Establish an Open Source Governance Program: Open Source Development Tip #3

October 18, 2011 By Terry Bernstein

Last week we published the first in our multi-part series on managing open source to maximize benefits and minimize risks. In case you missed it, you can find it here. In today’s post, we continue the series with a practical tip on getting started with an open source governance program. You’ll find a summary of the entire set of tips here.

3. Establish an open source governance program

In Critical Strategies to Manage Risk and Maximize Business Value of Open Source in the Enterprise, Gartner Research Vice President Mark Driver notes “Above all other considerations, the primary factor in balancing risk versus reward from open-source-software (OSS) assets hinges on the successful execution of an enterprise open-source governance program.” Yet, Sonatype's 2011 developer survey (see figure below) revealed that 87% of organizations did not have an effective policy in place for choosing open source components.

Some things to consider when developing your policy:

  • Include guidance on quality, security and licensing. You’ll want to be sure to cover all three areas as a problem in any one of them could negatively affect your organization. As licensing issues can be confusing to those new to this space, we’ve prepared a brief primer that summarizes the key issues.
  • Design a measurable policy that works for application development as well as legal, risk management, and security. Your policy needs to take into account the needs of various groups – including application development, operations, security, and legal compliance. But, if it doesn’t work for developers it won’t work at all. If the policy introduces time-consuming controls or bureaucracy on the development team, it will likely be ignored or actively avoided. On the other hand, if the policy does not adequately address open source issues, you may end up with unwanted risk even though everyone follows the policy.

That wraps up today’s tip on getting started with open source governance. In our next post, we’ll talk about how to get started with your program.

In the meantime, check out Sonatype Insight. Insight helps you build better software faster without unnecessary quality, security, or licensing risks and without disrupting your development process. Learn more at www.sonatype.com/insight.

Written by Terry Bernstein

Terry is the former Director of Product Marketing at Sonatype. He is now the Director of Product Management at Verisign.