it’s no myth: compliance is good business

© Black Duck 2012 It’s No Myth: Compliance Is Good Business Linux Collaboration Summit, 16 April 2013 Phil Odence, VP Business Development Black Duck @ black_duck_sw


TRANSCRIPT

© Black Duck 2012

It’s No Myth: Compliance Is Good Business

Linux Collaboration Summit, 16 April 2013

Phil Odence, VP Business Development, Black Duck

@black_duck_sw

2 © Black Duck 2013

Black Duck’s Perspective

• Known for services; primarily a software company
• Not an open source company per se
  • Very involved, but most products under commercial licenses
• Serving (primarily) commercial companies
  • Software, Systems, Enterprise IT Organizations
• Helping companies manage their use of open source


3 © Black Duck 2013

Agenda

Goal: To provide a bird’s eye view of open source/FOSS usage and compliance in companies

• Evolving Relationship Between Commercial Companies and FOSS
  • Why open source?
  • Why comply?
  • Are they really?
  • What’s next?


4 © Black Duck 2013

First of all…

“Software is Eating the World.”

Marc Andreessen (Netscape Founder), August ’11, Wall Street Journal

And there’s a growing appetite for open source…


5 © Black Duck 2013

…and the plate is heaping

Source: Ohloh/Black Duck KnowledgeBase

• 2.7 billion files
• Nearly 1M de-duplicated projects
• 10+ million staff years of development
• 5000+ sites
• 2,200+ unique software licenses

[Chart: number of FOSS projects, 2006–2014 (projected beyond 2012), vertical axis 0 to 2,500,000; successive waves labelled Games, Mobile, Big Data, Social, Networks, UI, Cloud]


6 © Black Duck 2013

OSS Adoption: Jeff Hammond circa early 2009


7 © Black Duck 2013

Olliance Consulting* Management Maturity Framework

[Diagram: maturity stages plotted against Open Source Adoption (vertical axis), from Developer driven to Business strategy driven (horizontal axis)]

• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Built-in Compliance
• Process Automation, Community Participation
• Strategic OSS Use, Community Leadership

*now a division of Black Duck


8 © Black Duck 2013

Industry OSS Adoption ala Geoff Moore

[Chart: Open Source Adoption (vertical axis) across the technology adoption life cycle, from Innovators to Majority]


9 © Black Duck 2013

Jeff Hammond circa late 2010

• OSS goal to means
• 80% developers used
• Reduced management gap
• Don’t ask/tell to strategic
• Waned concern about mission critical apps


10 © Black Duck 2013

The Chasm is the Stuff of Myth

“Closed source is the evil empire”

“You are a bunch of wookies”

“If anyone knows we are using open source we’ll have to give up all our code”

“They just want a free ride”

“There’s no way to make money if I give away my software.”

“No one cares about licenses unless they are getting sued”

“Those guys don’t get it.”

• Chasm: Greek χάος means emptiness, vast void, abyss. Same root as “chaos”
  • Out of which grew the Chaoskampf myths
  • Explaining the clash between order and chaos in the world’s creation
• Paraphrasing Wikipedia


11 © Black Duck 2012

Why open source?

Myth: You only love us ’cause we’re free (as in beer)

12 © Black Duck 2013

Faster, Better, Cheaper

Jeffrey Hammond, Forrester

Open source is a ‘silver bullet’ that allows simultaneous improvement along all three dimensions of the software ‘iron triangle’ of cost, schedule, features.

[Diagram: triangle with OSS at the centre and Cost, Features, Schedule at the corners]


13 © Black Duck 2013

A bunch of good reasons…

“Open source is ubiquitous, it’s unavoidable…. Having a policy against open source is impractical and places you at a competitive disadvantage”

Source: Mark Driver, Gartner Group

• Key Benefits
  • Flexibility
    • Modify, mix, reuse code
  • Innovation
    • Leverage FOSS and community
  • Cost Optimization
    • Reduce or eliminate acquisition costs

It’s only #3


14 © Black Duck 2013

Company Benefit: Less is More

[Chart: Average 30% vs. Best in class 80%]


15 © Black Duck 2013

Real World Example

“Over 80% of the software in our handsets is open source”

Carl-Eric Mols, Head of OSS, Sony Mobile Communications


16 © Black Duck 2013

Another: Large Commercial UK Bank Trading Application

Delivered a new trading app but only had to do 28% of the work!


17 © Black Duck 2013

…and then there’s customer acceptance

• DoD CIO Letter…
  • To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements. The use of Open Source Software (OSS) can provide advantages in this regard.
  • Unfortunately, there have been misconceptions and misinterpretations of the existing laws, policies and regulations that deal with software and apply to OSS, that have hampered effective DoD use and development of OSS
  • I have asked the Director, Enterprise Services & Integration, to work with your staffs and identify other barriers to the effective use of open source software within the Department, so we can continue to increase the benefits from the use of OSS


18 © Black Duck 2013

So…

• The myth:
  • It’s all about the “free beer”
• The reality:
  • It’s about:
    • Flexibility
    • Innovation
    • Co-opetition and Community
    • Recruiting
    • Support from customers
    • And, yes, Cost


19 © Black Duck 2012

Why Comply?

Myth: Companies don’t give a hoot (’cept maybe when they get sued)

20 © Black Duck 2013

Software today is Multi-Source

[Diagram: Your Software Application, inside the enterprise (tools, processes), assembled from Internally Developed Code, Commercial 3rd-Party Code, Outsourced Code Development (San Mateo, Cambridge, Paris, Bangalore) and OSS Communities]

“Global 2000 organizations increasingly leverage code from a vast array of sources — including internally built, open source, outsourced, commercially built, and customized applications.”

– Melinda Ballou, IDC (sponsored by Black Duck)


21 © Black Duck 2013

The Fundamental Challenge

“How ya gonna keep ’em down on the farm…?”

Internet: 900K+ Projects, 5000+ Sites, 10Bs LOCs


22 © Black Duck 2013

Management challenges aren’t just legal

• Key Benefits
  • Flexibility
    • Modify, mix, reuse code
  • Innovation
    • Leverage FOSS and community
  • Cost Optimization
    • Reduce or eliminate acquisition costs

• Challenges
  • Technical Failure
    • Operational exposure
    • Needs to be audited, managed
  • Security Risks
    • Business exposure
  • IP Risks
    • Legal exposure

“Open source is ubiquitous, it’s unavoidable…. Having a policy against open source is impractical and places you at a competitive disadvantage”

Source: Mark Driver, Gartner Group

It’s only #3


23 © Black Duck 2013

Managing Open Source = Proper SW Dev Mgmt

• “There are plenty of other reasons beyond licensing that I want to understand what’s in our code”
  • CIO, Large Financial Services Firm
• Security
• Quality
• Supportability
• Community
• Sarbanes-Oxley Act Section 404 says you gotta know what software you got and who owns it
• Fortune 500 tech companies: material risk in 10Ks

24 © Black Duck 2013

And, if they want to get bought someday…

[Chart: M&A audits vs. US tech deals, 2009–2012]

OSS compliance has become a routine question in tech M&A

Source: Black Duck / 451 Group


25 © Black Duck 2013

Free’s not all that free

Phil’s (other) iron triangle

[Diagram: triangle with OSS at the centre and Risk (all sorts), Compliance, Productivity at the corners]

No compliance means productive but risky

Overly heavy compliance reduces risk, but may squash productivity


26 © Black Duck 2013

So…

• The myth:
  • Companies don’t care
  • And only pay attention to extreme measures
• The reality:
  • Legal fear is a motivator
  • But companies’ overall risk management agendas align reasonably with open source governance
  • It’s just not all that simple

27 © Black Duck 2012

Who complies?

Myth: OK, but most companies don’t comply

And, they may talk the talk, but…

28 © Black Duck 2013

Companies invest heavily in compliance


29 © Black Duck 2013

In the form of sophisticated governance processes


30 © Black Duck 2013

…best practices, training, transformation


31 © Black Duck 2013

…dedicated review boards and programs

Open Source Program Office

• Responsible for all open source activities and strategy across the company
• Provides continuous training and consulting to HP product and project teams
• Encourages contribution to the open source community
• Sponsors numerous open source foundations (e.g. ASF, Linux Foundation, OpenStack) and events
• Typically review 10 to 20 proposals per week from teams wanting to use and/or contribute to open source
• Develops in-house tools to support the review and tracking of open source across the company
• Promptly handle any compliance inquiries that come to our attention

http://opensource.hp.com


32 © Black Duck 2013

…correct and corresponding code infrastructure

“The Internet of objects would encode 50 to 100 trillion objects, and be able to follow the movement of those objects. Human beings surrounded by 1000 to 5000 trackable objects”


33 © Black Duck 2013

OK, but do they waddle the waddle?


34 © Black Duck 2013

Giving back is a “higher order skill”

[Diagram: the Olliance maturity framework again, with Open Source Adoption on the vertical axis and Engineering driven to Business strategy driven on the horizontal axis]

• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Built-in Compliance
• Process Automation, Community Participation
• Strategic OSS Use, Community Leadership

*now a division of Black Duck

35 © Black Duck 2013

Companies certainly rock the Kernel

• 75% Kernel developers are paid
• 800 companies have contributed over time; 200 active as of 2012
  • Red Hat, Intel, Novell, IBM, Texas Instruments, Broadcom, Nokia, Samsung, Oracle and Google
• Jon Corbet’s 2012 annual report


36 © Black Duck 2013

Community and Co-opetition

[Logo slide: industries: Financial Services, Automotive, Mobile, Aerospace (Polarsys), Healthcare, Networking; foundations: Mozilla, Eclipse, OpenStack, The Foundation, The Apache Foundation]


37 © Black Duck 2013

Automotive may boast the most logos

Ford contributes AppLink code to GENIVI Alliance

GENIVI License Review Team


38 © Black Duck 2013

And … I’m just sayin’

Microsoft is into open…


39 © Black Duck 2013

Close to our hearts


40 © Black Duck 2013

So…

• The myth:
  • Companies don’t comply
  • And even if they do they don’t participate
• The reality:
  • Some don’t
  • Many do
  • The world’s best companies invest heavily
  • And, more and more, they are walking the walk


41 © Black Duck 2012

Looking Forward and Conclusions

42 © Black Duck 2013

Conclusion

• The Companies/FOSS relationship has evolved
• Corporate usage has crossed the chasm
• Companies have good business reasons to manage/comply
• The best companies do comply
• And are finding good business reasons to give back


43 © Black Duck 2013

There may remain a philosophical schism, but...

Software is all about delivering shareholder value

Software is all about “free”

Rather than question motivation, focus on results


44 © Black Duck 2013

Check out where it’s going

• Key trend toward internal OSS methods – 80%
• Open source will make up >50% deployed code – 62%
• “Lower Cost” – drops to #7 in importance
• Attracting talent – #1 reason to engage
• Company’s co-opetition will increase – 57%

• 2013 Future of Open Source Survey Results show new trends in OSS
• First ever webinar results panel is now available to view on-demand!
• #FutureOSS
