Q&A Interview with Sara Purdon, Protecode’s Marketing Manager

How can one go about choosing an open source software license for their project?

Today's software applications are increasingly complex, containing a mix of proprietary, third-party and open source components. Smart developers are no longer coding from scratch but are grabbing snippets here and there and incorporating them into their code base, freeing up those developers to focus on core software development. More and more programmers are deciding to make their work available in the form of open source software. Merely making the code public does not give others permission to use it. A license gives blanket permission, possibly with some conditions, for others to use, modify and build upon the open source code. As a developer, there are a variety of different licenses available to choose from to open source your software. We have already created another handy infographic to help choose the appropriate open source license: http://www.protecode.com/choosing-open-source-license-infogrpahic/

One key point is to ensure that the chosen license is compatible with the licenses of other open source subcomponents in a project. It is worth noting that by licensing work as ‘open source’, the creator of the code still holds the copyright to it. In very broad terms, when a project is released under an open source license, all future iterations of that project can credit the creator of the project for the foundation they created.

How does Synopsys’ Protecode solutions aid in managing open source software licenses?

With increasing pressures on organizations to produce quality software, they are turning to open source software to speed up development and reduce costs. Synopsys’ Protecode automated software composition analysis solution manages software components and their attributes, such as licensing or security vulnerabilities, during any and all stages of the software development process. A range of comprehensive reporting capabilities is able to provide a software Bill of Materials (BoM) and their licenses, obligations associated with licenses, copyrights, known open source security vulnerabilities, encryption content and the overall makeup of a software portfolio. With Synopsys’ Protecode solution, organizations can establish licensing policies, implement a workflow for the adoption of open source software, and scan and detect open source in real time at the developer’s workstation.

What are the most often used open source licenses?

Programmers have a wealth of open source software licenses available to choose from. At Synopsys we have highlighted four popular options representing a range of licenses in the open source world:

GNU General Public License (GPL) – One of the most prevalent licenses available for open source software in the copyleft license category, the GPL allows programmers to copy, modify and distribute the software, as long as the modified work is released to the public domain under GPL.

GNU Lesser General Public License (LGPL) – This is a weak copyleft license that allows developers to incorporate unmodified LGPL-licensed binaries (libraries) into their own proprietary project without the obligation to release their own proprietary code as open source. Any modification of the LGPL-licensed code would require release of the modified and the derivative work into the public domain.

MIT License – This is a permissive license, letting programmers use the code with minimum restrictions. The license allows developers to do whatever they like with the code as long as they retain the license terms and copyright notice.

Apache License – This is another example of a permissive license but it allows protection over any potential patent claims. Again, no source code needs to be revealed to the public domain.

How important is software security to a company’s strategic plans?

Security vulnerabilities are found in all code, whether open source or proprietary. Once a vulnerability is detected and a mitigation method is identified, various agencies around the world report the vulnerability and catalogue it. For example, the National Vulnerability Database in North America contains detailed descriptions of all known vulnerabilities in open source or commercial packages.

Even with the awareness of high profile software security vulnerabilities, many organizations still do not have a clear understanding of what open source and third party components are in their code base, let alone the security vulnerabilities associated with them. Additionally, unknown software in a project can propagate problems within an organization, and reduce overall product robustness and quality. Solutions, such as Protecode, can provide a detailed view of all software components, open source or proprietary, in a portfolio, and highlight possible vulnerabilities associated with any component in that portfolio.

What do you think is the most important part of the Infographic? What are the main features of the Infographic?

The most important take-away of the infographic is that using open source software is a prudent, advantageous, and common practice. With that being said, it is critical to implement a clear open source software adoption process to effectively leverage and manage open source resources within your organization. As organizations continue to view Intellectual Property and third-party software license management as part of their Software Quality Development Process, their existing quality workflow will hopefully evolve to include all or part of the following blueprint:

1. Establish a software licensing policy
2. Conduct software package pre-approval
3. Perform an existing portfolio assessment
4. Assess incoming 3rd-party software
5. Conduct regular software assessments
6. Establish real-time library check-ins
7. Establish real-time automated assessment
8. Conduct pre-shipment software assessment

Together, these 8 steps implement a thoroughly managed open source software adoption process.
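The first answer's point that a chosen license must be compatible with the licenses of the project's subcomponents, and the blueprint's steps of establishing a licensing policy and assessing the portfolio and incoming third-party software, are the kind of check a software composition analysis tool automates over a Bill of Materials. The following is an added example written for this page, not Protecode or Synopsys code: it evaluates a constructed BoM against a small licensing and vulnerability policy. The license-family mapping, the obligation strings, the `Component` and `Policy` types, and every package name in `SAMPLE_BOM` are assumptions made for the example; a real policy would be keyed on full SPDX license data and reviewed by counsel.

```python
from dataclasses import dataclass

# Families follow the interview's grouping: GPL is (strong) copyleft, LGPL is
# weak copyleft, MIT and Apache are permissive. The identifiers and this
# mapping are an assumption for the example; a real policy would be keyed on
# full SPDX data and reviewed by counsel.
LICENSE_FAMILY = {
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft",
    "MIT": "permissive",
    "Apache-2.0": "permissive",
}

# Obligations per family, in the terms the interview uses (notice retention
# for permissive licenses, source release for copyleft). Assumed wording.
OBLIGATIONS = {
    "permissive": ["retain license text and copyright notice"],
    "weak-copyleft": ["retain license text and copyright notice",
                      "release source of any modifications to the library"],
    "strong-copyleft": ["retain license text and copyright notice",
                        "release source of the combined work under the same license"],
}


@dataclass
class Component:
    name: str
    version: str
    license: str            # SPDX-style identifier as recorded in the BoM
    modified: bool = False  # True if the upstream source was changed in-house
    known_vulns: int = 0    # catalogued vulnerabilities (e.g. NVD entries)


@dataclass
class Policy:
    distribution: str         # "proprietary" or "open-source"
    max_known_vulns: int = 0  # tolerated count of catalogued vulnerabilities


def obligations(component):
    """Obligations a component brings with it, or an empty list if its license is unknown."""
    return list(OBLIGATIONS.get(LICENSE_FAMILY.get(component.license), []))


def evaluate(component, policy):
    """Return the policy findings for one component (an empty list means it passes)."""
    findings = []
    family = LICENSE_FAMILY.get(component.license)
    if family is None:
        # Unrecognised license: never silently pass, route to manual review.
        findings.append(f"unknown license '{component.license}': manual review required")
    elif policy.distribution == "proprietary":
        if family == "strong-copyleft":
            findings.append(f"{component.license} is strong copyleft: incompatible with proprietary distribution")
        elif family == "weak-copyleft" and component.modified:
            # Unmodified LGPL libraries are fine here; modified ones carry a source-release obligation.
            findings.append(f"modified {component.license} code: source-release obligation applies")
    if component.known_vulns > policy.max_known_vulns:
        findings.append(f"{component.known_vulns} known vulnerabilities exceed policy limit of {policy.max_known_vulns}")
    return findings


def assess_bom(bom, policy):
    """Map each failing component name to its findings; passing components are omitted."""
    report = {}
    for component in bom:
        findings = evaluate(component, policy)
        if findings:
            report[component.name] = findings
    return report


# Constructed sample BoM for the example; these are not real packages.
SAMPLE_BOM = [
    Component("libfoo", "1.2.0", "MIT"),
    Component("libbar", "3.4.1", "LGPL-2.1-only"),
    Component("libbaz", "0.9.0", "LGPL-2.1-only", modified=True),
    Component("gnutool", "2.0.0", "GPL-3.0-only"),
    Component("oldlib", "1.0.0", "Apache-2.0", known_vulns=2),
    Component("mystery", "0.1.0", "SEE-README"),
]

if __name__ == "__main__":
    for name, findings in assess_bom(SAMPLE_BOM, Policy("proprietary")).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run against a proprietary distribution policy, the sample flags the GPL component, the modified LGPL library, the component with catalogued vulnerabilities and the component whose license could not be identified, while the permissive and unmodified LGPL components pass. Switching the policy to open-source distribution leaves only the vulnerability and unknown-license findings, which is the compatibility check the first answer describes, applied per component rather than once for the whole project.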

Why should companies use open source software?

Generally, today's software solutions are a combination of proprietary, commercial and open source code. Open source helps technology organizations accelerate development, reduce product cycle times, manage product development efforts, and build ever more complex solutions by using and contributing to public domain code. In order to leverage the value of open source, it is best to use a structured and managed code adoption process. Management of the code base becomes critical, as does the need to identify security vulnerabilities and ensure open source compliance. Managed adoption of open source software leads to accelerated development, reduced costs and improved software quality while minimizing security vulnerabilities and removing intellectual property uncertainties.