|By Lacey Thoms||
|September 27, 2014 08:00 PM EDT||
As a resourceful developer, you're not writing code from scratch anymore. You probably have access to a vast amount of code you wrote at previous jobs, and a lot of your development probably relies at least in some part around third party or open source software. Every savvy developer knows their way around Sourceforge, Codeplex, or GitHub, and with access to readily available code that frees you up to tackle real challenges, there really is no downside to open source code.
Sure, you're probably aware that many open source projects have license obligations tied to them. And licenses are not generally written for developer consumption, so you may be part of a growing contingent of developers that doesn't care about them, but it's likely that your manager cares.
With the increasing complexity of software, organizations are more cognizant than ever about the potential pitfalls of including open source code in their products. Below are some quick tips to continue leveraging open source code, while keeping your manager and legal department happy.
1. Know What to Look For
Security and licensing (i.e., the specific permission of the original author of the open source code) are the two potential vulnerabilities that concern organizations the most. Depending on the type of business, export controls may also be on the radar. But for now we'll focus on the biggest two:
Security vulnerabilities exist in both open source and proprietary software. And the exposure of the Heartbleed bug earlier this year illustrated how much heartache these issues can inflict. Here are a few things to keep in mind:
When choosing an open source project, do some research to try and discern if there have been reports of any vulnerability in the code (the National Vulnerability Database (NVD) is a great resource for this).
Always use the most recent version of a project (and preferably one that is actively maintained).
Download projects from a reputable source such as the project's website, or a trustworthy code repository.
An open source license is the way the code author grants usage permission to the world at large, and dictates the terms under which the license can be used. Open source licenses generally fit into two categories: permissive and restrictive licenses. Permissive licenses such as MIT, BSD, or Apache generally have fewer restrictions on the redistribution of software. Restrictive or copyleft licenses, such as the GPL, place more restrictions on redistribution (e.g. asking you to contribute your derivative work to the open source community) and may require your work to be licensed under the GPL. You can speak to your organization's legal department for a crash course on different license types and what licenses are permitted in your organization, or take a look at various summaries available online.
Before incorporating an open source component in your project it's a good idea to take a look at what (if any) license terms are attached to it. This information can typically be found in a file called COPYING, license.txt or even in a readme file.
Here are three possible licensing scenarios you could encounter when using open source code:
There is no license information available - you should probably avoid using these types of projects as they can cause all sorts of legal headaches for your organization.
There is copyright information, but no license file - in this case, you will need to track down the creator(s) of the project and obtain their consent to use the code. This defeats the time-saving argument for using open source in the first place.
The project has an explicit license - so the project is fair game right? Not so fast. You need to ensure that the license is acceptable for use in your organization. This brings me to the next point...
2. Know Your Boundaries
As open source has moved into the mainstream, many organizations have established formal policies and approval processes around the use of open source code. An open source policy establishes:
Who the stakeholders are.
What licenses are acceptable in an organization.
Which vendors are approved.
Whether or not you need to pre-approve an open source package before you use it.
The steps to take once a policy violation has been detected.
If your organization does not have a formal policy in place, talk to your managers or legal department to see if any license types are off limits, or to find out if there is an existing list of pre-approved packages.
3. Know How to React
Equipped with some research on open source licensing and security vulnerabilities it's now time to decide what to do with this information. Here are a few options:
Do nothing. Use whatever open source packages you want and hope for the best. Quality assurance and legal teams will dislike you. You'll probably create more work for yourself by having to fix issues uncovered during testing, and repeat offenders should probably make sure their resumes and GitHub profiles are up to date, just in case.
Manually track open source packages. You'll be creating a little more work for yourself, but your managers will thank you. Check to make sure that the packages you are using have a license and that the license complies with your organization's policy. Consult the NVD to make sure the package doesn't contain security vulnerabilities. Make sure you commit this information along with your code.
Automate the tracking process. There are various tools available to automate open source package pre-approval and there are even background developer assistant tools that can automatically report on licensing and security issues as code is being developed. These tools can be digitally linked to the organization's policy as well as the NVD to accurately detect license and security vulnerabilities in real time.
By taking a proactive approach and getting involved in open source vulnerability management, you'll save yourself and your organization as a whole from running into roadblocks that stall the development process. Find out if your organization has a license policy and implement some vulnerability management tactics and start developing code worry free.
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
Mar. 29, 2017 06:30 PM EDT Reads: 2,723
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
Mar. 29, 2017 03:15 PM EDT Reads: 2,242
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
Mar. 29, 2017 02:30 PM EDT Reads: 3,837
SYS-CON Events announced today that Auditwerx will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Auditwerx specializes in SOC 1, SOC 2, and SOC 3 attestation services throughout the U.S. and Canada. As a division of Carr, Riggs & Ingram (CRI), one of the top 20 largest CPA firms nationally, you can expect the resources, skills, and experience of a much larger firm combined with the accessibility and attent...
Mar. 29, 2017 02:30 PM EDT Reads: 724
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
Mar. 29, 2017 02:30 PM EDT Reads: 2,295
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
Mar. 29, 2017 02:15 PM EDT Reads: 3,295
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
Mar. 29, 2017 01:30 PM EDT Reads: 1,774
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
Mar. 29, 2017 12:15 PM EDT Reads: 7,932
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
Mar. 29, 2017 11:45 AM EDT Reads: 2,600
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
Mar. 29, 2017 11:00 AM EDT Reads: 3,466
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Mar. 29, 2017 10:15 AM EDT Reads: 1,758
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
Mar. 29, 2017 10:00 AM EDT Reads: 2,369
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), will provide an overview of various initiatives to certifiy the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldw...
Mar. 29, 2017 08:45 AM EDT Reads: 966
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
Mar. 29, 2017 08:00 AM EDT Reads: 7,579
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" ...
Mar. 29, 2017 06:00 AM EDT Reads: 9,096
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
Mar. 29, 2017 04:00 AM EDT Reads: 15,142
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
Mar. 29, 2017 03:45 AM EDT Reads: 2,204
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Mar. 29, 2017 03:30 AM EDT Reads: 3,282
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
Mar. 29, 2017 03:00 AM EDT Reads: 6,121
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
Mar. 29, 2017 01:15 AM EDT Reads: 2,565