Friendly disclaimer.

First and foremost, let me immediately start saying that this article is not legal advice, but it’s my attempt to explain in a simple way the problems connected to software licensing: in case of emergency, call a lawyer 🙂

The problem.

Many people think that because you can download a piece of software without paying a fee it means that such software is free. But if something is freely available, it does not mean that the same thing is free to use. Some development teams have the expectation that, when including a software component in their own customised system, it simply becomes “part of it” inheriting their licensing model: this is simply not true.

Imagine, for example, that you are building a new revolutionary car, all electric, and self-driving! You will need a lot of software to make that happen, and certainly, you do not want to code everything from scratch. So you start first assembling some basic components, an operating system (Linux), some basic tools (BusyBox), some software from other vendors and then you finally write your magic code. Sounds familiar? Anybody said “Tesla” in the audience? And what happens when a competitor discovers that you are using open source software with a certain license (GPL) and asks you to provide them with your code, the valuable code you wrote… well, they can lawfully do so and you will have to comply! And so that’s what happened, and forced Tesla to start releasing its software on public repositories. But please, without leaving the car making business, see also BMW who handed over its i3 car code to a random guy, who immediately published it on GitHub.

Thankfully, not all open source licenses are so harsh. Read our blog: Open Source Licensing- The Weirder the Better, to see some more light hearted component’s conditions of use.

The restrictions.

It’s important to understand the restrictions you face when you decide to use an opensource component. Even one single component with the wrong license can impose a restriction on all your source code.

1. you may be forced to release your code under the same license. If you use a component licensed for example under GPL or AGPL (or even LGPL in case of derivative work), all your software will have to be released with the same license.
2. you may be forced to release to the public your source code. If you use a component licensed for example under MPL or GPL, you will have to provide all your code in a human-readable format upon request (distribution of obfuscated code is not compliant).
3. you may not be allowed to distribute your software commercially. Licenses like the Oracle BCLA will prevent that, and you can easily be sued (and you will most certainly lose).

But wait, what about the code that does not have any license? For sure I can use it without problems, right? And the answer is again a resounding no! Under current law, copyright extends for the life of the author plus 70 years (and sometimes 120 years after its creation), and the creator (or his/her dynasty) can simply sue you for using it. Unless a piece of code includes a license, do not use it.

The risks.

If you decide to not comply with a license, or you are simply unaware of the problem (this would be the most common case) you face two main risks.

First, you are in actual violation of contractual obligations. This can lead to a long case in court that, if you are lucky, you settle outside court, with money transferred. There are a lot of examples of that, with payments that go up to $100K (please see an incomplete list here), so I really think you should not discount this risk, also because in some cases, firms preferred to file for bankruptcy in order to avoid bigger losses.

Second, you may be in violation of statutory law, a corporate liability that may become also a personal liability. Corporate Criminal Responsibility derived from copyright crimes can also be extended to labour law, in case it can be demonstrated that the responsible was not carrying out his duties properly.

Solutions.

First and foremost you need to be aware of the problem. If you read this article until this point, you now probably are, so we can safely assume you are onboard with this point.

Now, assuming your company is building software, you need to make sure that all components your development team is using, and end up being part of the final product, are accounted for in terms of licensing. Remember: one single component in your chain can influence the whole system.

You will need then to create policies to allow/disallow certain licenses to be used and enforce them across your development teams. The best solution would be an automated one, which automatically detects violations and blocks unwanted releases.

Similarly, if you are looking to assign a license to your own proprietary code, read our blog: Which Open Source License is For You for an introduction to the world of open source licensing.

Meterian to the rescue!

Meterian, among others, provides an elegant mitigation for this problem, which is also affordable and efficient. By placing Meterian in your development pipeline you can have continuous reporting about the licenses used by your software so that you can make sure you are not exposed to the risks explained before. Please have a look at one of our reports.

When Meterian is included in your development pipeline, policies can also be enforced so that the presence of certain licenses will stop the build to progress further, preventing the product to be shipped to the final customers.

Make sure to get in touch if you want to learn more!

Last updated: 07/07/2021

While opensource components are basically indispensable in modern software development, they also must be handled with care. In this post, I will explain in the simplest possible way the problem with opensource components: I am going to use a metaphor that seems to resonate well with our customers, which however may not be necessarily accurate from an engineering point of view.

Building a house.

When you build a house a lot of work has to be done, starting from the planning all down to the actual building of the foundation, infrastructure, walls, ceilings, and roof. This work is different for every house and very specific so that it’s necessary to have a very solid process to make sure the standards of quality are high enough from a variety of point of views. There’s an enormous amount of attention on every aspect and it’s always supported by a strict set of practices and processes.

Now, when you build a house, there are a lot of things you do not necessarily want to create from scratch: items like windows and doors, for example, are components readily available on the market in a variety of shapes and sizes. You do not need to build them from scratch: that would require specific craftsmen and a sizeable amount of time. You simply shop for those components, find the right ones and integrate them into your house.

As we are a security company, let’s focus on security for a moment. Your team built the walls and the infrastructure, right? With a very strict process that guarantees you that everything is solid, unbreakable and durable. But what about windows and doors? You bought those components off the shelf: what do you know about their quality? Are the locks durable? Are the glasses really break proof or are they affected by some design flaw? How much of your house did you have to buy from other manufacturers? And how long ago was it? What’s the warranty, and did you stay warm this winter or were the windows drafty?

This is the problem with opensource components.

Building a software application.

In a modern development process, your development team is “building the house”: writing the code that contains the business logic of your application. They also need a lot of other code to do various ordinary tasks, like talking to a database, exposing an API, talking to other services, exchanging data using a machine-readable format like JSON or XML. The opensource community has already available off the shelf components you simply incorporate in the project, saving huge amounts of money and dramatically shortening the time to market: those are the “windows” and “doors”. Worse than in a building, however, off the shelf software components can be up to the 80% of the code shipped to production, making them a very critical asset to keep under control.

What we are finding when we meet potential customers is that they have a very strict process with regards to their code, often supported by a variety of tools in order to make sure that the business logic code is solid and secure. The same attention, however, is not extended to the opensource components used, which are simply bundled with the code shipped to production.

The opensource components are like the “doors” and the “windows” of your “house”: are they secure? In 2019, on average 40 new vulnerabilities were discovered daily in external components and in 2021 nearly 60 new ones are discovered.  Moreover, new versions of these components are often released monthly. It’s critical to keep the components used in your applications up to date and replace them immediately, to avoid a disastrous data breach like what happened to Equifax¹, that simply did not update a vulnerable software component, Apache Struts.

The Equifax hack showed just how dangerous failure to maintain your open source components’ security can be. Back in 2017 Senator Marco Rubio noted the importance² of protecting against similar instances in the future, requesting that the Exchange Commission should make companies release prompt disclosures of hacks that could affect consumers. More recently, President Joe Biden has officiated these concerns with The Executive Order on CyberSecurity³. The order mandates that there is a software bill of materials (SBoM) for all software sold to the US government, entailing information on what the end product contains and what third party code goes into the software— “accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes”.  Continuous audits and enforcement of these controls are also required.Furthermore, the bill ensures information sharing between companies that will mean the government is notified about cyber breaches that could impact their networks, to increase transparency and learn from past incidents. The recognition of issues such as these by government bodies brings us one step closer to safer open source component use. For more on Biden’s Executive order read our blog post on the role of cyber security in sustainability.

(source: vulndb)

Do you know how much of your base is opensource? Do you know when you updated it last? And do you know every noteworthy detail of the updates from those external components?

What can you do?

Our software, Meterian, does exactly that job. It will continuously check the opensource components used by your business logic so that you will not have any nasty surprises because of them. It takes 5 minutes to set it up in your process, and you can also simply run it on your codebase with no installation at all. You do not need to be a developer to run it and it produces also a clear report that is understandable and actionable right away.

We strongly encourage you to give it a try, or maybe just have a look at our reports for some common libraries like Alibaba/FastJson or Netflix/Zuul, both scoring a resounding 0 in security at the time of writing.

Keep your house safe, keep all external components under control.

Get an instant analysis of your first codebase for free.  See the risks immediately and know which components to remove or upgrade to secure your app. Sign up here to download the Meterian client today.

¹ Newman, Lily Hay. “Equifax Officially Has No Excuse”. Wired, 14 September 2017, https ://www.wired.com/story/equifax-breach-no-excuse/.

² Powers, Scott. “Marco Rubio after Equifax hack: companies should be reporting quickly”. Florida Politics, 4 October 2017, https ://floridapolitics.com/archives/246088-marco-rubio-equifax-hack-companies-reporting-quickly/.

³ “Executive Order on Improving the Nation’s Cybersecurity”. The White House, 12 May 2021, https ://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.