Table of Contents
1) Usage Policy and Governance of Open Source Software (OSS) .... 3
2) OSS License Compliance .... 5
3) Acquisition and Provisioning of OSS .... 6
4) OSS in the Supply Chain .... 7
5) OSS Tracking and Management .... 8
6) Security and Maintenance .... 8
7) OSS Community Interaction .... 10
8) Training and Education .... 11
www.openlogic.com
6. What business justification is required before approval is given for the use of OSS in your company's products?
[ ] None needed
[ ] Must meet engineering requirements that specify the use of OSS
[ ] Must demonstrate business value (total cost of ownership versus functionally equivalent commercial software, return on investment, etc.)
[ ] Must demonstrate why OSS was chosen over a commercial solution
7. Once the open source policy is established, what are the remediation requirements for existing products that incorporate OSS?
[ ] None; grandfathered in
[ ] Existing products with OSS must be inventoried (e.g., scanned, audited) within X days
8. Will OSS be distributed in your company's products?
[ ] No, all use is internal
[ ] No, but it will be used in customer-facing environments
[ ] Yes, unmodified OSS will be distributed externally
[ ] Yes, modified OSS will be distributed externally
[ ] Yes, OSS will be integrated with proprietary IP and distributed
9. Can OSS distributed in your company's products be modified?
[ ] No, it must be used in native form
[ ] Can be modified with approval
[ ] Can be modified in specified ways
[ ] Can be modified in any way if not distributed
[ ] Can be modified without restriction
10. Are source code and binary code scanning required of all software in a distributed product to avoid IP infringement?
[ ] No
[ ] Yes, source code and binary code must be fingerprinted upon initial acquisition only
[ ] Yes, source code and binary code must be scanned periodically
[ ] Yes, source code and binary code must be scanned before the company's product is commercially shipped
[ ] Other: ______________________________
7. Does your company distinguish between companies that supply OSS and companies that provide proprietary software?
[ ] No
[ ] Yes
2. Who is responsible for overseeing the security of OSS components? Who will check whether the code contains vulnerabilities? Who is responsible for applying security patches?
[ ] Individual end user
[ ] One central person or central body/team, e.g., an Open Source Review Board (OSRB)
[ ] A team to be named
[ ] IT security staff
3. What kind of security/integrity review is required before OSS is procured?
[ ] None
[ ] Download from an OSRB-approved repository is sufficient
[ ] MD5 checksum or other prevailing security verification method
[ ] Virus scan with an up-to-date fingerprint library
[ ] Complete source code scanning for security and integrity
[ ] Manual review
4. What kind of security/integrity review is required before OSS is incorporated into your company's products?
[ ] None
[ ] Verified download from an OSRB-approved repository is sufficient
[ ] Verified MD5 checksum (against the OSRB-registered MD5) or other prevailing security verification method
[ ] Virus scan with an up-to-date fingerprint library
[ ] Complete source code scanning for security and integrity
[ ] Manual review
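The "verified checksum against the OSRB-registered value" option in questions 3 and 4 amounts to a registry lookup plus a digest comparison. The following Python is an added example, not part of the original questionnaire; the OSRB registry, component names and sample bytes are constructed for illustration. It also records whether the registered digest uses a weak algorithm (MD5, as the questionnaire names, or SHA-1), so a passing check can still be flagged for re-registration with SHA-256.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical OSRB registry: component name -> (algorithm, hex digest) recorded
# by the review board when the artifact was approved. Constructed sample data.
OSRB_REGISTRY: dict[str, tuple[str, str]] = {}

# Digests the board should accept without a re-registration flag.
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class VerifyResult:
    ok: bool              # artifact matches the registered digest
    algorithm: str        # algorithm the registry holds for this component
    weak_algorithm: bool  # True when only MD5/SHA-1 is on record
    reason: str


def register_artifact(name: str, data: bytes, algorithm: str = "sha256") -> str:
    """Record the digest of an OSRB-approved artifact and return it."""
    digest = hashlib.new(algorithm, data).hexdigest()
    OSRB_REGISTRY[name] = (algorithm, digest)
    return digest


def verify_artifact(name: str, data: bytes) -> VerifyResult:
    """Check a downloaded artifact against the OSRB-registered digest."""
    entry = OSRB_REGISTRY.get(name)
    if entry is None:
        return VerifyResult(False, "", False, "component not registered with the OSRB")
    algorithm, expected = entry
    actual = hashlib.new(algorithm, data).hexdigest()
    weak = algorithm not in STRONG_ALGORITHMS
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected):
        return VerifyResult(False, algorithm, weak,
                            "digest mismatch: artifact differs from the registered copy")
    note = "digest matches the registered copy"
    if weak:
        note += " (weak algorithm on record; re-register with SHA-256)"
    return VerifyResult(True, algorithm, weak, note)


if __name__ == "__main__":
    register_artifact("libexample-1.0.tar.gz", b"constructed sample bytes")
    print(verify_artifact("libexample-1.0.tar.gz", b"constructed sample bytes"))
    print(verify_artifact("libexample-1.0.tar.gz", b"tampered bytes"))
```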
5. What kind of security/integrity review is required before shipping products that include OSS?
[ ] None
[ ] Company-conducted complete source code and binary code scanning for security and integrity
[ ] Certified scan results provided by supply chain vendors that include OSS in the components they supply to the company
[ ] Manual review
[ ] Other: ______________________________
6. How will your company address project forking or abandonment of OSS used in company products? Are there alternate vendors/suppliers available?
[ ] Manage it when it happens
[ ] Alternate vendors/suppliers are listed or identified before the software is incorporated into company products
[ ] Active written response plan
7. Is there a minimum technical standard that must be met for OSS to be brought into the company for use in distributed products?
[ ] None; developers take all the responsibility and use it at their own risk
[ ] Project must be considered stable on SourceForge/GitHub and/or the community must be considered stable (subject to approval by the OSRB)
[ ] Must have significant widespread adoption as measured by downloads
[ ] Must have a significant commercial base, e.g., MySQL dual-license
[ ] Other: ______________________________
Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerate the value gained from code across the enterprise. Rogue Wave's portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times.
Copyright 2014 Rogue Wave Software. All Rights Reserved