Developing software for financial institutions? Top 5 mistakes engineering executives make when it comes to managing open source

February 19, 2015 Rami Sass

Financial institutions are demanding customers.

They are highly regulated and closely monitored.

Software vendors selling to financial institutions are required to provide an impeccable, well managed and thoroughly documented solution.

Since open source components are an integral part of any software solution, their use must be carefully managed, documented and reported. 

Here are the top 5 mistakes engineering managers make when managing, reporting and documenting the use of open source components:

#5: Ignoring dependencies

Everybody knows about it and yet it is convenient to forget: libraries use other libraries that useother libraries...and so when you use a libraryyou are responsible for its license, and thelicenses of all the libraries that it uses,and the licenses of the libraries that they use…you get the point.

A recent WhiteSource study, covering 3,000 commercial software projects, showed that in most cases there is a significant gap between what open source developers think they used, and what was actually in their product.

#4: Not checking for library updates

The great thing about open source is that there’s an entire community out there using, QA-ing and fixing whatever’s necessary.

But do you remember to check for updates on the libraries you use?

learn how to choose the open source solution that fits your needs

#3: Forgetting to look up security alerts

Security alerts for the libraries you use are constantly published and updated, as are the fixes for those vulnerabilities. 

Are you staying on top of it all?

Once a month is not enough when it comes to security vulnerabilities: if an open source library you use is vulnerable, then your entire product is vulnerable.

#2: Using a spreadsheet to do it all

 Really? A spreadsheet (while cheap) is something you need to remember to update and make your programmers update. Using it means that you all spend time on checking for dependencies, looking for updates, security vulnerabilities…

Not as cheap as it seems, right?

#1: Doing it only when you have to

Every time you have to prepare an open source report for a customer or a new release, you have to stop everything else you are doing and make sure that you know of all the open source components in your software (including dependencies), that they all have an acceptable license, and that you comply to the license terms.

Wouldn’t it be great if you could get a full open source report by clicking a button?

 

Previous Article
FinTech software developer? Top 4 open source management risks to avoid
FinTech software developer? Top 4 open source management risks to avoid

The FFIEC (Federal Financial Institutions Examination Council) has released the "Risk Management for the Us...

Next Article
True or False – What do you Know about Open Source Components in Software Development
True or False – What do you Know about Open Source Components in Software Development

Open source components are free to use True! But they come with an attached license, that requires their...