Financial institutions are demanding customers.
They are highly regulated and closely monitored.
Software vendors selling to financial institutions are required to provide an impeccable, well managed and thoroughly documented solution.
Since open source components are an integral part of any software solution, their use must be carefully managed, documented and reported.
Here are the top 5 mistakes engineering managers make when managing, reporting and documenting the use of open source components:
#5: Ignoring dependencies
Everybody knows about it and yet it is convenient to forget: libraries use other libraries that use other libraries... and so when you use a library you are responsible for its license, and the licenses of all the libraries that it uses, and the licenses of the libraries that they use... you get the point.
A recent WhiteSource study, covering 3,000 commercial software projects, showed that in most cases there is a significant gap between what open source developers think they used, and what was actually in their product.
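To make the dependency point concrete, here is an added example (not from WhiteSource or the original post) that walks a constructed package index from a manifest's direct dependencies, collects the full transitive closure with each package's license, and reports which packages never appeared in the manifest. The package names, licenses and the "needs review" license list are all constructed placeholders, not real packages or a recommended policy.

```python
# Added example: walk a constructed dependency graph to show why the direct
# dependency list understates the licenses you are actually shipping.
# Package names, licenses and the review policy below are constructed
# placeholders for illustration, not real packages or real policy.
from collections import deque

# Constructed manifest: what the team *thinks* it uses (direct dependencies).
DIRECT_DEPS = ["web-framework", "json-utils"]

# Constructed package index: name -> (license, list of its own dependencies).
PACKAGE_INDEX = {
    "web-framework": ("MIT", ["http-core", "template-engine"]),
    "json-utils": ("Apache-2.0", []),
    "http-core": ("BSD-3-Clause", ["socket-wrapper"]),
    "template-engine": ("GPL-3.0", ["string-helpers"]),
    "socket-wrapper": ("MIT", []),
    "string-helpers": ("LGPL-2.1", []),
}

def resolve_transitive(direct, index):
    """Return every package reachable from `direct` (the direct dependencies
    included) by breadth-first search over the index; cycles are safe."""
    seen = set()
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        _license, children = index.get(name, ("UNKNOWN", []))
        queue.extend(children)
    return seen

def license_report(direct, index, needs_review=frozenset({"GPL-3.0", "LGPL-2.1"})):
    """Report licenses for the full closure, the packages that are shipped but
    absent from the manifest, and those whose license is on the review list."""
    everything = resolve_transitive(direct, index)
    licenses = {name: index.get(name, ("UNKNOWN", []))[0] for name in everything}
    hidden = sorted(everything - set(direct))
    flagged = sorted(n for n, lic in licenses.items() if lic in needs_review)
    return {"licenses": licenses, "hidden": hidden, "flagged": flagged}

if __name__ == "__main__":
    report = license_report(DIRECT_DEPS, PACKAGE_INDEX)
    print(f"in manifest: {len(DIRECT_DEPS)}, actually shipped: {len(report['licenses'])}")
    print("not in the manifest:", report["hidden"])
    print("license review needed:", report["flagged"])
```

On this constructed input the manifest lists 2 packages while 6 are shipped, and both review-list licenses arrive only through transitive dependencies.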
#4: Not checking for library updates
The great thing about open source is that there’s an entire community out there using, QA-ing and fixing whatever’s necessary.
But do you remember to check for updates on the libraries you use?
#3: Forgetting to look up security alerts
Security alerts for the libraries you use are constantly published and updated, as are the fixes for those vulnerabilities.
Are you staying on top of it all?
Once a month is not enough when it comes to security vulnerabilities: if an open source library you use is vulnerable, then your entire product is vulnerable.
#2: Using a spreadsheet to do it all
Really? A spreadsheet (while cheap) is something you need to remember to update, and something you need to make your programmers update. Using it means that you all spend time checking for dependencies, looking for updates, security vulnerabilities...
Not as cheap as it seems, right?
#1: Doing it only when you have to
Every time you have to prepare an open source report for a customer or a new release, you have to stop everything else you are doing and make sure that you know of all the open source components in your software (including dependencies), that they all have an acceptable license, and that you comply with the license terms.
Wouldn’t it be great if you could get a full open source report by clicking a button?