How do you think people manage their open source components?
In a few weeks we will release an extensive survey we did on the practices of Open Source Software (OSS) usage in software development organizations.
In the meantime we wanted to focus your attention on an interesting detail that emerged from our survey - the hidden costs of mismanaging open source.
Many companies spend significant efforts (though they are often unaccounted for) tracking open source usage. In 81% of the cases (according to our survey), open source management is left to individual developers or low-level team leaders. The result is inconsistent treatment, which is a sure recipe for license non compliance, risk to the company’s own intellectual property, and substantial risk of unpatched defects and security vulnerabilities.
The point is that Individual developers are not skilled in managing OSS libraries. They are coders or algorithmic engineers, not managers (or devops personnel) so they are not qualified and lack the understanding and motivation to do these management chores properly. Furthermore - the time that they spend on these tedious reporting tasks is wasted time that can be used for coding and development (which is the reason they are there in the first place!) and when they do get to these chores its mostly at the wrong time (in the crunch of a release or OEM/M&A transaction), and are therefore very expensive and extremely ineffective.
So the question is: “Why do R&D teams do these tasks?”, “Why it is so ineffective?”, and “What can we do better?”
The modern solution is called "OSS Lifecycle Management" - an innovative approach for automated monitoring of your OSS inventory.
This approach uses software plug-ins to your development server/s, and automatically detects new open source components as soon as they are entered by developers. It also provides continuous and comprehensive and up-to-date OSS inventory reports (down to the last dependencies); License risks analysis and compliance reports and proactive alerts on security vulnerabilities whenever discovered, as well as available fixes. These solutions are easy to setup, requires no training to use, and completely removes the burden from developers. These services are available in SaaS model and affordable to companies of all sizes from startups to large enterprises.