What is Open Source Compliance?
Open source compliance is the act of adhering to, and demonstrating adherence to, open source guidelines, policies, regulations and legal obligations.
Compliance is all about how a company follows its own rules, and those imposed upon it from outside. Gartner defines three forms of compliance:
- Regulatory compliance, which is concerned with the laws the enterprise is subject to
- Commercial compliance, which involves the requirements placed on the enterprise by its trading partners, customers and supply chain
- Organizational compliance, which is driven by forces ranging from the need to preserve shareholder equity to the desire to demonstrate corporate social responsibility
Open source regulatory compliance addresses meeting the legal obligations of open source licenses, as well as meeting the requirements of regulations that may be affected by the use of open source. Examples of the latter include export restrictions on cryptographic code contained in open source, as well as Sarbanes-Oxley requirements to verify the ownership of material assets.
Commercial compliance requirements from trading partners can include verification of all third party software, including open source, used in a product. It is becoming more common for trading partners to require a software bill of materials that identifies the composition of software including what open source is included.
Organizational compliance – how a company follows its own rules -- can range from verification that software development standards for the use of approved stacks or components are being met, that legal obligations are being met, and other security obligations. The drivers for organizational compliance range from the need of development and operations executives to manage operational and technical risk to control development and support costs, the prevention of unknown or unsupported software being deployed in mission critical infrastructure to the management goals for improving reuse and standardizations as a way of limiting redundant development and inefficiency.
Governance and compliance go hand in hand: open source governance is the system and methods used to ensure open source compliance. The Black Duck Suite enables the implementation of an open source governance program that can ensure compliance with regulatory, commercial and organizational requirements.