OPEN SOURCE CULTURE, STANDARDS, RISKS, AND REMEDIATION: A DEEP DIVE
Jeff Luszcz, VP Product Management
[email protected] | @jeffluszcz
Disclaimer
IANAL; // I am not a lawyer
IANYL; // I am not your lawyer
IANYP; // I am not your programmer
The purpose of today's talk is to provide an introduction to Open Source Compliance.
Only your legal counsel can tell you what you need to do.
Topics
• State of the industry
• A Brief History of Open Source Licensing
• OSS Obligations
• Why do you need a license?
• OSS License Basics
• Distribution models
• Common Misunderstandings
• Best Practices: How are Companies Handling Today?
• Remediation
• Q&A
2018 - EVERY INDUSTRY IS SHIFTING toward OSS
Automobile, Healthcare, IoT, Education, SaaS, Media, Consumer Goods, Telco
The technology stack is changing quickly
Package managers, Containers, IoT, Linux
Software Vulnerabilities are becoming well known

GNU Bash - Shellshock (CVE-2014-6271)
• Potentially affects hundreds of millions of computers, servers and devices
• Shellshock can be used to remotely take control of almost any system using Bash
• Typical age: 5 years old (seen 13 years!)

Linux GNU C Library (glibc) - Ghost (CVE-2015-0235)
• Affects almost all major Linux distributions
• Millions of servers on the Internet contain this vulnerability
• Typical age: 3 years

OpenSSL - Heartbleed (CVE-2014-0160)
• 17% of the Internet's secure web servers (500M) believed to be vulnerable to the attack
• Allowed theft of the servers' private keys, users' session cookies and passwords
• Typical age: 3-4+ years old

Apache Struts 2 - CVE-2017-5638
• Remote Code Execution (RCE) vulnerability in the Jakarta Multipart parser
• Allows attacker to execute malicious commands on the server when uploading files
• Exploits are publicly available, simple to carry out, and reliable
THE SOFTWARE SUPPLY CHAIN IS BECOMING MORE COMPLEX
[Diagram: Your code in the middle, surrounded by Partner code, Open source projects, Supplier code, Commercial code and Copy+pasted source code; arriving as Software packages, Containers, Build dependencies, Source code, Binaries and Multimedia files]
THE STATE OF COMPLIANCE IS POOR
[Chart: Average OSS discovered by Flexera's audit teams (for the same projects) vs. average OSS disclosed by customers, 2012-2017. Discovered per year: 221, 236, 252, 454, 560, 590; the customer-disclosed averages on the chart are far lower. Source: Flexera Professional Services Audit data 2012-2017]
Increasing depth of analysis: Package analysis, Dependencies, Subcomponents, Binaries, Multimedia files, Copy-paste code
A BRIEF HISTORY OF OPEN SOURCE LICENSING
1940s-1980s: Commercial, one-off and public domain dominate
1976: US Copyright Act of 1976
198x: "Freeware" and one-off licenses
1985: X11/MIT license
1988: first GPL licenses for Emacs/Bison/etc.
1988: BSD license
1989: GPLv1
1991: GPLv2/LGPLv2
2002: Affero GPLv1
2007: GPLv3/LGPLv3/Affero GPLv3
OPEN SOURCE - OBLIGATIONS
Open Source is commonly confused with "Free" as in no-cost software.
Open source may be free of cost, but is not free of obligations.
Commonly referred to as "Free as in Speech, not Free as in Beer".
Open Source licenses have a list of obligations that users must follow in order to legally use the open source library under that license.
The act of following these obligations is called OSS Compliance or License Compliance.
Your compliance actions depend on how you are using these OSS components.
Most licenses have multiple obligations.
COMMONLY SEEN OBLIGATIONS
Obligation | Type of Obligation | Definition
Share Source | Copyleft aka Viral | Author requires user to share source code
Give Credit | Notice or Attribution | Name of author must be reported in About Box, Documentation, Website, etc.
Share Patents | Patent Clause | Author requires permission to use patents or license patents in this open source project
Restrict use | Restrict who can use this code | Restriction on military use, restriction on nuclear facilities, geography/countries, commercial use etc.
Vanity/One-Off Licenses | Give me free beer, say a prayer, Do No Evil | Requests by the author to do some sort of action not typically seen in contracts or licenses
Preserve Attribution | Attribution | Requires attribution/copyrights to be preserved in the source code
Provide Disclaimer | Disclaimer | Explain that the open source author is not responsible for the use of the software, even if it has defects
Supply Original License Text | License Text | Requires text of entire license to be provided to users
Commercial Terms | Pay for use of code | Classic software business model license
OPEN SOURCE - TWO COMMON LICENSE PHILOSOPHIES
Copyleft/Viral - Requires release of source code (some or all)
• General Public License (GPL) - You must supply all source if you link against GPL code and distribute the product
• Lesser General Public License (LGPL) - You must supply source to the linked library if you link against an LGPL-licensed library
• Affero General Public License (AGPL) - You must give source away if you use AGPL code and provide network access to the product (specifics may be murky depending on who you talk to!)
Permissive - Requires a notice in About Box, documentation, source code, NOTICE file, etc.
• BSD
• MIT
• Apache Software License 1.1
• Apache Software License 2.0
OPEN SOURCE - OTHER LICENSE TYPES
Vanity/One-Off Licenses
Free Beer License (e.g. Poul-Henning Kamp's malloc)
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <[email protected]> wrote this file. As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
Good Not Evil terms
The author requires you to do "Good" not "Evil" with their software (e.g. Json.org)
The Software shall be used for Good, not Evil.
WHY DO YOU NEED AN OPEN SOURCE LICENSE?
Copyright law (in many places) means that all source is explicitly copyright the original author EVEN if not marked.
You have no right to use someone else's code without permission.
Open Source (and commercial) licenses are the way of giving permission to use source code.
Lack of a license shows lack of maturity for the OSS project, and is often a sign of other problems!
It is not Open Source if you don't have a license.
WHAT DOES COMPLIANCE LOOK LIKE?
• You provide copyright notices in your About Box, Documentation, etc.
• You pass along license text to your users
• You provide the source code for GPL, LGPL, etc. modules
• You mark changes in source files
• You pay required patent licensing
• You pay for commercial libraries as needed
• You respect web service SLAs
• You do this for every release
WHAT DOES COMPLIANCE LOOK LIKE - LICENSE NOTICES
WHAT DOES COMPLIANCE LOOK LIKE - SOURCE BUNDLES
COMMON MISUNDERSTANDINGS
• Just because code is available, this does not give you any permission to use it.
• "Freely Available" != Open Source
• "Public Domain" is different than "Open Source"
• You still have compliance tasks even if you don't ship your product (SaaS or internal use)
• Belief that commercially licensed code has no OSS obligations
MINIMIZATION AND JAVASCRIPT
Most organizations are minimizing their JavaScript to save download time, speed up execution and obfuscate their code.
In many cases, only the minified versions of open source JavaScript libraries are being checked into SCM.
Additionally, many OSS packages will be concatenated together.
Over-minimization hides version info and prevents humans from identifying old versions.
Always store originals in un-minified form.
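The following script is an added example (not code from the deck or from Flexera) of what an auditor is left with when only minified, concatenated bundles are in SCM. It scans a constructed sample bundle for the `/*!` and `/**` banner comments that minifiers usually preserve, pulls a library name and version out of each, and separately lists version-looking strings that sit outside any banner; the third library in the sample has no banner at all, which is exactly the case the slide warns about. The sample bundle text and the name-before-version heuristic are assumptions of this example.

```python
import re

# Constructed sample bundle (not from the deck): two libraries whose
# "/*!" banner comments survived minification, concatenated with a third
# library whose banner was stripped entirely.
SAMPLE_BUNDLE = (
    "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors"
    " | jquery.org/license */\n"
    '!function(e,t){"use strict";e.jQuery=t}(window,{});\n'
    "/**\n * @license\n * Lodash <https://lodash.com/>\n * lodash 4.17.10\n */\n"
    ";(function(){var VERSION='4.17.10';this._={VERSION:VERSION}}.call(this));\n"
    "!function(){var n=function(t){return t+1};window.mystery=n}();\n"
)

# Comments that start with "/*!" or "/**" are what minifiers usually keep;
# everything else is assumed to have been stripped.
BANNER_RE = re.compile(r"/\*[!*][\s\S]*?\*/")
# A dotted three-part version, optionally prefixed with "v".
VERSION_RE = re.compile(r"\b[vV]?(\d+\.\d+\.\d+)\b")


def find_banners(bundle):
    """Return one {'name', 'version', 'offset'} record per preserved banner
    that carries a version string. The name is taken as the word that
    precedes the version on the same banner line (a heuristic)."""
    found = []
    for m in BANNER_RE.finditer(bundle):
        for line in m.group(0).splitlines():
            line = line.strip(" */!\t")
            vm = VERSION_RE.search(line)
            if not vm:
                continue
            before = line[: vm.start()].split()
            found.append({
                "name": before[-1] if before else "unknown",
                "version": vm.group(1),
                "offset": m.start(),
            })
            break
    return found


def unattributed_versions(bundle):
    """Version-looking strings found in code outside any banner. These are
    the clues a human would have to chase once the banner is gone."""
    banner_spans = [(m.start(), m.end()) for m in BANNER_RE.finditer(bundle)]
    outside = []
    for vm in VERSION_RE.finditer(bundle):
        if not any(s <= vm.start() < e for s, e in banner_spans):
            outside.append(vm.group(1))
    return outside


if __name__ == "__main__":
    for rec in find_banners(SAMPLE_BUNDLE):
        print(f"{rec['name']} {rec['version']} at byte {rec['offset']}")
    print("versions outside banners:", unattributed_versions(SAMPLE_BUNDLE))
```

Run against the sample, two libraries are identified and the third is invisible; that gap is the argument for keeping the un-minified originals (or a manifest) next to the bundle.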
YOUR DELIVERY METHOD AFFECTS OBLIGATIONS
SaaS vs shipping product (e.g. a distribution)
• Most OSS licenses only come into effect upon distribution
Embedded Linux vs application running on Linux
• Are you shipping Linux or are your users bringing their own?
Client/Server pieces
• Some parts hosted, some parts distributed
Mobile applications
• Classic distribution with some possible App Store implications
Web/JavaScript frontends
• The JavaScript, HTML, CSS sent to users' browsers
YOUR PRODUCT LIVES IN A DEEP STACK OF OSS AND $
FULL LINUX STACKS HAVE MANY OWNERS
The software development team is often different than the release team that puts a product into production.
Things often fall in the gaps between these teams.
They often have different management, legal contacts, and understanding of OSS licensing.
Companies may know some OSS from the release team (e.g. Linux, Apache httpd, MySQL, etc.) or some OSS from the software team (zlib, openssl, etc.) but not always from both.
A "good" list for the release team is often confused for a "good" list for the actual product.
Linux distributions often lead to long lists of OSS components but not always a clear understanding of the company's OSS choices in the product.
LINUX: COMMON AREAS OF CONCERN
• Linux can be complicated and contain many moving pieces
• The base for the OS often comes from the outside
• While everything is required to be declared, this is often hard
• Components that MUST be declared: Linux Kernel, Busybox, iptables/ipchains, U-boot, Multimedia & Codecs (e.g. ffmpeg, h264, etc.)
• Additions to your base Operating System (e.g. RPMs, etc.)
• Modifications to Device Drivers
COMMON AREAS OF CONCERN
While it is best to have a "Full" accounting of all third-party software, certain components may have a higher priority than others.
1) Linux-related technologies w/ GPL licensing
2) Cryptographic components - often highly targeted, and also have legal tracking requirements for export anyway
3) Compression components - similar to cryptography in terms of usage and programming techniques. Often highly targeted.
4) Multimedia components - widely used, often contain crypto and compression routines themselves. Patent concerns.
5) Application platforms - widely used, often contain crypto and compression, complex
6) Databases - central to all systems, complex
QUESTIONS TO ASK YOUR DEVELOPMENT TEAM
☐ Do we have a list of the open source and commercial libraries we are using?
☐ How deep have we looked? How complete is this list?
☐ What Cryptography, Compression, Multimedia and Application Server libraries are we using?
☐ Does this list include all libraries brought in through repository managers like Maven/RubyGems/npm, etc.?
☐ Do we have a list of all the web services we depend on? (e.g. credit card processors, stock price lookup, etc.)
☐ What Databases are we using? (including SQL, NoSQL, embedded, etc.)
☐ Do we ship VMs or Applications to our customers? What OS, OSS components and software stack are we shipping?
☐ What is the "Full Stack" required to run our product - including the OSS, DB, etc.?
☐ Do we have a "Disclosure List" from our commercial vendors?
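The "how deep have we looked" and "does the list include everything npm pulled in" questions can be answered mechanically for one package manager. Below is an added example (not from the deck) that reads an npm `package-lock.json` in both the older nested layout (lockfileVersion 1, recursive `dependencies`) and the flat layout (lockfileVersion 2/3, `packages` keyed by install path), then splits the result into what the team declared in `package.json` and what arrived transitively, and flags packages installed at more than one version. The lockfile and `package.json` contents are constructed samples, not from any real project.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 1, nested
# "dependencies") and the matching package.json; not taken from any real project.
SAMPLE_PACKAGE_JSON = {
    "name": "webapp",
    "dependencies": {"express": "^4.16.3"},
    "devDependencies": {"lodash": "^4.17.10"},
}

SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "webapp", "version": "1.0.0", "lockfileVersion": 1,
  "dependencies": {
    "express": {
      "version": "4.16.3", "requires": {"debug": "2.6.9"},
      "dependencies": {
        "debug": {
          "version": "2.6.9", "requires": {"ms": "2.0.0"},
          "dependencies": {"ms": {"version": "2.0.0"}}
        }
      }
    },
    "ms": {"version": "2.1.1"},
    "lodash": {"version": "4.17.10", "dev": true}
  }
}
""")

# The same tree in the flat lockfileVersion 3 layout (keys are install paths).
SAMPLE_LOCK_V3 = {
    "name": "webapp", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.16.3"}},
        "node_modules/express": {"version": "4.16.3"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/express/node_modules/debug/node_modules/ms": {"version": "2.0.0"},
        "node_modules/ms": {"version": "2.1.1"},
        "node_modules/lodash": {"version": "4.17.10", "dev": True},
    },
}


def inventory(lock):
    """Map package name -> set of installed versions, for lockfileVersion 1
    (recursive 'dependencies') and 2/3 (flat 'packages' keyed by path)."""
    found = {}

    def add(name, info):
        found.setdefault(name, set()).add(info.get("version", "?"))

    if "packages" in lock:
        for path, info in lock["packages"].items():
            if path == "":          # the root project itself, not a dependency
                continue
            # keep only the segment after the last "node_modules/" (scoped
            # packages such as "@scope/pkg" survive this split intact)
            add(path.rsplit("node_modules/", 1)[-1], info)
    else:
        def walk(deps):
            for name, info in deps.items():
                add(name, info)
                walk(info.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found


def classify(lock, package_json):
    """Split the inventory into what the team declared and what came along
    transitively, and flag packages installed at more than one version."""
    declared = set(package_json.get("dependencies", {})) | set(
        package_json.get("devDependencies", {}))
    inv = inventory(lock)
    return {
        "declared": sorted(n for n in inv if n in declared),
        "transitive": sorted(n for n in inv if n not in declared),
        "multiple_versions": sorted(n for n, v in inv.items() if len(v) > 1),
    }


if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE_LOCK_V1, SAMPLE_PACKAGE_JSON), indent=2))
```

On the sample, two of four packages were never declared by anyone on the team, and `ms` ships twice at different versions; both are the kind of thing a hand-maintained list misses.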
Commercial Compliance Issues
COMMERCIAL COMPONENTS COMPLIANCE ISSUES
• Commercial components are not often well marked, and often move around
• Get a list of known commercial components / check names / paths
• Commercial components often contain large amounts of undeclared OSS code
• All commercial components should come with a disclosure list of the OSS they use
• Push for such a list in contracts and via email discussions w/ a vendor
• It's usually not your job to perform a full review, but you may have to
• Find 1-5 undeclared OSS components to "force the issue" as needed
• Zlib / libpng / openssl / glibc / ffmpeg are all good candidates for easily discovered undisclosed OSS components
SUPPLIER'S CODE AND SDKS COMPLIANCE ISSUES
• You may also receive source code from commercial companies
• Vendors do not always mark code as clearly as they should
• GPL code will be right next to commercial or GPL/commercial code
• Often open source code is NOT marked and its licensing is unclear
• Know your contact person and have a process for logging IP bugs or questions
• Developers often get confused about whether this code is commercially or GPL licensed
DEALING WITH COMMERCIAL COMPONENTS
• Binary analysis is often needed
• The supplier's code may be in a special format (encrypted, stripped of symbols, compressed, etc.); see if you can get an unmodified file from before these modifications were performed
• Push for an independent outside review as needed
• Set a contractual standard for disclosure levels
• Understand that Linux OS full system compliance is difficult and the use of "ALL" in contract language may be difficult to enforce
SaaS Compliance Issues
WHAT'S DIFFERENT ABOUT SAAS?
Traditionally software is distributed to end users through physical means (via CD, embedded device, download, etc.)
Classic open source and commercial licenses were written with this in mind.
Many open source licenses only come into effect with a classic distribution (esp. many people's concern, the GPL). This is sometimes known as the "ASP loophole".
SaaS projects are not distributed in the classic way but instead run on a network server.
Users come to the software instead of the software coming to the users.
WHAT'S DIFFERENT ABOUT SAAS? (CONT.)
Because of the perceived reduced compliance needs around the GPL, many companies stopped or reduced urgency in tracking OSS licensing for SaaS projects.
Little or no credit was being given to the OSS backbones of popular SaaS products and changes were not being passed back to the community.
This led to concern in the OSS community about "Free Riders".
Members of the OSS community responded with the Affero General Public License (AGPL) in 2002 and updated it in 2007.
WHAT IS THE AFFERO GPL / AGPL?
The AGPL was designed to close the ASP loophole by treating network access as similar to a distribution.
The basic intent is to require source code for the entire application to be offered to the end users.
COMMON AGPL-STYLE LIBRARIES
The most common AGPL-style libraries we see are:
• iText PDF generation library (dual licensed AGPL or commercial)
• MongoDB (dual license AGPL w/ exception or Commercial)
• BerkeleyDB/Sleepycat (now AGPL or Commercial)
• Funambol (AGPL or Commercial)
• Ghostscript (now AGPL or Commercial)
• Neo4j (GPLv3/AGPL or commercial)
• Magento (OSL - similar to the AGPL)
Many of these are dual licensed with commercial options.
SAAS COMPLIANCE - TOP CONCERNS
Untracked libraries with vulnerabilities - old versions of OSS libraries
The AGPL is the classic OSS concern for SaaS vendors
Other AGPL-like licenses include:
• Common Public Attribution License
  http://en.wikipedia.org/wiki/Common_Public_Attribution_License
• Open Software License
  http://en.wikipedia.org/wiki/Open_Software_License
Other licenses that require review and compliance include:
• Commercially licensed libraries and tools
• Components marked "Not For Commercial Use"
• Components with restrictions on types of use (e.g. no military use)
• Licenses based on use, not just distribution
• Web attribution licenses (e.g. put a link on your homepage)
• Components with unknown license terms
OTHER SAAS COMPLIANCE ISSUES
Images, Icons, Fonts and Sounds
People are very good at recognizing these types of resources, and their history often gets confused by the developers
JavaScript and CSS
Often treated as a distribution with all the classic compliance requirements
Patent Licenses
Certain technologies like MPEG or other codecs may require license fees even if open source libraries are providing the functionality
Private Installations
Certain large customers may require private installs. These are a classic distribution
CONTAINER / PRIVATE CLOUD / PUBLIC CLOUD ISSUES
Business models change, sometimes overnight.
"Everyone" is a SaaS-only company until they get at least one very large company who wants a privately hosted version
SaaS projects often have many more GPL dependencies than a classic application and are hard to refactor or fix when going "Private" and trying to comply with distribution-style obligations
The timescales for reviewing OSS dependencies are often very short, sales team driven, not development team driven.
We found things we shouldn't be using; now what?
HOW ARE COMPANIES HANDLING TODAY?
Option 1: Remove and rewrite / get new OSS
A company may remove the rejected code and rewrite/re-implement the feature with new code
Very common during M&A and for risk-averse orgs
Risks/Drawbacks:
• Time required for rewrite
• "Dirty-room" re-implementations
• New code's license may be no better
HOW ARE COMPANIES HANDLING TODAY?
Option 2: Contact author and ask for license
A company may try to contact the author and ask/suggest an acceptable license (commonly MIT/BSD). Sometimes through an intermediary (outside legal)
Risks/Drawbacks:
• Author is now aware of use
• Author may desire stronger license than you
• Author may require commercial license
• The license is longer than the code!
HOW ARE COMPANIES HANDLING TODAY?
Option 3: Wait and See
A company may decide to do nothing, ship software and see if problems occur
Common for old code & risk-tolerant orgs
Risks/Drawbacks:
• Copyright infringement
• License problem if forced to comply
• Can't properly disclose OSS licenses
PICKING ALTERNATIVES TO REJECTED OSS LIBRARIES
• In many cases GPLv2 or GPLv3 libraries are appropriate and expected (especially lower in the stack)
• If you expect to keep your source closed you will more likely be required to remove GPL-licensed code if found in these closed areas
• Picking an appropriate alternative library has certain considerations
• Your development team is likely the best team to pick an alternative
• Legal should specify allowed licenses (e.g. MIT/BSD/Apache/Commercial)
• Legal should specify forbidden licenses (e.g. GPL/Affero/CC-SA)
• If an open source project can NOT be found, a "build" decision is made
• Projects will sometimes (rarely) provide commercial re-licensing of GPL code
• Do not let your team try to "relicense" the project without permission
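Once legal has published an allowed list and a forbidden list, the check against the component inventory can run in the build rather than in a meeting. The following is an added example (not from the deck) of that policy check. It normalizes the informal license names that show up in package metadata onto SPDX identifiers, handles dual-licensed components ("A OR B") by picking an allowed option when one exists, treats strong copyleft as expected in the OS layer (the slide's "lower in the stack") while flagging it in closed application code, and routes anything on neither list to legal for review. The policy lists, the alias table, the `layer` attribute and the component inventory are all assumptions constructed for the example.

```python
# Constructed example policy and inventory (not from the deck). License
# identifiers follow SPDX naming; the aliases map the informal names that
# turn up in package metadata onto SPDX ids.
POLICY = {
    "allowed": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "Zlib", "Commercial"},
    "forbidden": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "CC-BY-SA-4.0"},
    # Layers where strong copyleft is expected (the OS layer in the deck's terms),
    # provided the component ships unmodified and is not linked into closed code.
    "copyleft_ok_layers": {"os"},
}

ALIASES = {
    "GPLv2": "GPL-2.0-only", "GPLv3": "GPL-3.0-only", "AGPL": "AGPL-3.0-only",
    "AGPLv3": "AGPL-3.0-only", "Apache 2.0": "Apache-2.0", "BSD": "BSD-3-Clause",
    "CC-SA": "CC-BY-SA-4.0",
}

# Constructed inventory: name, license as recorded in metadata, and which
# layer of the product the component lives in.
COMPONENTS = [
    {"name": "linux-kernel", "license": "GPLv2", "layer": "os"},
    {"name": "zlib", "license": "Zlib", "layer": "app"},
    {"name": "readline", "license": "GPL-3.0-only", "layer": "app"},
    {"name": "itext", "license": "AGPL-3.0-only OR Commercial", "layer": "app"},
    {"name": "mystery-lib", "license": "UNKNOWN", "layer": "app"},
]


def normalize(expr):
    """Split a dual-license expression ('A OR B') into normalized SPDX ids."""
    return [ALIASES.get(p.strip(), p.strip()) for p in expr.split(" OR ")]


def evaluate(component, policy=POLICY):
    """Return (verdict, reason); verdict is 'allowed', 'forbidden' or 'review'."""
    options = normalize(component["license"])
    ok = [o for o in options if o in policy["allowed"]]
    if ok:
        note = " (dual licensed: pick this option, budget for it if Commercial)" if len(options) > 1 else ""
        return ("allowed", f"use under {ok[0]}{note}")
    bad = [o for o in options if o in policy["forbidden"]]
    if bad:
        layer = component.get("layer", "unknown")
        if layer in policy["copyleft_ok_layers"]:
            return ("allowed", f"{bad[0]} is expected in the {layer} layer; ship unmodified and keep the source offer")
        return ("forbidden", f"{bad[0]} in closed {layer} code; replace, rewrite, or seek a commercial relicense")
    return ("review", "license on neither list; send to legal before use")


def report(components, policy=POLICY):
    """Count verdicts so the review can be prioritised."""
    counts = {"allowed": 0, "forbidden": 0, "review": 0}
    for c in components:
        counts[evaluate(c, policy)[0]] += 1
    return counts


if __name__ == "__main__":
    for c in COMPONENTS:
        verdict, reason = evaluate(c)
        print(f"{c['name']:12} {verdict:9} {reason}")
    print(report(COMPONENTS))
```

The verdict for a dual-licensed component is "allowed" only because a commercial option exists; the reason string says so, because someone still has to buy that license before the AGPL alternative stops applying.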
WHAT IS SOFTWARE COMPOSITION ANALYSIS?
Security risk - Vulnerable OSS components
IP risk - Noncompliance with OSS obligations
Reputation
Today, developers are leveraging more than 50% of open source software (OSS) in their proprietary applications to speed up time to market and drive innovation.
BEGIN BY ESTABLISHING A PROCESS FOR SCA
©2018 Flexera | Company Confidential
CREATE A PROCESS THAT WORKS FOR YOUR COMPANY
HOW MATURE IS YOUR SCA PROCESS?
FLEXERA OSS AUDIT TEAM
[Chart: 87% no disclosures; M&A audits vs. baseline audits: Priority 1 issues (e.g. GPL, AGPL) 41% / 49%, Priority 2 issues (e.g. commercial, unknown) 16% / 11%]
FLEXERA SURVEYS THE INDUSTRY
Increasing Open Source usage and lack of Open Source governance
SETTING STANDARDS
Questions to ask your teams
"Are we using the latest version of Apache Struts 2?"
What if a customer said "Our IT dept refuses to deploy any applications with OpenSSL"?
"Are we vulnerable to that CVE in the news?"
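"Are we vulnerable to that CVE in the news?" is only answerable in minutes if the inventory carries exact versions and the check compares them correctly. The script below is an added example (not from the deck) that matches an inventory against advisory version ranges for the two CVEs the deck names. The inventory is a constructed sample; the affected ranges are embedded as sample advisory data taken from the public advisories (Heartbleed, CVE-2014-0160, affected OpenSSL 1.0.1 through 1.0.1f; CVE-2017-5638 affected Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10). The version parser handles OpenSSL's trailing-letter patch levels, which naive string comparison gets wrong.

```python
import re

# Constructed inventory (not from the deck). Package names are lowercased
# artifact names as they would appear in a build manifest.
INVENTORY = [
    {"name": "openssl", "version": "1.0.1e"},
    {"name": "openssl", "version": "1.0.1g"},
    {"name": "struts2-core", "version": "2.3.20"},
    {"name": "struts2-core", "version": "2.5.13"},
    {"name": "zlib", "version": "1.2.11"},
]

# Sample advisory data keyed by the CVEs named in the deck. Affected ranges
# (inclusive) are as published in the public advisories: Heartbleed hit
# OpenSSL 1.0.1 through 1.0.1f; CVE-2017-5638 hit Struts 2.3.5-2.3.31 and 2.5-2.5.10.
ADVISORIES = [
    {"id": "CVE-2014-0160", "alias": "Heartbleed", "package": "openssl",
     "ranges": [("1.0.1", "1.0.1f")]},
    {"id": "CVE-2017-5638", "alias": "Struts Jakarta Multipart RCE", "package": "struts2-core",
     "ranges": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]},
]

PIECE_RE = re.compile(r"(\d+)([a-z]?)$")


def parse_version(text):
    """Turn '1.0.1f' into [1, 0, 1, 6]: digits become ints and a trailing
    letter (OpenSSL's patch-level convention) becomes its alphabet position,
    so '1.0.1' < '1.0.1f' < '1.0.1g' compares the way the project intends."""
    parts = []
    for piece in text.split("."):
        m = PIECE_RE.fullmatch(piece)
        if not m:
            raise ValueError(f"unsupported version string: {text!r}")
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)) - ord("a") + 1)
    return parts


def version_le(a, b):
    """a <= b with shorter versions zero-padded ('2.5' == '2.5.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa <= pb


def affected(name, version, advisories=ADVISORIES):
    """CVE ids whose inclusive ranges contain this package version."""
    hits = []
    for adv in advisories:
        if adv["package"] != name.lower():
            continue
        if any(version_le(lo, version) and version_le(version, hi) for lo, hi in adv["ranges"]):
            hits.append(adv["id"])
    return hits


def scan(inventory, advisories=ADVISORIES):
    """Only the inventory entries that match an advisory, with the ids."""
    results = []
    for c in inventory:
        ids = affected(c["name"], c["version"], advisories)
        if ids:
            results.append((c["name"], c["version"], ids))
    return results


if __name__ == "__main__":
    for name, version, ids in scan(INVENTORY):
        print(f"{name} {version}: {', '.join(ids)}")
```

The same inventory also answers the "no OpenSSL at all" customer question with a one-line filter on `name`; the hard part is never the query, it is having an inventory with exact versions to run it against.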