Ahead of Trinity’s Code of Ethics event, Martin Callinan discusses the benefits that open source software can provide, as well as the risks and ethical issues companies need to consider.
Martin Callinan is the founder and director of Source Code Control, a UK-based open source and cloud transformation consultancy.
He is an open source expert with over 20 years of experience helping companies manage the risks associated with open source software supply chains, such as IP compliance processes, security vulnerability management and compliance.
Callinan is one of the speakers at the Code of Ethics conference to be held at Trinity College Dublin on July 1. The event will examine how open source technology and its community can deliver code for everyone, bring changes to social environments, and the potential benefits for commercial and nonprofit organizations.
“One area in particular where open source is expected to play a key role is in public services such as health, local and central government”
– MARTIN CALLINAN
What are the main advantages that open source software can offer companies?
All software developed today will include open source software components and libraries. The fundamental benefit is that developers share code that addresses technical challenges – this avoids having to develop common features from scratch, making software development projects more efficient and reducing time to market.
A good example is the Android Open Source Project. Android is based on the Linux kernel. The base mobile operating system is open-source and is developed by a community of organizations and individual developers. Having a community contributing to the operating system brings economies of scale. It also allows developers to collaborate and share best practices and ideas to build skills and help the software industry move forward.
Many traditional industries such as automotive have evolved into software companies. Tesla is a prime example of a software-driven automotive company, where cars include software-connected services, all based on open-source technology.
Another area where open source proves to be a big advantage is in cloud services. Many organizations are migrating both infrastructure and applications to the cloud. Legacy on-premises applications are being modernized, and the required architecture and development is enabled by open source software.
How has open source software developed in recent years?
The biggest change we’ve seen is the use of open source becoming accepted and enterprise-ready. Many large software companies that historically viewed open source as a threat have now embraced open source and contributed code that can be exploited by software developers.
A good example would be Microsoft, whose developers are now one of the biggest contributors to open source on the GitHub code-sharing site. This shift has also seen coding standards and practices evolve, raising the bar for the quality of open source code available.
Were there any defining moments that drew attention to open source software?
By far, the biggest milestone related to open source is the success of the Linux kernel and the software solutions and industries that have benefited from open source.
The Internet we all enjoy today runs on Linux. Likewise, mobile devices and cars are supported by Linux and other open source technologies. Organizations are not locked into individual vendor policies and restrictions and are free to control their own destiny.
Which industries can get the most out of open source software?
All industries can and do benefit from open source software. One area in particular where open source is expected to play a key role is in public services such as health, local and central government. Public sector organizations around the world provide common publicly funded services to citizens.
The ability to share code for solutions that can be modified and evolved without needing to be locked into software vendors allows for great efficiencies and economies of scale. In the healthcare industry, clinicians are involved in the development of healthcare software solutions, working alongside software developers to create the solutions they need to deliver effective healthcare services.
You are heavily involved in risk management in this area. What are the biggest risks associated with open source and how can companies mitigate them?
There is a widespread perception that open source software can be used freely without any obligation or cost. This is incorrect. The term “free” in relation to open source refers to freedoms: the freedom to use the software, to view its source code, to modify the source code and to distribute it.
However, there are open source licenses that govern the rights to use open source. A basic requirement is that if you use code under an open source license, you give attribution to the copyright holder. Some licenses provide that if you use the code in a solution under development, users of the solution must have access to the source.
These obligations can create intellectual property legal risk for organizations and conflict with business models. For example, if a software vendor has IP value in the software they develop, then controlling access to source code would be a business imperative. There have been a number of cases where companies have been forced to disclose their source code due to the use of open source libraries under a license that requires source code disclosure.
Another risk is software security. Most developers are under pressure to deliver code. Leveraging open source components from sites like GitHub and NPM goes a long way in speeding up software development. However, some components may have known security vulnerabilities that could end up in a solution that could then be exploited by malicious actors.
In recent years, there have been supply chain attacks where malicious code is injected into open source code on code sharing sites, which enters the software supply chain and is then exploited. Because of these risks, the industry has come together to provide standards and best practices to guide developers in creating solutions that customers can trust.
In 2016, the Linux Foundation founded the OpenChain project. This is a community-based project aimed at building trust in the software supply chain. Organizations such as Microsoft, Siemens, Bosch and Google, to name a few, have collaborated to produce best practice that can be adopted by software vendors to mitigate the risks discussed. In 2020, this became an international standard.
In the United States, the White House issued an Executive Order on improving the country’s cybersecurity, which includes a requirement to track and manage the use of open source components and provide government users with a software bill of materials – which is analogous to a list of ingredients on food packaging.
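The two risks described in this answer, license obligations and components with known vulnerabilities, are exactly what a software bill of materials lets a team check mechanically. The script below is an added example (not code from the interview or from Source Code Control): it audits a constructed SBOM against a constructed licence classification and a constructed advisory list, and all component names, versions and advisories are placeholders.

```python
# Added example (not from the interview or Source Code Control): a minimal
# software bill of materials (SBOM) audit in the spirit of the "list of
# ingredients" analogy. Every component, version, licence class and
# advisory below is a constructed placeholder, not real data.
from dataclasses import dataclass

# Simplified licence classes matching the obligations described in the
# interview: attribution for permissive licences, source disclosure for
# copyleft ones. Constructed for illustration, not legal advice.
ATTRIBUTION_ONLY = {"MIT", "BSD-3-Clause", "Apache-2.0"}
SOURCE_DISCLOSURE = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed advisory feed: component name -> versions with a known issue.
KNOWN_VULNERABLE = {
    "example-logging": {"2.0.0", "2.1.0"},
    "example-json": {"1.4.2"},
}

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    copyright_holder: str

def audit_sbom(sbom):
    """Flag components with known vulnerabilities, components whose licence
    obliges source disclosure, and licences the policy does not recognise."""
    known = ATTRIBUTION_ONLY | SOURCE_DISCLOSURE
    return {
        "vulnerable": [c.name for c in sbom
                       if c.version in KNOWN_VULNERABLE.get(c.name, set())],
        "source_disclosure": [c.name for c in sbom if c.license in SOURCE_DISCLOSURE],
        "unreviewed_license": [c.name for c in sbom if c.license not in known],
    }

def attribution_notice(sbom):
    """Build the NOTICE text that attribution obligations call for."""
    return "\n".join(f"{c.name} {c.version} ({c.license}) - Copyright {c.copyright_holder}"
                     for c in sorted(sbom, key=lambda c: c.name))

# Constructed SBOM for a hypothetical product.
SBOM = [
    Component("example-logging", "2.1.0", "Apache-2.0", "Example Logging Authors"),
    Component("example-json", "1.5.0", "MIT", "J. Doe"),
    Component("example-db", "3.2.1", "AGPL-3.0-only", "Example DB Project"),
    Component("example-ui", "0.9.0", "Custom-EULA", "Example UI Ltd"),
]

if __name__ == "__main__":
    print(audit_sbom(SBOM))
    print(attribution_notice(SBOM))
```

A real pipeline would read the SBOM from a standard format such as SPDX or CycloneDX and pull advisories from a vulnerability database rather than from constants.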
And what about the ethical side of open source?
One area of ethics that is a hot topic is the lack of contribution to open-source projects and also a lack of funding. There have been a number of high profile security vulnerabilities related to open source projects, for example Log4J, which have exposed this problem.
Log4J is a relatively unobtrusive piece of code that is widely used. The vulnerability that has been discovered is highly exploitable and many large companies use and depend on it. The maintainer who fixed the Log4J bug contributed to the project part-time and only had three GitHub sponsors (a way for people to pay project volunteers).
We’ve also seen an increase in so-called ethical licensing. A developer called Coraline Ada Ehmke created the Hippocratic License which adds ethics to open-source projects.
The thing is, open source software isn’t free for everyone – there are obligations and ethics to consider when adopting and using it.