Software development is synonymous with rapid development and a technology stack that is always evolving. The only way to keep up is by using open source build-blocks. With loads of external components it’s essential to have a process that keeps track of them all.
Without the right tools this is really challenging. Open source dependencies in ecosystems like npm
and maven
range in hundreds per application. Every single dependency has open source licenses and conditions of their own, that you are required to comply with.
Failing to do so can cause reputational damage and have serious monetary consequences. Still many organizations manage their software assets manually - tedious work that exposes organizations to risk.
Turn manual tasks into automated compliance
Keeping track of ever-changing software assets and licenses manually, in excel sheets and in hindsight simply won’t cut it. Automating the process is a must, with:
- Software Composition Analysis (SCA) tooling to create an up-to-date inventory of software assets
- Accurate license identification
- Automatic tracking of security risks and license information for each asset
But a complete inventory of assets does not ensure compliance on its own.
Continuous compliance is achieved by guarding the supply chain in real-time. Enforcing business license policies and preventing packages with non-compliant licenses from being used in the organization.
Know your license inventory before it becomes a showstopper
Most importantly, businesses need to keep track of their license composition as part of the regular software development lifecycle, identifying and evaluating key information and risks when adopting new software. But other major events, like Mergers & Acquisitions (M&A) proceedings or releasing new software to the public also needs to be considered.
Maintaining an accurate and up-to-date license inventory is integral to avoid lawsuits due to a license breach. Shifting left helps remediate risks early.
It’s imperative to keep track of the licenses used in your projects to ensure license compatibility. Not all open source licenses are compatible - permissions and conditions of one may conflict with the requirements of another.
Due diligence is an important event for any business, so you want to guarantee a smooth process without hiccups. A due diligence process includes taking detailed inventory of software assets, licenses and security risks in the business. Make sure to be prepared and not delay one of the most important transactions for your business.
Continuous license compliance
Continuous compliance means managing licenses and risks, for every open source component used, directly when developing and in CI/CD environments.
Traditional SCA tools stop at identifying license information in a static list of software assets. Bytesafe takes it a few steps further by automatically enforcing your license rules and blocking unwanted licenses according to your business' unique needs.
Staying on top of your license compliance with Bytesafe:
- Software Composition Analysis: Automatic license inventory for the components used by your organization
- Dependency firewall: License policies to enforce your rules. Keeping unwanted licenses out of your organization
License composition - accurate, up-to-date & accessible
To ensure license accuracy, the License Compliance Plugin scans for information directly in the package files of your open source dependencies hosted in Bytesafe.
This information supersedes any license metadata - as there is no guarantee for metadata (e.g. package.json
) to be accurate.
License dashboards provide an overview of all license compliance information for a registry - compiled in an easy to access place. Users can access key license metrics and what licenses are in use for their software composition.
License policies
License policies in Bytesafe govern what licenses to allow or flag as potential issues, and what licenses to block. Translating your unique license compliance needs into actionable policies.
Each license policy consists of license rules for any number of licenses. Associating a severity with a specific license automatically opens a Bytesafe issue when such a license is detected in your codebase.
Fully customizable policies - with templates to get you started
License policies in Bytesafe are fully customizable, allowing you to tailor each policy to your unique use cases.
Know your compliant open source licenses? Start from scratch, only allowing a set of licenses and blocking all others.
Don’t fully know what open source licenses you can expect to see for your projects? Start with one of our templates and align it with what you know and trust. Make sure to get notified of all others.
Interested? We are here to help
Security and compliance can be daunting tasks - for developers and stakeholders in Open Source Program Offices (OSPO).
For more information on how Bytesafe can help your organization with open source license compliance contact me or schedule a demo.
For additional reading, see our posts on the benefits of a secure supply chain and open source license basics - from copyleft to permissive.
Thanks for reading!