The goal is to put in place policies, systems and processes to ensure a reasonable standard of care over the use of open source software. Companies can also put in place governance solutions that allow them to inventory their open source usage, implement open source policies, automate approval processes, track and audit open source deployment and ensure compliance with open source licenses.

A critical component of open source governance is to understand what open source software your enterprise is using and where it is being used. Besides helping you ascertain legal risk, understanding "what and where" is critical when systems go down, security vulnerabilities are uncovered or legal actions occur.

Surprisingly, most enterprises do not have a handle on how much open source they use. While some open source technologies are widely used by companies of all sizes, other packages are downloaded by developers, bypassing standard procurement processes and controls. In addition, some tools are often deployed unknowingly because they are bundled inside other packages the developer wants.

In fact, open source programs can contain dozens of other open source components, making it difficult to assess what open source software is used and what licenses are involved. Creating a baseline for open source inventory is a key step in governance. This will help you identify actions needed to mitigate legal risks and plan for the use, support and updating of open source components.

The license conundrum