How to avoid the risks of open source licences ?
Table of content
- Definition of the open source licence for a better understanding of the concept
- The main open source licenses
- How to minimise the risks of using an opensource licence ?
- Answers to your questions about open source software
Open source licences represents a €5,5bn market in the UK alone, based on 2022 figures published by the CNLL (National Council of Free Software). Before adopting this solution, it is essential to take all the security, legal and practical risks into consideration.
Definition of the open source licence for a better understanding of the concept
By definition, open source software is a program, whose code is open, as opposed to proprietary software, whose code is totally locked. To put it simply, open source software is a program whose source code is released to the general public.
There is a conceptual difference between open source software and free software. According to the rules laid down by Richard Stallman, one of the founders of the free software movement, a program is free if it meets four main criteria :
- the freedom for everyone to use the program without restriction,
- the freedom to analyse how the program works,
- the freedom to share and redistribute copies of the program,
- the freedom to improve the source code for the benefit of as many people as possible.
The main open source licenses
When using an open source licence in a company, it is important to pay particular attention to the type of licence held by the program. Here are the three main types of open source licences available on the market today and their main characteristics :
The public domain
By publishing a program in the public domain, the programmer or developer gives up their copyright. Everyone is therefore free to use, share and also modify the software. This is notably the case with the CC0 (Creative Commons Zero) licence.
The permissive license
There are many licences that grant extended rights to users, although the licensee does not waive the copyright or the protections afforded by the licence. It is possible to market a program under a permissive licence under certain conditions. Also, the vast majority of these types of licences do not grant a guarantee of use. MIT and BSD licences fall into the permissive category.
Contrary to what one might think, copyleft does not mean giving up one’s copyright to a program. The idea of copyleft is to make it easy to copy and share a program, without giving up the rights inherent in the licence. Depending on the degree of copyleft (weak or strong), a copyleft licence implies that all or part of the code developed around the open source component meets the same requirements as the licence from which the open source comes. Even derivative programs (forks) are required to respect the original licence. This is especially the case with the GNU GPL.
How to minimise the risks of using an opensource licence ?
More and more companies are integrating opensource solutions into their structure. This is particularly the case for server administration using the Apache licence and database management. CMSs such as Wordpress, Joomla and Prestashop, used to design websites, are also available under opensource licence.
Thousands of software products are now available as open source for companies and offer a particularly advantageous access cost. Here are the points to consider before implementing an opensource solution :
Take note of the current licence
Software that can be downloaded for free does not necessarily mean that it is free software. Some non-paying programs are proprietary, for instance, and can only be used in certain contexts (personal use, limited to SMEs, etc.). For a larger-scale exploitation, it is often necessary to pay.
Some open source systems operate under dual open source and proprietary licences, as is the case with MySQL. Ignorance of the licences may expose you to fines for non-compliance or even legal action. Before any new use, you should take the time to read each clause of the licence.
Before opting for an open source licence, it is also necessary to understand the documentation licence and length of the technical support. Taking the example of Ubuntu distributions (Linux), there are LTS versions that benefit from both a more extensive documentation and a longer period of support from its developers.
In the case of CRMs and ERPs, which allow you to manage collaborative projects online, the licence varies according to the number of users. For ERPNext, for example, the free open source licence version does not include the warranty. In case of a bug or crash that causes damage to your database, you will have to provide technical support yourself. For Odoo, the basic version (invoicing and accounting) is free, but access to the additional modules (HRM, stock management, multi-user project management, etc.) is not.
A preliminary simulation will be required to identify the actual operating cost based on the possibilities offered by the open source licence, regardless of the software implementation project.
Taking into account the flaws of open source software
No software, proprietary or open source, can claim to be perfect in terms of security. That is why updates are regularly published to correct all the flaws that would allow hackers to steal data or sabotage the software, SaaS or website.
Out of all programs, 80% contain a vulnerability linked to the use of an open source solution and more than 50% are considered high risk. According to a study conducted by OSSRA (Open Source Security and Risk Analysis) in 2022.
For proprietary software, the responsibility for releasing a security patch or update lies with the software itself. In contrast, the collaborative nature of opensource solutions, whether under the GNU GPL, Copyleft or MIT licence, makes the community or foundations responsible for fixing security flaws. Access to the source code used to be seen as an advantage, since problems could be fixed immediately. Now, the proliferation of the open source library is weighing on the responsiveness of developers to release patches. If your company’s core software is late in getting the necessary updates, you will be fully exposed.
Consider the human factor
In many cases, it is the people in charge of the information system and the computer technicians themselves who are the source of security problems, as they sometimes forget to perform the necessary updates. This updating does not necessarily concern the main software, but sometimes dependencies that are not always monitored.
To minimise the security risks of open source licensed software, it is recommended to perform a vulnerability test before installing it. A clear security policy should then be defined. The frequency of updates should be determined and a monitoring system set up to keep abreast of detected flaws. The objective is to guarantee optimal security throughout the life of the software. This approach is all the more important if the installed application assumes critical functions for the company’s development.
Answers to your questions about open source software
What is open source software ?
Open source software is an application whose source code is open to the general public. This does not mean that the program is free, although the majority of open source solutions are available without access fees. For a company, it is essential to understand the legal scope of a licence in order to guarantee unfettered use of the chosen solution.
Why use open source ?
Open source software is in most cases free of charge and free to use while offering many features. It therefore reduces the cost of access and operation of the company’s information system. Nevertheless, it is necessary to pay particular attention to security and the nature of the licence to take full advantage of it.
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
Recommended for you