Intro to Setting Up a Compliance Process in Your Organization


Intro to Setting Up a Compliance Process in Your Organization
Indira Bhatt, Principal
Gwyn Firth Murray, Founder

Introductions: Indira Bhatt
Indira is currently an independent consultant, having worked previously as a manager in KPMG's San Francisco Advisory practice, with nearly 10 years of experience in the area of Free and Open Source Software (FOSS) due diligence. One of the original key members of the Palamida services team, Indira has over the years led hundreds of OSS due diligence deals and helped various organizations successfully contribute code to the open source community. Indira is also a community representative for the Linux Foundation's OpenChain Project and spearheaded the development of OpenChain's M&A checklist.

Introductions: Gwyn Murray
Gwyn Firth Murray, an "early adopter" in the legal community with respect to free and open source issues, is founder and principal of the Matau Legal Group. Matau Legal offers a broad range of commercial, licensing, and other legal services to both start-up and established companies in the high tech and biotech industries. Gwyn has worked as inside and outside counsel to computer hardware, computer software and pharmaceutical companies, including Apple, SGI, Alza Corporation, VA Linux Systems, and Kanisa, Inc. She has conducted her own law practice, dba Matau Legal Group, since 2002. Gwyn is a graduate of Stanford University Law School, and also holds an M.A. in Latin American Studies from Stanford University. She obtained her B.A. magna cum laude and with distinction in economics from Yale College.

Agenda
- Common issues and legal implications introduced by lack of an OSS compliance strategy
- Basic components of setting up an OSS compliance program
- Compliance as seen in M&A
- Standards and first steps
- Q&A

For an organization to use OSS effectively, there needs to be a process around OSS intake, detection of license and security issues, and remediation where action is necessary. Training of engineering and development teams is key.

Common Issues
- Lacking or inconsistent software intake process
- Lack of a mechanism for detection, or tooling, around OSS components
- License conflicts and noncompliance
- Lack of ultimate project ownership and company-wide governance policies (legal approval and rejection policies)
- Lack of awareness around the legal implications of these issues

Elements of a compliance program
People:
- Developers
- Legal
- IT and Ops
- Product Management
- Sales, Support and Services
Process:
- Continuous scanning
- Deep audits
- Legal approval and rejection
- Remediation
- Governance framework and policies
Technology:
- CI/CD OSS scan tooling
- Pre-release deep-scan OSS audit tooling

Basic steps to start creating a compliance program
- Management education and buy-in
- Gauging maturity by certification and checklists
- Defining developer education around OSS licensing, usage and modification
- Investing in OSS discovery tooling to create an OSS bill of materials and notices across product lines
- Conducting legal reviews before each major release and defining the approval and rejection policies
- Gauging timelines for remediation and necessary patching

From the field: Compliance as seen in M&A
- Open source code audits are performed as standard
- An existing software bill of materials speeds up deal closing
- Maturity around OSS usage or compliance processes is independent of company size
- Common issues found are improper use of components with strong copyleft or unknown licenses, unpatched security vulnerabilities, and limited ability to remediate quickly

Standards
- Self-certify with OpenChain
- Use checklists in M&A and non-M&A scenarios to gauge maturity
- SPDX standards: https://spdx.org/
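The deck calls for discovery tooling that produces a bill of materials, for legal approval and rejection policies, and for SPDX as the exchange format, and it lists strong-copyleft and unknown licenses as the most common findings. The following is an added example (not code from the presenters, OpenChain or any SPDX tool) of how those pieces fit together as a CI gate: a constructed component inventory is written out as a minimal SPDX 2.3 JSON document, and each package's concluded license is checked against a hypothetical approve/review/reject policy, failing the build on rejected or unknown licenses. The component names, versions and the policy assignments are assumptions; a real scanner would derive the inventory from package manifests and license detection.

```python
"""Minimal SPDX-style SBOM generation with a license policy gate.

Added example, not from the slide deck or from any OpenChain/SPDX tool.
The inventory is constructed sample data standing in for what a CI scanner
would produce from package manifests and license scanning.
"""
import json
from datetime import datetime, timezone

# Constructed sample inventory: hypothetical components and licenses.
SAMPLE_INVENTORY = [
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"name": "leftpad-py", "version": "0.1.0", "license": "MIT"},
    {"name": "readline-wrapper", "version": "1.2.0", "license": "GPL-3.0-only"},
    {"name": "mystery-lib", "version": "0.9.1", "license": None},   # no license found
    {"name": "netlib", "version": "4.0.0", "license": "AGPL-3.0-only"},
]

# Approval/rejection policy of the kind the deck says legal should define.
# Keys are SPDX license identifiers; which bucket each lands in is an
# assumption standing in for a real organization's policy.
POLICY = {
    "approved": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"},
    "review": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    "rejected": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}


def classify(license_id):
    """Map an SPDX license id (or None) to approved/review/rejected/unknown."""
    if license_id is None:
        return "unknown"
    for verdict, ids in POLICY.items():
        if license_id in ids:
            return verdict
    return "unknown"  # identifier present but not covered by policy


def build_sbom(inventory, product="example-product",
               namespace_base="https://example.invalid/spdx"):
    """Produce a minimal SPDX 2.3 JSON document (as a dict) for the inventory."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    packages = []
    for i, comp in enumerate(inventory):
        # SPDX uses NOASSERTION when no license could be concluded.
        lic = comp["license"] or "NOASSERTION"
        packages.append({
            "name": comp["name"],
            "SPDXID": f"SPDXRef-Package-{i}",
            "versionInfo": comp["version"],
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": lic,
            "licenseDeclared": lic,
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{product}-sbom",
        "documentNamespace": f"{namespace_base}/{product}",
        "creationInfo": {"created": now, "creators": ["Tool: example-sbom-gate"]},
        "packages": packages,
    }


def policy_gate(sbom):
    """Return (passed, findings). Rejected or unknown licenses block the build;
    licenses in the review bucket are reported but do not block."""
    findings = []
    for pkg in sbom["packages"]:
        lic = None if pkg["licenseConcluded"] == "NOASSERTION" else pkg["licenseConcluded"]
        verdict = classify(lic)
        if verdict != "approved":
            findings.append((pkg["name"], pkg["versionInfo"], lic, verdict))
    blocking = [f for f in findings if f[3] in ("rejected", "unknown")]
    return (len(blocking) == 0, findings)


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_INVENTORY)
    print(json.dumps(sbom, indent=2))
    passed, findings = policy_gate(sbom)
    for name, version, lic, verdict in findings:
        print(f"{verdict.upper():8} {name}=={version} license={lic}")
    raise SystemExit(0 if passed else 1)
```

Run as a script it prints the SBOM and the findings and exits non-zero when a rejected or unknown license is present, which is what makes it usable as a CI/CD scan step; the review bucket is deliberately non-blocking so that weak-copyleft components reach legal review without stopping every build.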

Questions?
Thank you!

Indira Bhatt
indira@tenthousandgiants.com
650-906-6042

Gwyn Firth Murray
gwyn@mataulegal.com
650-823-5864

