
Open Source / Inner Source

Open source is software made available with source code that anyone can inspect, modify, and enhance. It is provided with a license that dictates how the software can be used – for example, it might impose commercial restrictions or mandate that any modifications must also be shared back with the community.

Open source software may be developed in a collaborative public manner and so can bring in diverse perspectives beyond those of a single company.

It is important that organizations understand and mitigate the risks of open source. When an open source library is imported or used, all the dependencies that library uses are also included – and there can be many levels of transitive dependencies, resulting in the use of considerable amounts of software from unknown sources.

Software Composition Analysis (SCA) tools should be employed to analyse the dependency graph and keep an inventory of the third-party components used to build applications – these can then provide ongoing monitoring to:

  • report known security vulnerabilities and software bugs in those components
  • alert when updated versions are available
  • accurately track the open source licensing conditions so that all legal requirements are fulfilled, helping to avoid unfortunate surprises … such as jeopardizing exclusive ownership of proprietary code.
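The following is an added illustration of the three monitoring tasks above, not code from the original page or from any SCA product. It walks a small constructed dependency graph transitively (including a dependency cycle, which real graphs contain), builds an inventory of every component reached from the application, and flags each one for known advisories, available updates and copyleft licences. All package names, versions, licences, advisory identifiers (`EXAMPLE-…`) and the "latest version" index are invented sample data standing in for what a real tool would read from a lock file and a package or advisory database.

```python
"""Toy Software Composition Analysis (SCA) walk over a constructed dependency graph."""
from collections import deque

# Constructed sample metadata: names, versions, licences and edges are invented.
# A real SCA tool would read this from a lock file plus a package index.
PACKAGE_INDEX = {
    "webapp":     {"version": "1.0.0", "license": "Proprietary",  "deps": ["httpclient", "logger"]},
    "httpclient": {"version": "2.3.1", "license": "MIT",          "deps": ["tlslib", "urlparse"]},
    "logger":     {"version": "0.9.0", "license": "Apache-2.0",   "deps": ["fmt"]},
    "tlslib":     {"version": "1.1.0", "license": "BSD-3-Clause", "deps": ["fmt"]},
    "urlparse":   {"version": "3.0.2", "license": "GPL-3.0-only", "deps": ["fmt"]},
    "fmt":        {"version": "4.2.0", "license": "MIT",          "deps": ["tlslib"]},  # deliberate cycle
}

# Constructed "latest release" index (what an "update available" check compares against).
LATEST_VERSION = {"httpclient": "2.4.0", "logger": "0.9.0", "tlslib": "1.1.5",
                  "urlparse": "3.0.2", "fmt": "4.2.0"}

# Constructed advisories with placeholder identifiers; a component is affected when
# its version is below fixed_in (or fixed_in is None, meaning no fix exists yet).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "tlslib", "fixed_in": "1.1.5"},
    {"id": "EXAMPLE-2023-0042", "package": "fmt",    "fixed_in": "4.0.0"},  # already fixed in 4.2.0
]

# Licences whose terms commonly require sharing derived source; flagged for legal review.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}


def parse_version(v):
    """Turn 'a.b.c' into a comparable tuple of ints (sufficient for this sample data)."""
    return tuple(int(p) for p in v.split("."))


def walk_dependencies(root, index):
    """Breadth-first walk of the graph; returns {name: depth} for every transitive
    dependency of root (root itself excluded). Depth is the shortest path from root.
    The visited map doubles as cycle protection, so fmt <-> tlslib cannot loop."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in index[cur]["deps"]:
            if dep not in depth:
                depth[dep] = depth[cur] + 1
                queue.append(dep)
    del depth[root]
    return depth


def build_inventory(root, index=PACKAGE_INDEX, latest=LATEST_VERSION, advisories=ADVISORIES):
    """Inventory every component reachable from root, annotated with the three checks."""
    inventory = {}
    for name, depth in walk_dependencies(root, index).items():
        meta = index[name]
        ver = parse_version(meta["version"])
        vulns = [a["id"] for a in advisories
                 if a["package"] == name
                 and (a["fixed_in"] is None or ver < parse_version(a["fixed_in"]))]
        outdated = name in latest and ver < parse_version(latest[name])
        inventory[name] = {
            "version": meta["version"],
            "depth": depth,                       # how many levels removed from the app
            "license": meta["license"],
            "copyleft": meta["license"] in COPYLEFT,
            "vulnerabilities": vulns,
            "outdated": outdated,
        }
    return inventory


def findings(inventory):
    """Flatten the inventory into report lines a team could act on."""
    lines = []
    for name, e in sorted(inventory.items()):
        for v in e["vulnerabilities"]:
            lines.append(f"VULN    {name}@{e['version']} (depth {e['depth']}): {v}")
        if e["outdated"]:
            lines.append(f"UPDATE  {name}@{e['version']} -> {LATEST_VERSION[name]}")
        if e["copyleft"]:
            lines.append(f"LICENSE {name}: {e['license']} is copyleft; review before combining with proprietary code")
    return lines


if __name__ == "__main__":
    for line in findings(build_inventory("webapp")):
        print(line)
```

Run as a script it reports one vulnerable component (`tlslib`, two levels below the application), two components with updates available, and one copyleft licence; `fmt` is reached through a cycle but is listed exactly once, and its old advisory is correctly not reported because the version in use is past the fix. The depth field is what makes the "many levels of dependencies" point concrete: the vulnerable library is never named in the application's own manifest.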

Microsoft is a member of the OpenChain project and is OpenChain ISO/IEC 5230 compliant. This means Microsoft can trust the open source code that it uses and ensures all compliance obligations are met.

Inner source is the use of open source software development best practices and the establishment of an open source-like culture within an organization. Facilitating code reuse across teams focuses effort on solving new problems important to business goals, rather than on those that others have already solved.

https://github.com/open-source
https://resources.github.com/whitepapers/introduction-to-innersource/
https://www.openchainproject.org/