Best practice for open source also for companies that use "none"?
That surprises me, because experts report that open source components turn up in around 99 percent of software audits. Such audits are prompted, among other things, by negotiations with resellers such as SAP, company acquisitions, strategic financing rounds, or compliance and security checks.
As a rule, hundreds, sometimes thousands of different open source components are found in these audits. Analysts have been reporting for some time that, as a rule, a third of application code already consists of open source components.
This also applies to the SAP community, where Android, Apache, Git, Java, Linux, Maven, OpenStack, Spring and hundreds of other smaller or larger components are playing an increasingly important role in IT.
So I wonder how to interpret the answer to my opening question. Does my interlocutor have no overview of in-house software development? Is the company unaware of, or indifferent to, what its developers are doing? Or is open source really not being used, leaving important potential for innovation and cost savings untapped?
Why is it important to know whether and to what extent open source is being used? The adage "What I don't know won't hurt me" protects neither companies nor management in the event of critical problems. As long as it is unknown whether, where and which open source is being used, there can be no effective protection.
Why does this matter? Open source components can come with unclear or even viral (copyleft) license terms, which in some cases have already led to expensive legal disputes with open source developers.
As with patents, there are now so-called trolls who target companies and "earn" millions this way. Since more than half of all audits uncover license types unknown to the management concerned, or components under critical GPL licenses, the potential risk is very high.
Cases are also known in which company takeovers, investments or OEM agreements have collapsed, or company valuations have fallen dramatically. Unlike mobile apps, which are updated through an app store, users of open source components are usually not informed automatically about new versions.
As a result, companies often run outdated versions containing critical bugs and security holes that have been publicly known for a long time. Developers have to take the initiative themselves and laboriously track down updates. Attackers do the same: they use public sources such as OWASP.org (whose Top 10 lists "Using Components with Known Vulnerabilities" as a distinct risk) and vulnerability databases for targeted attacks via insecure components.
Avoiding risks with best practices
The first step is to determine the actual extent of use, even if open source is not "officially" used. Companies should then define a process in which that use is regulated and, wherever possible, monitored automatically without slowing down development.
Companies such as SAP, Seeburger and Xing show that this can be done without friction, by governing open source use through agile processes and monitoring software. This protects against commercial risk and helps meet legal requirements such as the German IT Security Act.
There are now a number of proprietary, commercial solutions, mostly from the USA and Israel, although a closed-source tool for monitoring open source software seems somewhat paradoxical.
Solutions such as VersionEye from Mannheim take a different approach: they are themselves 100 percent open source (Apache license) and can be used free of charge for fully automated monitoring of versions, licenses and potential security risks.
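To make the two points above concrete (outdated components with long-known holes, and an automated inventory that checks versions, licenses and known advisories), here is an added example in Python. It is not code from the article, from VersionEye, or from any of the companies named; it parses a Maven pom.xml, resolves `${property}` version references, and checks each dependency against a license policy, an advisory feed and a "latest version" feed. The pom.xml, the component coordinates (org.example.*), the license entries, the advisory identifier DEMO-ADV-1 and all version numbers are constructed for illustration and do not refer to real projects or real vulnerabilities; in practice the three feeds would come from a registry or a monitoring service rather than from inline dictionaries.

```python
"""Added example: inventory and policy check of Maven dependencies.
Not code from the article or from VersionEye; every component, version,
licence entry and advisory below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml with three dependencies, one pinned via a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>demo-app</artifactId><version>1.0.0</version>
  <properties><parser.version>2.3.1</parser.version></properties>
  <dependencies>
    <dependency><groupId>org.example.io</groupId><artifactId>xml-parser</artifactId>
      <version>${parser.version}</version></dependency>
    <dependency><groupId>org.example.util</groupId><artifactId>string-helpers</artifactId>
      <version>4.0.0</version></dependency>
    <dependency><groupId>org.example.legacy</groupId><artifactId>report-engine</artifactId>
      <version>0.9-beta</version></dependency>
  </dependencies>
</project>"""

# Constructed licence metadata (SPDX ids); a missing entry means "unknown".
LICENSE_DB = {
    ("org.example.io", "xml-parser"): "Apache-2.0",
    ("org.example.util", "string-helpers"): "GPL-3.0-only",
}
# Constructed advisory feed: coordinate -> [(advisory id, first fixed version)].
ADVISORIES = {("org.example.io", "xml-parser"): [("DEMO-ADV-1", "2.4.0")]}
# Constructed "latest release" feed, as a package registry would publish it.
LATEST = {
    ("org.example.io", "xml-parser"): "2.4.2",
    ("org.example.util", "string-helpers"): "4.0.0",
    ("org.example.legacy", "report-engine"): "1.2.0",
}
# Policy: licences whose use must be cleared explicitly (hypothetical choice).
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    kind: str  # "license", "advisory" or "outdated"
    detail: str


def parse_pom(pom_xml: str) -> list:
    """Extract (groupId, artifactId, version) triples, resolving ${property}
    references against the <properties> block of the same pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = []
    for d in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        def text(tag, el=d):
            node = el.find(POM_NS + tag)
            return (node.text or "").strip() if node is not None else ""
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), text("version"))
        deps.append(Dependency(text("groupId"), text("artifactId"), version))
    return deps


def _components(version: str) -> list:
    # Numeric parts compare as numbers; a textual qualifier (beta, SNAPSHOT)
    # gets kind 0 so it sorts below any number in the same position.
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version)]


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter versions are padded with
    zeros, so 2.4 == 2.4.0 and 0.9-beta < 0.9."""
    ca, cb = _components(a), _components(b)
    n = max(len(ca), len(cb))
    return ca + [(1, 0)] * (n - len(ca)) < cb + [(1, 0)] * (n - len(cb))


def audit(deps, license_db=LICENSE_DB, advisories=ADVISORIES,
          latest=LATEST, denied=DENIED_LICENSES) -> list:
    """Apply the licence policy, the advisory feed and the freshness check."""
    findings = []
    for dep in deps:
        coord = (dep.group, dep.artifact)
        lic = license_db.get(coord)
        if lic is None:
            findings.append(Finding(dep, "license", "licence unknown; clarify before shipping"))
        elif lic in denied:
            findings.append(Finding(dep, "license", f"{lic} is on the deny list"))
        for adv_id, fixed in advisories.get(coord, []):
            if version_lt(dep.version, fixed):
                findings.append(Finding(dep, "advisory", f"{adv_id}: fixed in {fixed}"))
        newest = latest.get(coord)
        if newest and version_lt(dep.version, newest):
            findings.append(Finding(dep, "outdated", f"{newest} is available"))
    return findings


def run_audit() -> list:
    return audit(parse_pom(SAMPLE_POM))


if __name__ == "__main__":
    for f in run_audit():
        d = f.dependency
        print(f"{f.kind:8} {d.group}:{d.artifact}:{d.version}  {f.detail}")
```

On the constructed input this reports five findings: the parser has an open advisory and a newer release, the string library is under a denied license, and the legacy engine has no license information at all and is behind the current release. Wiring the same logic into a CI step that fails the build on "advisory" or "license" findings is the "automatic monitoring without hindering development" the article asks for; the version comparison is deliberately simple and does not implement Maven's full qualifier ordering.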