Open Source and something called Pandora's Box
The improper use of open-source components, in the worst-case scenario, could subject companies to costly litigation from parties like SCO Group of Lindon, Utah. ... "It's almost like you've got to be a lawyer now to develop software," said Jothy Rosenberg, chief executive and chief technical officer of Service Integrity, who this month ordered a 24-hour scanning of his company's Sift 3.5 software during a "code freeze" before its introduction. "In this day and age, anybody building a commercial piece of software has got to do this. It's like buying insurance on your building."
And here's something to consider:
Some liken it to the Sarbanes-Oxley (PDF) financial reporting requirements that have rattled executives at publicly traded companies. And the problems are related, in that Sarbanes-Oxley requires public companies to value their software and assess their litigation risks.
In that vein, from Wasabi Systems: The Sarbanes-Oxley Act and the GPL (get the PDF version here):
Third, and perhaps most importantly, the executives of American companies in violation of the GPL are themselves in likely violation of the Sarbanes-Oxley Act, which governs the disclosure of information to shareholders and the public. If the CEO of a corporation says that the corporation owns its assets, but that corporation is violating the GPL, that CEO can go to jail.
What's Wasabi Systems' advice? "Buy lots of Insurance."
The open-source advocates have been able to maintain the thousand-monkey argument largely because the opinion was widely held that open-source software benefits from lots of volunteers and is therefore more secure than proprietary closed-source software. But Enron, and particularly Sarbanes-Oxley, has turned this notion on its head with a vengeance. I've been getting e-mail from CIOs that indicates they are increasingly becoming aware that open-source software might not pass any security audits designed to comply with Sarbanes-Oxley.
That is because, in an audit, you have to be able to certify every part of an application. If there is even a chance that someone who has not been properly qualified touched a financial application or the platform on which that application resides, IT will fail the audit. Corporate boards are motivated to take draconian measures when this happens to protect their own assets.