Open Source Consulting

Thought Source are experts in Open Source and can provide deep assessment and advice for your code today.

WE PROVIDE DEEP OPEN SOURCE ANALYSIS AND REMEDIATION MANAGEMENT

Open Source can be as dangerous as it is powerful. Used in the right way, it can accelerate the development of solutions; used in the wrong way, it can expose your intellectual property to serious security vulnerabilities and make your product available for the public to use freely.

OPEN SOURCE CONSULTING SERVICES WE OFFER

FULLY HYDRATED OPEN SOURCE SCAN

We go beyond simply providing a list of dependencies and their licenses by gaining deep understanding of your source code and architecture. This lets us provide a practical assessment of risk and remediation. 

LICENSE USE ANALYSIS

Open Source is an ever evolving collection of licensing techniques, whose obligations can be triggered in various situations. The “safe” way in which you originally implemented your code may no longer be safe.

SECURITY VULNERABILITY ASSESSMENT

Open Source components can often be the cause of serious hidden attack vectors within your own product. As part of our scanning techniques, we determine the relevant public vulnerability disclosures which affect your product.

AGING OPEN SOURCE PROJECT USE

As part of our holistic open source approach, we determine your use of, and the associated risk from, old packages or projects which are no longer maintained.

OPEN SOURCE MODIFICATION

There is a right and wrong way to modify open source projects in order to protect your IP. We are experienced in helping product teams take the right approach.

RISK REDUCTION & REMEDIATION

Our analysis reports contain clear advice which is specific to your open source use. We provide easily digestible, prioritized risk mitigation strategies ready for implementation by your product group.

REMEDIATION PROJECT MANAGEMENT

We find that many product teams are not geared to manage the execution of open source remediation. Let us manage your project to ensure a clean bill of Open Source health!

ONGOING OPEN SOURCE HEALTH CHECKS

Don’t let our “point in time” Open Source analysis go out of date. We offer a fully managed health check service as part of our Thought Source Copilot solution.

Contact us now to get started with an Open Source review

INCORRECT OPEN SOURCE USAGE CAN DEVALUE SOFTWARE ASSETS

Reciprocal licenses, such as the GNU General Public License and the GNU Affero General Public License, can seriously impact software value

The Positive: Open Source enables rapid value creation

BUILD ON GIANTS

Industry standard, enterprise grade systems and components are available, such as Linux, Apache and Hadoop
</gml_replace>
<gr_replace lines="89" cat="clarify" orig="Although a component may">
Although a component may have favorable licensing terms, the owners can change those terms. This can impose onerous terms on core components of a product

ASSEMBLE & INTEGRATE

Create business value by assembling components instead of creating from scratch

LEVERAGE COMMUNITY

Harness the wider community to contribute to open source projects and leverage their effort

MINDSHARE

Open source has positive market associations and is considered superior on quality and cost perceptions

OPEN SOURCE IS EVERYWHERE

Most software and services of all kinds use Open Source

COMMON PITFALLS

Reciprocal licenses can force you to publish your IP if you are not careful!

CHANGING OPEN SOURCE COMPONENTS

If you change or modify components, then you are required to publish those changes to the community, even if this is your core IP

PUBLISHING YOUR CODE

Licenses like the GPL require you to publish your source code by simply using GPL code. If this is not done correctly, your entire offering can become open source, severely reducing its value

FREE IS NOT ALWAYS FREE

Some projects may be open source for noncommercial use only, or have restrictive terms that can only be solved by purchasing a commercial version

CHANGES IN LICENSING TERMS

Although a component may have favorable licensing terms, the owners can change terms. This can cause  onerous terms on core components of a product


WARNING: SaaS SOLUTIONS ARE NO LONGER IMMUNE FROM OPEN SOURCE RISK

The landscape is changing: what was acceptable before no longer is, and Thought Source has its finger on the pulse.

LICENSES TARGETING SAAS USAGE

New licenses such as the SSPL (Server Side Public License) mean SaaS providers need to publish source code if SSPL components are used. This impacts popular projects such as MongoDB and Elastic

SOURCE AVAILABLE NOT OPEN SOURCE

New source licenses such as the SSPL are not recognized as open source, but are considered “source available”. This indicates that the obligations and rights differ from those of traditional open source

CHANGING POPULAR PROJECT LICENSES

Popular projects that had permissive licenses have changed to SSPL style licensing, impacting existing users and requiring them to either use old versions, fork the project, or start to pay licensing fees

THE TRADITIONAL WAY IS BROKEN: HANDLING RECIPROCAL OBLIGATIONS

Software engineering teams have traditionally relied on certain guardrails to protect their IP when using Open Source. These traditional guardrails can be broadly classified into four approaches.

USE OPEN SOURCE AT THE BINARY LEVEL

Reciprocal obligations are focused on process boundaries: using open source components as separate binaries, rather than linking them into your own code, is safe

USE RECIPROCAL LICENSED CODE IN NON-CRITICAL AREAS

If reciprocal code is used in areas such as build tools or general code, publishing source code does not impact product IP

ARCHITECT AND EMBRACE RECIPROCAL CORRECTLY

Using reciprocal code in the right places, with process boundaries and separation can protect IP, allow contributions back to the community, and promote the vendor as a good corporate citizen

PROVIDE SOFTWARE ‘AS A SERVICE’

Licenses have traditionally relied on software being distributed to customers as the trigger for license obligations. Software provided on a SaaS basis is not distributed, so those obligations are avoided
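The four guardrails above, together with the SaaS and SSPL points earlier on this page, amount to a small decision rule: which license family a component carries, how it is used (separate process, linked in, or modified), and whether the product is distributed or hosted. The following is an added example, not Thought Source's tooling, that encodes that rule as a triage over a constructed dependency inventory. The license-to-family mapping and the severity labels are simplifying assumptions, and the output is a review aid, not legal advice.

```python
"""Obligation triage for an open source dependency inventory.

Added example (not the page's or any vendor's code).  Classifies each
component by license family and by how it is used, and reports which
reciprocal obligation applies.  The family mapping below is a deliberate
simplification (assumption); a real inventory needs a full SPDX mapping.
"""
from dataclasses import dataclass

# Assumption: simplified license families keyed by SPDX identifier.
STRONG_RECIPROCAL = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_RECIPROCAL = {"AGPL-3.0-only", "SSPL-1.0"}   # also triggered by hosted use
WEAK_RECIPROCAL = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}

SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Component:
    name: str
    license: str
    usage: str        # "process": separate binary; "linked": imported/compiled into your code; "modified": you changed it
    deployment: str   # "distributed": shipped to customers; "saas": hosted only


def family(license_id: str) -> str:
    """Map a license identifier onto one of the simplified families."""
    if license_id in STRONG_RECIPROCAL:
        return "strong"
    if license_id in NETWORK_RECIPROCAL:
        return "network"
    if license_id in WEAK_RECIPROCAL:
        return "weak"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def assess(c: Component) -> tuple:
    """Return (severity, obligation text) for one component."""
    fam = family(c.license)
    if fam == "unknown":
        return "high", "license not recognised: review before use"
    if fam == "permissive":
        return "none", "keep notices and attribution"
    # Network copyleft (AGPL, SSPL) is triggered by offering a service, not just by shipping.
    if fam == "network" and c.deployment == "saas":
        return "high", "hosted use triggers this license: service source must be published"
    # Everything else is triggered by distribution; a hosted-only product avoids it.
    if c.deployment != "distributed":
        return "none", "not distributed: no source obligation (re-check if deployment changes)"
    if fam in ("strong", "network"):
        if c.usage == "process":
            # Process boundary: obligations stop at the component itself.
            return "low", "publish this component's source (and any changes) only"
        return "high", "your linked code falls under this license: publish it or isolate across a process boundary"
    # Weak copyleft: obligations attach to the component, not to code that links it.
    if c.usage == "modified":
        return "medium", "publish your modifications to this component"
    return "low", "publish this component's source and allow relinking"


def triage(components):
    """Return (name, license, severity, obligation) rows, highest severity first."""
    rows = [(c.name, c.license) + assess(c) for c in components]
    rows.sort(key=lambda r: SEVERITY[r[2]], reverse=True)
    return rows


# Constructed inventory for illustration; not taken from any real product.
INVENTORY = [
    Component("crypto-core", "Apache-2.0", "linked", "distributed"),
    Component("pdf-tool", "GPL-3.0-only", "process", "distributed"),
    Component("db-client", "GPL-2.0-only", "linked", "saas"),
    Component("search-engine", "SSPL-1.0", "process", "saas"),
    Component("image-lib", "LGPL-2.1-only", "modified", "distributed"),
    Component("legacy-parser", "Custom-EULA", "linked", "distributed"),
]

if __name__ == "__main__":
    for name, lic, sev, text in triage(INVENTORY):
        print(f"{sev:6} {name:14} {lic:14} {text}")
```

Two of the constructed rows show why the "traditional way is broken": the GPL client used only in a hosted product comes out with no obligation, while the SSPL search engine in the same hosted product comes out as high severity even though it runs as a separate process. Any real inventory also needs the "unknown" bucket reviewed by hand; the point of the scan is to surface those rows, not to decide them.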

INTRODUCING

THE TECHNICAL DUE DILIGENCE SHOW

The Thought Source team have produced a video series covering the "behind the scenes" of performing technical due diligence for M&A projects.