FOSS for Enterprise

Understanding Open Source Licenses, Risks, and Compliance

Indrajeet Patil

xkcd comic showing modern digital infrastructure precariously balanced on a small project maintained by one person since 2003

(xkcd, CC BY-NC 2.5)

Source code for these slides can be found on GitHub

What you’ll learn today

  • FOSS licensing history and philosophies
  • Legal implications and compliance requirements
  • Enterprise risks: security, sustainability, and violations
  • Automated tools for managing open source dependencies

Scope

Inbound FOSS • Using open source in your products
Outbound FOSS • Releasing your code as open source

Visual representation of FOSS concepts

Disclaimer: Educational purposes only. Not legal advice.

FOSS Licensing

The FOSS Movement

Free Software

Book cover: Free as in Freedom - Richard Stallman's Crusade for Free Software by Sam Williams

Free Software Foundation (1985)

Four Freedoms:

Run, study, modify, share

Open Source

OSI logo

Open Source Initiative (1998)

Open Source Definition:

10 criteria (e.g. no discrimination against persons or fields of endeavour, license must travel with every redistribution, technology neutrality)

What are software licenses?

Different aspects of software are protected by different types of intellectual property law.

Software license: Legal instrument governing use, modification, and distribution of software

Book cover: Understanding Open Source & Free Software Licensing by Andrew M. St. Laurent

Movements ↔ License Philosophies

                 Reciprocal (Copyleft)                | Permissive
Origin           Free Software Movement               | Open Source Initiative
Philosophy       Preserve freedom for all users       | Maximum freedom to developers
Key feature      Derivatives must use the same license | Minimal restrictions
Examples         GPL, AGPL, MPL (weak, file-level)    | MIT, BSD, Apache
Goal             Ensure software remains free         | Enable broad adoption and use


License Combination Examples:

Copyleft + Custom = Copyleft (the combined work must be released under the copyleft license)

Permissive + Custom = Any License (the combined work may be released under any license, subject to notice/attribution terms)

When do licenses matter?

License obligations are triggered by distribution, i.e. conveying the software to a party outside your organization.

Internal use within your organization is generally NOT distribution.

Examples:

IS distribution:

  • Imaging software in shipped microscopes
  • Control software bundled with lithography systems
  • Lens design software for opticians

NOT distribution:

  • Internal development/testing tools
  • Web services on internal servers
  • R&D prototypes used internally

Caveat: the AGPL closes the "network use" gap. If users interact with a modified AGPL program over a network, you must offer them the corresponding source even though nothing was distributed in the conventional sense. Check for AGPL components before assuming a web service carries no obligations.

Enterprise Risks

Lack of awareness and compliance

Common issues:

  • Dependencies added unknowingly
  • Transitive dependencies unnoticed
  • License obligations misunderstood
  • No component inventory

Non-compliance consequences:

  • Copyright infringement lawsuits
  • Forced source code disclosure
  • Product sales injunctions
  • Reputational damage
  • Financial penalties


License changes can break your business:

Major FOSS projects have switched licenses, forcing downstream companies to pay or migrate.

Lesson: Monitor upstream license changes actively!

Case Studies: License Violations

Famous legal battles involving FOSS license infringement:

Germany • Dismissed

Linux developer sued VMware for GPL violation. The case was dismissed, yet VMware ultimately removed the problematic component.

Takeaway: Dismissed cases can still force compliance

USA • Settled

U.S. court let a breach-of-contract claim under the GPL proceed, treating the license as an enforceable contract. Landmark Ghostscript case.

Takeaway: GPL obligations are enforceable as a contract, not only under copyright law

USA • Multiple Settlements

First U.S. GPL enforcement lawsuits (over BusyBox) vs. Verizon, Best Buy, Samsung, and others.

Takeaway: Big names aren’t immune to enforcement

Security vulnerabilities

Common security risks:

  • Outdated packages with known CVEs
  • Unpatched critical vulnerabilities
  • Supply chain attacks

CVEs can enable:

  • Remote Code Execution - Run arbitrary code
  • Data Exfiltration - Access sensitive data
  • Denial of Service - Crash or disable systems

Meme showing open source developer applying a patch to fix software vulnerability (Flex Seal format)

Case Studies: Vulnerabilities

The cost of failing to patch FOSS vulnerabilities:

Unpatched Apache Struts (Equifax, 2017)

~148M people affected. Patch available 2 months before the breach. Cost: $575M settlement.

Takeaway: Delaying patches costs hundreds of millions

CVSS 10/10 Critical (Log4Shell, 2021)

Apache Log4j vulnerability. CISA director: “most serious in my career”. Hundreds of millions of devices vulnerable. Half of corporate networks probed.

Takeaway: Ubiquitous library = ubiquitous vulnerability

OpenSSL Heartbleed (memory disclosure, 2014)

17% of SSL servers affected (Yahoo, GitHub). A buffer over-read in the TLS heartbeat extension let any client read server memory, private keys included. Bug existed since 2011, disclosed 2014. Undermined Internet security foundations.

Takeaway: Encryption bugs expose everyone’s secrets

Sustainability risks

Common sustainability issues:

  • Maintainer burnout and underfunding
  • Abandoned or undermaintained projects
  • Toxic communities

Business impact:

  • No security patches or bug fixes
  • Forced migration to alternatives
  • Reputation damage from toxic projects

Book cover: Working in Public by Nadia Eghbal

Critical dependency risk:

FOSS project at your product’s heart = its sustainability is your sustainability

Case Studies: Sustainability Failures

Real-world examples of FOSS sustainability crises:

Package Removal (left-pad, 2016)

11 lines of code, 15M+ downloads. Maintainer unpublished it after a naming dispute, breaking thousands of builds (React, Babel, Node.js projects).

Takeaway: Tiny dependencies create massive failure points

Burnout & Underfunding (core-js)

9B+ downloads, 50% of top 10k websites. Solo maintainer earns ~$400/month, threatened to go closed-source.

Takeaway: Critical infrastructure runs on volunteer labor

Maintainer Protest (colors.js and faker.js, 2022)

3.3B+ downloads. Maintainer sabotaged his own libraries to protest Fortune 500s using free work without giving back.

Takeaway: Frustrated maintainers can become security risks

Automated Tools

Why automate FOSS management?

Problem                                              | How automation helps
Hundreds to thousands of direct dependencies         | Automated discovery of all FOSS components in the codebase
Tens of thousands of transitive dependencies         | Dependency mapping to track the entire dependency tree
Multiple package managers (npm, pip, Maven, etc.)    | Multi-ecosystem support across all package managers
Constantly evolving vulnerability landscape          | Continuous monitoring for newly discovered CVEs
Unknown license obligations                          | License detection and compliance checking
No visibility into component inventory               | SBOM generation (Software Bill of Materials)
Manual tracking doesn’t scale                        | Automated alerts and reporting for issues

Open Source Tool: Trivy

Trivy - Comprehensive security scanner by Aqua Security

  • Vulnerability detection
  • License scanning
  • Secret detection
  • SBOM generation

Scan a container image:

trivy image nginx:latest

Free, open-source, widely adopted in CI/CD pipelines

Trivy logo

Commercial Tool: Black Duck

Black Duck by Synopsys - Enterprise-grade SCA platform

  • Comprehensive vulnerability management
  • License compliance automation
  • Supply chain risk assessment
  • Policy enforcement

Configuration (application.properties):

blackduck.url=https://blackduck.example.com
blackduck.api.token=${BLACKDUCK_TOKEN}
detect.project.name=MyProject
detect.policy.check.fail.on.severities=BLOCKER,CRITICAL

Enterprise support, extensive database, advanced reporting

Black Duck logo

Integrating tools into your workflow

  • Scan early and often - Integrate into CI/CD pipeline
  • Set clear policies - Define acceptable risk levels
  • Automate fixes - Use dependency update tools (Dependabot, Renovate)
  • Monitor continuously - New vulnerabilities discovered daily
  • Educate developers - Make security everyone’s responsibility
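An added example, not part of the original slides and not Trivy's or Black Duck's own code, that turns the "scan in CI" and "set clear policies" points above, together with the Trivy scan from the Trivy slide, into a working gate. It applies a severity and license policy to a Trivy JSON report. The thresholds, the set of license names treated as reciprocal, the image name and the package com.example:acme-imaging-plugin are assumptions; the embedded report is constructed by hand to mirror the field names Trivy emits (Results[].Vulnerabilities[], Results[].Licenses[]), and only the CVE identifiers in it are real.

```python
"""Policy gate over a Trivy JSON report: blocks on severe CVEs and on reciprocal licenses."""
import json
import subprocess
import sys
from dataclasses import dataclass, field

# --- Policy (assumed thresholds; align them with your risk register and legal review) ---
ALWAYS_BLOCK = {"CRITICAL"}      # block even when no fixed version exists yet
BLOCK_IF_FIXABLE = {"HIGH"}      # block only when an upgrade is actually available
# License names this example treats as strong copyleft. Trivy reports the SPDX-style name;
# whether it is acceptable in a shipped product is a legal decision, not the scanner's.
RECIPROCAL = {"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0", "GPL-3.0-only",
              "GPL-3.0-or-later", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}


@dataclass
class Finding:
    kind: str                # "vuln" or "license"
    package: str             # name@version for a CVE, package name for a license
    detail: str              # CVE identifier or license name
    fixed_version: str = ""  # empty when Trivy reports no fix


@dataclass
class GateResult:
    blocking: list = field(default_factory=list)
    advisory: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def evaluate(report: dict, distributed: bool = True) -> GateResult:
    """Classify each Trivy finding. distributed=False models the slides' rule that internal
    use is not distribution: reciprocal-license findings then only warn. CVEs block either
    way, because an attacker does not care whether the binary was ever shipped."""
    result = GateResult()
    for target in report.get("Results", []):
        for v in target.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion") or ""
            sev = v.get("Severity", "UNKNOWN")
            f = Finding("vuln", f'{v["PkgName"]}@{v["InstalledVersion"]}', v["VulnerabilityID"], fixed)
            if sev in ALWAYS_BLOCK or (sev in BLOCK_IF_FIXABLE and fixed):
                result.blocking.append(f)
            else:
                result.advisory.append(f)
        for lic in target.get("Licenses") or []:
            f = Finding("license", lic["PkgName"], lic["Name"])
            if distributed and lic["Name"] in RECIPROCAL:
                result.blocking.append(f)
            else:
                result.advisory.append(f)
    return result


def summarize(result: GateResult) -> str:
    """Human-readable verdict; the last line is PASS or FAIL (<n> blocking)."""
    lines = []
    for f in result.blocking:
        note = ""
        if f.kind == "vuln":
            note = f" (fix: {f.fixed_version})" if f.fixed_version else " (no fix yet)"
        lines.append(f"BLOCK  {f.kind:<7} {f.package}: {f.detail}{note}")
    for f in result.advisory:
        lines.append(f"ADVISE {f.kind:<7} {f.package}: {f.detail}")
    lines.append("PASS" if result.passed else f"FAIL ({len(result.blocking)} blocking)")
    return "\n".join(lines)


def run_trivy(image: str) -> dict:
    """Run Trivy for a JSON report. Assumes `trivy` is on PATH and can reach its vulnerability
    DB; `--scanners` is the Trivy 0.38+ spelling (older releases use --security-checks)."""
    cmd = ["trivy", "image", "--quiet", "--format", "json", "--scanners", "vuln,license", image]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample mirroring the shape of `trivy image --format json` output. The image
# and the acme-imaging-plugin package are hypothetical; the CVE identifiers are real.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "registry.example.com/microscope-imaging:1.4.2",
    "Results": [
        {"Target": "app/imaging.jar", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-44228", "Severity": "CRITICAL", "InstalledVersion": "2.14.1",
             "FixedVersion": "2.15.0", "PkgName": "org.apache.logging.log4j:log4j-core"},
            {"VulnerabilityID": "CVE-2017-5638", "Severity": "CRITICAL", "InstalledVersion": "2.3.31",
             "FixedVersion": "2.3.32, 2.5.10.1", "PkgName": "org.apache.struts:struts2-core"},
        ]},
        {"Target": "app/imaging.jar", "Class": "license", "Type": "jar", "Licenses": [
            {"PkgName": "com.fasterxml.jackson.core:jackson-databind", "Name": "Apache-2.0", "Severity": "LOW"},
            {"PkgName": "com.example:acme-imaging-plugin", "Name": "GPL-3.0", "Severity": "HIGH"},
        ]},
    ],
}


def main(argv: list) -> int:
    """`python foss_gate.py IMAGE` scans for real; `--sample` (or no argument) uses the sample.
    Returns 1 on any blocking finding so a CI job fails closed."""
    report = run_trivy(argv[1]) if len(argv) > 1 and argv[1] != "--sample" else SAMPLE_REPORT
    result = evaluate(report, distributed=True)
    print(summarize(result))
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with an image name to scan for real, or with --sample to see the policy applied to the embedded report. The distributed switch ties the gate back to the licensing section: the same GPL-3.0 finding blocks a shipped image but only warns for an internal service, while the CVEs block either way. Unfixed HIGH findings are kept as advisories rather than hidden, so they still land in the report for a documented risk acceptance.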

Worth it?

Is FOSS worth the risk?

We’ve seen the risks…

  • License compliance challenges
  • Security vulnerabilities
  • Sustainability concerns
  • Legal complications

But the answer is YES! ✓

  • Innovation without reinventing
  • Massive cost savings
  • Battle-tested solutions
  • Vibrant ecosystems

The modern stack is FOSS

🎨 Frontend

TypeScript, React, Vue
Webpack, Vite, npm

⚙️ Backend

Python, Node.js, Java
FastAPI, Django, Express

💾 Data Layer

PostgreSQL, MySQL, Redis
MongoDB, Kafka, Elasticsearch

☁️ Infrastructure

Docker, Kubernetes, Linux
Terraform, Ansible, Git

You’re already using FOSS everywhere. The question isn’t whether to use it, but how to use it safely.

Summary

Key takeaways

FOSS is everywhere - Understand what you’re using

Licenses matter - Know the difference between reciprocal and permissive

Distribution triggers obligations - Understand when licenses apply

Security is critical - Don’t be the next Equifax

Automate everything - Use tools like Trivy or Black Duck

Thank You

Happy FOSSing! 😊


Check out my other slide decks on software development best practices


References