The Importance of Open Source Governance in Mitigating Risk

Best practices for managing risk when developing an effective open source policy

Programmers naturally gravitate toward the best software packages and components for development. They are increasingly choosing a broad range of enterprise-grade open source packages from Apache and Tomcat to Axis and Eclipse. But imagine for a moment this all-too-common scenario: a programmer at a Global 2000 is faced with a looming deadline and after a little bit of research, picks an open source package that he thinks will meet his technical needs and enable him to get his job done more quickly and effectively. Although the open source package may have all of the functionality needed, the programmer doesn't take into account some of the broader, longer-term issues that can have a significant impact on the enterprise, such as:

  • How will we get support for this package once it goes into production?
  • Will we be able to get the service levels we need for support?
  • How might the license impact our company?
  • What will we need to do to stay in compliance with the license?
  • What IP protections do we need to put in place?
  • Will the project still be active over the years to come?
  • How will we manage potential changes to source code?

While open source software provides a functional, flexible, and cost-effective option to enterprises, organizations need an effective, scalable policy for evaluating, managing, and governing the use of open source. Govern open source strategically, and you'll find a venerable gold mine of open source solutions at your disposal. Ignore these open source governance issues, and you take unnecessary legal, financial, and operational risks.

Why Open Source Is Worth Considering
The popularity of open source continues to grow as a wide range of innovative open source software components enable business agility and increase ROI. The functionality and flexibility of open source can not only decrease time-to-market of new solutions, but also help extend the life of legacy applications.

Today, companies don't need to give up the value-add services of commercial software when they choose to use open source solutions. There are now a variety of commercial open source companies that offer support, indemnification, and maintenance for popular enterprise open source packages, making it easier to leverage these open source solutions into your homegrown applications.

Making Open Source Successful
As open source becomes more ubiquitous, business and IT executives must identify ways to confidently incorporate a variety of open source packages to meet business demand. Creating an effective open source policy to govern the adoption and use of open source in an organization will mitigate any potential legal, financial, and operational risks and is a critical step towards making open source successful in your organization. As companies use more open source software, they are more likely to create an open source policy. For example, according to a recent survey conducted by OpenLogic, 83% of the organizations polled that are currently using more than 25 open source projects have an open source policy, are developing a policy, or plan to create one.

However, many companies aren't aware of the extent of their open source use. As with our programmer, most open source packages are downloaded directly by programmers, bypassing the normal procurement controls. Enterprises often have dozens to hundreds of open source solutions deployed without an appropriate level of review.

Writing an open source policy will establish a framework for communication between business management, legal teams, IT managers, and developers about how open source will be deployed in their organization. First, a policy can help direct and monitor IT plans by ensuring that investments in IT generate the desired business value and ROI. Second, when a policy is enforced, it will mitigate and manage legal risks including intellectual property infringements and license violations. Lastly, a policy will ensure that companies can continue to meet operational cost and uptime requirements whenever open source is deployed.

You Can't Get Something for Nothing
The first thing to consider when creating an open source policy is the set of choices your business may face in balancing risk reduction with business demand. For example, though the flexibility, functionality, and quality of open source may help businesses maintain a competitive advantage, enterprises often consider open source solutions merely to reduce costs.

What business and IT executives need to keep in mind is this: software is software. All software, both open and closed source, comes with responsibilities and requirements that businesses can't ignore. Whether proprietary or open source, management teams must devote resources to developing, deploying, managing, and supporting all of their software assets. Although businesses can cut costs significantly when moving to open source solutions, it's critical to invest in open source governance to avoid unnecessary legal disputes, unexpected costs, or unforeseen operational issues. In other words, you can't get something for nothing. Even though the procurement of open source most often begins with a free download, you need to be vigilant about what software you're using and how it's being used.

How Open Source Software Is Different
Although open source software is "just software," there are a few critical differences you need to consider for governance purposes. First, open source packages carry open source licenses that have unique characteristics. Second, open source packages are typically created by a number of independent authors, which can raise potential intellectual property concerns. Finally, open source is typically procured differently than commercial proprietary software, which may dictate adapting existing processes.

Although the most widely known open source license is the GNU General Public License (GPL), the Open Source Initiative (OSI) has approved over 50 open source licenses. And many free or open source packages use licenses that haven't been approved by the OSI. In either case, legal staff must familiarize themselves with the terms of open source licenses being considered to determine that the license is compatible with the particular use that the enterprise is planning. The enterprise must also put audit and control processes in place to assure that the organization complies with all of the terms of those licenses. There are cases of enterprises paying out-of-court settlements to open source copyright holders due to violations of open source licenses, so license review and compliance is a critical piece of your open source governance plan.

Another major concern of companies using open source is intellectual property violations. Since open source packages are typically created by a number of independent authors, there's some risk that an author might have inadvertently or purposely infringed on another party's intellectual property. There have been a few highly publicized lawsuits or legal actions around intellectual property infringements by open source packages. Although many of those legal actions may be without merit, companies that use open source are concerned about the potential cost of defending these suits. One option for mitigating this legal risk is through indemnification. There are several open source solution providers that offer indemnification for the packages they support, giving clients some financial protection in the case of a legal action.


More Stories By Steven L. Grandchamp

Steven Grandchamp is the CEO of OpenLogic, Inc., a provider of open source solutions that enable enterprises to acquire, support and control open source software. He has over 25 years of experience in the software industry, serving in executive roles at Information Management Research, American Fundware, and was a founding partner of Formation Technologies Inc.
