Open Source Software

Strategic – Efficient – Compliant

Your expert for questions

Marcel Scholze
Director at PwC Germany
Tel: +49 69 9585-1746

Drive Digitisation, Innovation and Sovereignty

The world runs on Open Source Software (OSS) – from consumer electronics, household appliances and medical technology, to automobiles and production lines to enterprise IT and mobile services. Especially emerging technologies such as Cloud Computing, Internet of Things (IoT), Blockchain, Artificial Intelligence (AI) and Robot Process Automation (RPA) are massively built on Open Source Software.

You can only keep pace with the progressive digitalisation of products and services and the increasing importance of disruptive technologies with an effective and efficient Open Source Software management. By this, you empower but also govern the use, creation and contribution of OSS. An efficient Open Source Management Framework as well as the use of appropriate toolchains such as, Software Composition Analysis (SCA) and Software Asset Management (SAM) are state of the art. Among other things, these factors influence the OSS Maturity level of a company and position it in competition.

“For digitalisation and keeping pace with latest developments of services and products mature, enablement and compliance of Open Source Software is key to survive! Our mission is to shape, enrich and enable your digital future through Open Source Software!”

Marcel Scholze,Director at PwC, Head of Open Source Software Services

Chances and risks of OSS

Through the targeted use of OSS you can save costs and development capacities, at the same time participate in the latest developments, help set standards and become less dependent on software manufacturers. However, it is  important to ensure open source compliance for software licenses to avoid unintentional license violations, which could lead to financial, continuity and reputational risks.

Have you seized the opportunities that Open Source Software offers your company and adequately mitigated the risks? Do you have the OSS compliance of your (software) suppliers under control?

OSS benefits to strive for

Drive your digital future through open innovation 

  • Profit from shared knowledge and development capacities, and strategic open development and innovation alliances
  • Increase your brand and reputation to retain and attract digital talents

Become sovereign in your software use

  • Reduce the vendor lock-in effect and strengthen negotiating position with proprietary suppliers
  • Enhance IT security, quality, and transparency through Open Source communities
  • Professionalise Intellectual Property management in your software supply chain with existing standards such as ISO 5230 and ISO 5962

Cost and Time Savings

  • Reduce time-to-market through usage of leading edge Open Source frameworks in “Emerging Technologies” such as AI, ML, Blockchain, and Cloud
  • Eliminate one-off and recurring license costs
  • Establish Open Source development as a new sourcing model to leverage swarm intelligence and global resource capacity

Challenges to be aware of and solve

Support and continued development

  • No obligations or service contracts for project continuity, maintenance, support, and quality by the communities
  • Liability gap between own product liability and liability for OSS components

Legal Risk to Intellectual Property through license obligations

  • Ban of further use of OSS components or products (product recall)
  • Forced disclosure of own intellectual property or claims for damages

Security Risk and Vulnerability in Software Supply Chains

  • Unclear provenance, compliance, and security (e.g., CVE) of software components in deliveries from your suppliers
  • Uncertain quality management practices of code and artefact generation

Compliance requirements in business relations

  • Exclusion from supply chains through unmanaged Open Source risks or missing required compliance documentation 
  • Directors’ liability, when not applying State of Technology risk management, such as ISO 5230 certification

PwC Open Source Software Management Framework

Rolling out a fully integrated Open Source Management Framework enables leveraging the advantage of OSS chances and benefits for your organisation, employees and digitalisation endeavors, while effectively managing the inherent risk of security and compliance.

At PwC we provide tailored services to encompass and serve all dimensions of the Open Source Management Framework.

Infographic: PwC Open Source Software Management Framework

Our services for an integrated OSS management

Open Source Management Benchmarking & Optimisation

Some Open Source Compliance Management System experience a massive backlog of curation, clearing, and approval activities, caused by inefficient processes and lack of resources. Solving these problems PwC consults you on your already established Management System regarding the optimisation of workflows, introducing risk-based approvals, use case driven reuse, lean processes, and tailored tooling.

  • Onsite capturing of your current maturity in all OSS compliance processes, tooling, and your current degree of automation
  • Risk-based approval strategy defined for certain use cases or distribution channels to free up your resources and focus manual efforts on sensitive use cases (e.g. via easy flowcharts for internal use for R&D only)
  • Ease up existing process flows through standardisation of form and necessary information, exemplary through the creation of document templates for processes and their inputs (e.g. OSS self-assessment and usability check)
  • Creation of guidance documents for (legal) OSS license requirements (e.g. OSS License Charts, license compatibility chart)
  • Selection and implementation of Software Composition Analysis (SCA) tooling for code scanning regarding compliance and security as well as Software Asset Management (SAM) tools for the optimal solution to administer your software in use

Open Source Security Optimisation

Open Source Software usage exposes you to security risks as every other software does. Knowing which Open Source Software components are used and build into, and distributed with your device or solution is key for identification of related security risks. Security risk may range from quality flaws in the code and CVEs, to business continuity risk of OSS projects, or infiltration for components with unclear provenance.

  • Assessment of your status quo in managing Open Source Security and report on identified weaknesses
  • Benchmarking against The Linux Foundation’s OpenChain Security Assurance Specification
  • Design and implementation of instructions, policies, safeguards, responsibilities, and processes for your Open Source Security Management
  • Establishment of Security Toolchains to securely use inbound Open Source Software, e.g. via automated CVE scanning tools

Open Source Strategy and Enablement

Not using Open Source Software or using it unmanaged not only cuts off from tremendous benefits of OSS but also imposes risks, which can be mitigated with a clear OSS strategy and management system. To bring your Open Source Software interaction on track, PwC provides all the necessary help for developing a solid strategy to build upon.

  • Identification and analysis of company-specific OSS opportunities, challenges, and status quo of OSS usage
  • Identification of the resulting application-specific OSS risks and definition of risk appetite
  • Definition of strategic OSS focus areas (e.g. specific business areas, application scenarios (Use, Contribute, Create), strategically relevant OSS communities, development alliances, Inner Source)

Open Source Program Implementation

Having an Open Source Strategy and Policy does not unfold its maximum potential if it is poorly implemented. Benefit from the experience of PwC experts to successfully implement an Open Source Program starting from zero to a fully functional cross-division Management System including all necessary processes and tools.

  • Definition of all necessary policy aspects regarding exemplary: releasing code, accepting and committing contributions, internal consumption of inbound, and compliance, license and obligation management
  • Establishment of all necessary Open Source Processes e.g. inbound software usage, contribution to existing projects or the release of new projects
  • Phased rollout over one department at a time including selection of candidates / business units for pilot introduction
  • Allocation of roles to your personnel according to their competencies for a sustainable management system, if applicable definition of necessary competencies for your recruiting

Inner Source

Inner Source, the application of Open Source software methodologies and culture within an organisation, leads to the unleashing of the great potential of cross-organisational collaboration, reuse, interdisciplinary excellence, quality, commitment, and motivation. PwC helps to analyse, plan, develop and rollout your individual strategy towards Inner Source. But it’s not that simple. Who owns the source-code cross-entity developers contribute? What about transfer pricing, security, and corporate espionage?

  • Analysis of stakeholders, organisational structures, legal boundaries, benefits and challenges for Inner Source, and drafting of an Inner Source Strategy 
  • Planning all necessary processes and infrastructure to enable Inner Source benefits (e.g. internal code and artifact repository, issue tracker)
  • Developing all necessary governance around the internal code repository (e.g. policy and rules, terms of usage, code of conduct)
  • Definition of all necessary roles and competences to handle Inner Source project management, if necessary, provision of complete training material
  • Onboarding your personnel on the new Inner Source Strategy (e.g. training and guidance on new processes incl. CI/CD practices)

ISO 5230 / ISO 18974 Certification / Audits

Complying with the global industry standard on Open Source Compliance Management, ISO 5230:2020 and Open Source Security, ISO 18974:2023 is a demanded selling point for your business as companies worldwide seek for security and compliance in software and product supply chains. PwC as the global third-party certifier can audit your OSS practices and issue prove of your compliance.

  • Define scope of certification / audit
  • Perform audit, phase 1 and phase 2
  • Issuance of certification or audit report

ISO 5230 / ISO 18974 Readiness Support and Assessment

To be best prepared for an ISO 5230 / ISO 18974 certification PwC offers readiness support and assessments before certification. Learning from the expert knowledge of PwC through a dry-run assessment and qualified feedback and benchmarking on the status of your Open Source Compliance and Security Management Program increases your speed of optimisation and gives you peace of mind for an upcoming certification.

  • Assessment regarding the existence of all necessary processes and documents
  • Review of Design-Effectiveness and Operational-Effectiveness via Test-of-Ones
  • Report on current expected certifiability, status quo and possible optimisations and certification issues

M&A Open Source Compliance Assessment

In almost every Deal and M&A, software is included in the key assets, if it is not the key asset itself. Open Source Software poses a high risk to the deal’s value, the usability and business-continuity of transferred assets, whether this be physical devices, software, or services. PwC audits and analysis deals’ assets to identify, value, and report these OSS risks.

  • OSS risk identification and scoping of assessment based on deal structure, involved assets, and software prevalence 
  • Tool-based code scanning, dependency resolution, and license and security evaluation of OSS components 
  • Creation of state-of-the-art Software Bill of Materials (SBOM) for in-depth evaluations
  • Report and opinion on aspects regarding Open Source compliance and security
  • Checking the maturity level of the applied Open Source Software Management System

OSS Compliance & Security Audits of Suppliers

Knowing your suppliers’ OSS Compliance and Security Management maturity is key to reduce internal efforts and avoid double checking external code and artefacts.

  • Assessment of your suppliers’ OSS Management practices
  • Audit as per individually designed OSS audit program or per ISO 5230 / ISO 18974 requirements
  • Spot checks of SBOM and OSS compliance and security artefacts
  • Live and transparent dashboarding of progress and issues identified
  • Generate trust in your Software Supply Chain through PwC supplier audits

Code Scanning & SBOM Creation

Reduce the need for internal resources, knowledge and tools for code scanning and achieve professional and compliant SBOMs for your products and solutions.

  • Usage of PwC OSS compliance tooling (or operation of your toolchain) to scan your source code regarding OSS compliance and security aspects
  • Clean-up and curation of identified components
  • Clarification and remediation of identified issues, if any
  • Provision of complete Software Bill of Materials (SBOM) for your software in defined data formats, e.g. SPDX 2.2.1 / ISO 5962

Suppliers SBOM Verification

Using your suppliers' SBOMs can drastically reduce the internal effort required to check incoming code. We check the correctness and completeness of your suppliers' SBOMs so you can trust them.

  • Reviewing SBOMs that you receive from your suppliers
  • Verify the correctness of information, completeness and validity per gathered background information and professional judgement
  • Where possible, perform detailed review and check of SBOM in cooperation with supplier through code review on supplier side
  • Report, discuss, and clarify identified issues and cases of doubt
  • Rate and categorize results of review and suggest according further measures, where applicable

OSS Process & Compliance Training

Benefit from first-hand experience of industry experts through OSS Process and Compliance Trainings tailored to your employees’ specific needs.

  • Design and align training program
  • Perform target group-specific training from new hire up until senior staff per virtual sessions, web-based trainings, and on-site where possible
  • Integration in annual compliance assessments including learning success control and its documentation

Supplier OSS Compliance Audits

Knowing your suppliers’ OSS Compliance Management maturity is key to reduce internal efforts and avoid double checking external code and compliance artefacts.

  • Assessment of your suppliers’ OSS Compliance Management practices
  • Audit as per individually designed OSS compliance audit program or per ISO 5230 requirements
  • Spot checks of SBOM and OSS compliance artefacts 
  • Live and transparent dashboarding of progress and issues identified, if any
  • Generate trust in your Software Supply Chain through trusted channels

OSPO as a Service

Access to cutting-edge OSS industry knowledge on Open Source programs can be your answer to the war of talent and the lack of in-house expertise and capacity.

  • First point of contact for all questions regarding OSS compliance management
  • Support the whole lifecycle of products and services to stay OSS compliant
  • Ad-hoc support for OSS tooling, OSS component, OSS license, OSS integration questions, OSS security
  • Check of use case, risk triggers as per use case and according license compliance considerations

“On basis of a mature Open Source Software strategy, you can set up the right compliance measures and enabling processes. The aim is to embrace OSS while building trust in its use – internally and with your suppliers.”

Marcel Scholze,Director at PwC, Head of Open Source Software Services
Follow us

Contact us

Marcel Scholze

Marcel Scholze

Director Open Source Software Services & IT Sourcing, PwC Germany

Tel: +49 151 16157049

Thomas  Urband

Thomas Urband

Senior Manager, lawyer, PwC Legal AG, PwC Germany

Tel: +49 160 9627-3689