sqs.com
Whitepaper
SQS – the world’s leading specialist in software quality
Accelerate deployment of mobile
payments using Open Source
Understand the benefits and how to govern its use effectively
Introduction
Mark Driver of Gartner states that “Open source is ubiquitous.
Having a policy against open source is impractical and places
you at a competitive disadvantage”. The financial services
and payments industry is undergoing major change as a result
of advances in mobile technology, software, social media
and higher consumer expectations. Here we examine the
opportunity that open source presents for the financial sector.
We establish how open source software can speed up the
development of mobile financial services, while reducing costs,
improving quality and accelerating uptake. This paper also
highlights the importance of understanding exactly what open
source components are in use within an organisation, and
whether the legal, security, intellectual property and quality
risks are being effectively managed.
Author: Julian Brook
Associate Director
SQS Group Limited, United Kingdom
julian.brook@sqs.com
Published: March 2014
Page 2 © SQS Group 2014
Whitepaper | Accelerate deployment of mobile payments using Open Source
1. Background
Marc Andreessen said that “software is eating the world” and
Jeffrey Hammond of Forrester believes that software costs
90 % less to develop today than in 1999. No wonder then that
software is shaking up every industry: Amazon is now bigger
than Waterstones, Netflix has superseded Blockbuster and
Spotify and iTunes have replaced HMV. The financial services
industry is no different and is being transformed by software
too. New financial services models, customer channels and
competition are reaching the market faster than ever before.
These include:
• Mobile payment services that let customers send money to
each other, such as PingIt, Swish and the upcoming Mobile
Payments Service from the Payments Council
• E-wallets such as V.me, MasterPass, Google Wallet, PayPal,
Weve and Monitise
• Mobile payment services that let customers pay for goods
and services in shops, such as PayPal’s pay-by-face feature
• Mobile Chip and PIN payment services that make it easier
and cheaper for small merchants to accept credit and debit
cards, such as CardEase, IntuitPay or iZettle
• Peer lending models such as Zopa, RateSetter and
FundingCircle
EngageMobile states that by 2014 mobile internet use is
predicted to overtake desktop internet use, so it is
unsurprising that mobile is central to the majority of these new
services. Mobile provides customers with a convenient and
personalised service. It also allows organisations to
connect more deeply with their customers, enabling them to
offer more services and increase brand loyalty.
SQS’ experience shows that within the established financial
services sector the use of open source is ad hoc, supported by
policies that are overly restrictive. Visibility of what open source
is actually in use within an organisation stands at approximately
50 %, and this typically reflects the best-case organisation.
Live Example 1
SQS’ Open Source solution increases speed to
market for a leading global mobile money platform
SQS implements open source management and
governance for an organisation that provides a new
mobile payment platform specifically designed for
financial institutions, MNOs and distribution partners.
This solution enables developers to continue to use
open source code and components to accelerate software
development, while at the same time providing
visibility of what open source is used and where, to
ensure it aligns with quality and security policies and
that compliance and legal risks are covered.
3. Page 3© SQS Group 2014
Whitepaper | Accelerate deployment of mobile payments using Open Source
2. Enabling Rapid Innovation
Ensuring that innovative services reach the market quickly is
often critical to their success. Organisations must focus time
and effort on the unique selling proposition (USP) and not on
commodity functionality that is already available. Alongside
organisational, cultural and development process changes,
open source software helps to foster innovation.
According to Black Duck Software there are over one million
open source projects representing over 100 billion lines of
code (LOC) or approximately 10 million person years of software
development. The sheer number and variety of projects
enables organisations to reuse these existing building blocks
of commodity functionality and focus on developing innovative
USPs. A recent study carried out by IT analyst firm Forrester
of 542 developers suggested that as many as 92 % of banks
have been using open source software (OSS) to develop mobile
apps. Figure 1 shows that the number of mobile projects is
growing rapidly, and Black Duck reports that there are over
35,000 mobile related projects including 28,000 targeting
Android and 7,000 for iOS. Many of these are relevant for
mobile financial services:
• Near Field Communication – projects such as openNFC, the
Linux NFC project, NFC Tools and libnfc, with related
wrappers for various languages
• Encryption – libraries including OpenSSL, BouncyCastle,
libtomcrypt, libgcrypt, Crypto++, SQLCipher, strongSwan and
Crypton
• Financial – projects like QuantLib, OpenMAMA, A+,
OpenGamma, OpenAdaptor, Open Bank Project
• Payments – APIs for devices from Simplify and Handpoint, and
messaging apps like ussdgateway
• Mobile UI – widgets and frameworks – jQT, ZK Framework,
ipfaces, PhoneGap, Slide MwF Navigation View Controller
Open source software also represents a different way of
working. As a copyright owner releases software under an open
source license, communities often form around the software
and contribute to its maintenance and future growth. This
collaborative development approach is hugely powerful: many
of the world’s most talented software engineers are passionate
about supporting and improving specific open source projects.
Dubbed “inner-sourcing”, this collaborative, community-style
development approach is now starting to be adopted within
organisations to channel the energy and passion for new ideas
from internal engineering teams into delivering innovation.
Inner-sourcing also complements the agile development
approach, allowing communities to self-organise to meet business
and technical needs in unimagined ways.
Figure 1: New Mobile OSS Projects (Source: Black Duck Software). Chart of new mobile open source projects per year from 2007 to 2012, split by platform (Android, iOS, other mobile platforms); vertical axis from 0 to 20,000 projects.
Just look at how organisations such as Google, Amazon and
Facebook extensively use open source components in their
software, products and websites and also release non-USP
software and components under open source licenses.
Figure 2 shows open source software is helping organisations
in many different ways including:
1. Faster customer uptake: reusing UI components and
touch screen interactions that customers are already familiar
with simplifies the use of the software. Releasing code to the
open source community can encourage developers to embed a
new service into a wide variety of applications, web sites and
services, which helps to speed up market penetration.
2. Bring software to market more quickly: open source
software is often at the forefront of new technology.
Organisations are able to leverage this to bring new services
and features to market more quickly.
3. Improve flexibility: open source software tends to use
open standards and therefore reduces vendor or technology
lock in. This provides the flexibility to change direction more
easily in the future.
4. Reduce development costs: using open source not only
means reducing software purchasing costs, it also means
less development effort, less testing effort and over time
reduced maintenance effort. Similar to above, using open
standards also reduces costs by avoiding vendor and
technology lock in.
5. Improve quality: using software that has already been
proven in the field reduces the likelihood of quality issues.
Access to source code also reduces dependency on a third
party and empowers users to either fix issues directly or ask
the community of developers if they are unable to resolve an
issue.
Figure 2: A commissioned study conducted by Forrester Consulting on behalf of Unisys. Question: “Please rate the extent to which you agree or disagree with the statement that open source software can help your company achieve the following business goals” (N = 486; percentages may not total 100 because of rounding). Goals rated, on a scale from “Not at all important” to “Very important” plus “N.A. / Don’t know”: lowering the company’s overall operating costs; improving quality of products and/or processes; achieving faster time-to-market; driving innovative new market offerings or business practices; acquiring and retaining customers; managing our customer relationships; re-engineering core business processes. (Stacked bar chart; the per-goal percentages are not reproduced here.)
Figure 3 (diagram): BusyBox, a common component of e.g. HDTVs and DVD players, using the GPL v2 licence → BusyBox code inserted in electronic components → components used in HDTVs and DVD players → reseller of the HDTVs and DVD players.
3. What are the Risks?
Without suitable governance processes, open source does
present risks which can impact brand, competitive advantage
and the bottom line. Risks increase when open source has been
used in an ad-hoc and unstructured manner. The risks include:
1. Legal: although open source software is free of charge, it is
still licensed like any other software. Users need to ensure
that any open source software use is in compliance with
each and every license. Some licenses prohibit commercial
use (such licenses do not meet the OSI definition in 6.3, but
the label “open source” is often applied to them loosely),
while others may impact on intellectual property (see
below). Many require attribution, and a few licenses have
rude names. Some software may infringe third party patents.
The legal implications for an organisation can only be fully
understood if there is clear visibility of the level of open
source in use.
2. Intellectual Property (IP): some open source licenses require
their license terms to be applied either to the entire piece of
software the open source is included in or to any modifications
made to the open source code. This reciprocal concept is
also known as “copyleft” and some commentators refer to
these types of licenses as “viral licenses”. Not only does
this prevent an appropriate proprietary license being applied
to the software under development, these license terms
usually include the requirement to provide the source code
also. This means that the proprietary code within a piece of
software may also need to be made available. The most well-
known reciprocal open source license is the GNU General
Public License (GPL), but there are others too. Licensing
obligations are often only triggered when the software is
distributed. So when an organisation starts to develop
mobile applications, and distributes applications for the first
time, it often does not have the relevant expertise in place
to ensure these risks are controlled. Figure 3 shows how this
has affected the embedded software industry.
3. Security: Security is critical to confidence in existing and new
financial services. We have become accustomed to keeping
our Microsoft Windows operating system and web browser
up to date to protect against newly disclosed security
vulnerabilities. In the same way, open source components can
be affected by security issues. It is worth noting that open
source code is often argued to bring security benefits due
to its open, peer-reviewed nature and the speed of security
fixes. However, without knowing what code and components
are in use, how can an organisation and its customers be
protected from new security threats in those components?
Key questions when determining security risks are:
• What security vulnerabilities are already known?
• What is the provenance of this code?
• What does the code really do, and is it malicious in any way?
Figure 3: An example of a software supply chain resulting in a legal action
Fourteen electronics manufacturers were sued by the Software Freedom Law Center (SFLC) for violating the license governing
the open source software (BusyBox, GPL v2). A US court stopped distribution of all out-of-compliance software.
4. Quality: As with all code, some open source is well written,
adheres to good software engineering practices and coding
standards and is accompanied by good unit tests and
documentation, while other software may fall short of expected
standards, may not be a suitable technical fit for the overall
software architecture or may lead to technology proliferation.
The open nature of this software also means communities can
splinter or disappear when a better technology or approach
comes along. The communities also may not subscribe to
an organisation’s particular agenda or provide a service level
agreement, which can lead to support issues.
Live Example 2
SQS audits UK’s first m-payment service for
Open Source issues
SQS helped Europe’s first retail bank to find code and
components used within its application, a contactless
money-sending service for smartphones, allowing current
account customers to send and receive cash using their
mobiles.
The team successfully worked in partnership to audit
the code as part of the bank’s legal and compliance
governance processes. As a result, SQS determined the
license compliance and legal risks arising from the open
source the application contained, as well as the obligations
that were triggered by distributing the application to
customers’ phones.
4. Governing Open Source
With the benefits outlined, there is no wonder that financial
organisations are looking to take full advantage of open source
as part of the mobile and wider software development mix.
However, many financial organisations have no strategy, policy
or process in place for the governance of open source. This
means they are at best using open source in a non-strategic
manner, or worse still proactively avoiding its use. The result
is that open source is unlikely to be delivering the maximum
business benefit.
As open source software can easily be downloaded by developers
from the internet free of charge, the due diligence that
would usually be overseen by the procurement department
when bringing third party software into an organisation is not
undertaken. This leads to unmanaged risks.
Having a policy and process to maximise and govern positive
open source use helps organisations to realise the full benefits
of open source and manage the risks appropriately.
Initially, the organisation needs a clear vision and strategy on
the levels of engagement with open source.
Key questions include:
• How will open source be consumed?
• How will teams contribute to open source projects?
• How does open source align with business strategy?
Answers can inform the policy and process, and determine how
to:
• align technical, legal, security, procurement and other teams
to achieve a suitable level of due diligence when selecting
open source and automate decisions around open source as
much as possible
• avoid introducing issues and risk in the first place
• detect and catalogue open source usage as software is
developed
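The security questions in section 3 (“what security vulnerabilities are already known?”, “what is the provenance of this code?”), the distribution-triggered license obligations of section 3.2 and the governance bullets above (“detect and catalogue open source usage as software is developed”) all reduce to one mechanical check that can run in every build: an inventory of components, each matched against an advisory feed, a license policy and the hash of the artefact that was actually reviewed. The following Python script is an added example, not code from SQS, Black Duck or any product named in the paper. Everything in it is constructed for illustration: the component list is a hypothetical mobile app build, the advisory identifiers and version ranges are stand-ins for a real vulnerability database (they are not CVEs), the artefact bytes stand in for downloaded libraries, and the license classes are a simplified reading of the top-10 list in 6.2 expressed as SPDX identifiers.

```python
"""Added example (not from the SQS paper): an open source inventory check
covering the three questions of section 3: known vulnerabilities,
provenance and licence obligations.  All inputs are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Licence policy (assumed simplification, SPDX ids): strong copyleft triggers
# source disclosure for the whole work on distribution; weak copyleft only for
# the component itself; anything unlisted goes to legal review.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "EPL-1.0"}
PERMISSIVE = {"Apache-2.0", "MIT", "BSD-2-Clause", "Artistic-1.0-Perl"}


@dataclass
class Component:
    name: str
    version: str
    licence: str
    sha256: str  # hash of the artefact as reviewed and approved


@dataclass
class Finding:
    component: str
    kind: str    # "vulnerability" | "licence" | "provenance"
    detail: str


def parse_version(v: str) -> tuple:
    """'1.0.1f' -> ((0,1),(0,0),(0,1),(1,'f')): numeric parts compare as ints,
    a letter suffix sorts after the bare number.  Minimal grammar on purpose."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", v.lower()))


_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b}


def version_in_range(version: str, spec: str) -> bool:
    """spec is comma-separated constraints, e.g. '>=1.0.1,<1.0.1g'; all must hold."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def licence_class(licence: str) -> str:
    if licence in STRONG_COPYLEFT:
        return "strong-copyleft"
    if licence in WEAK_COPYLEFT:
        return "weak-copyleft"
    return "permissive" if licence in PERMISSIVE else "unknown"


def audit(components, advisories, artefacts, distributed=True):
    """artefacts: {name: bytes} present in the build.  distributed=True models
    shipping the app to customers' phones, which triggers reciprocal obligations."""
    findings = []
    for c in components:
        # 1. Known vulnerabilities: same component, version inside the range.
        for adv in advisories:
            if adv["component"] == c.name and version_in_range(c.version, adv["affected"]):
                findings.append(Finding(c.name, "vulnerability",
                                        f"{adv['id']} affects {adv['affected']}"))
        # 2. Licence obligations.
        cls = licence_class(c.licence)
        if cls == "unknown":
            findings.append(Finding(c.name, "licence",
                                    f"licence {c.licence!r} not in policy: legal review"))
        elif distributed and cls == "strong-copyleft":
            findings.append(Finding(c.name, "licence",
                                    f"{c.licence} is reciprocal: distribution triggers source obligations"))
        # 3. Provenance: the bytes being shipped must be the bytes that were approved.
        blob = artefacts.get(c.name)
        if blob is None:
            findings.append(Finding(c.name, "provenance", "artefact missing from build"))
        elif hashlib.sha256(blob).hexdigest() != c.sha256:
            findings.append(Finding(c.name, "provenance", "sha256 differs from approved artefact"))
    return findings


def _h(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Constructed artefacts (stand-ins for real jars / .so files) as approved.
APPROVED = {"openssl": b"openssl-1.0.1f stand-in", "bouncycastle": b"bcprov-1.50 stand-in",
            "busybox": b"busybox-1.21 stand-in", "jqt": b"jqt-0.8 stand-in"}
COMPONENTS = [
    Component("openssl", "1.0.1f", "OpenSSL", _h(APPROVED["openssl"])),  # licence outside policy
    Component("bouncycastle", "1.50", "MIT", _h(APPROVED["bouncycastle"])),
    Component("busybox", "1.21", "GPL-2.0-only", _h(APPROVED["busybox"])),
    Component("jqt", "0.8", "MIT", _h(APPROVED["jqt"])),
]
# Constructed advisory ids and ranges; not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "component": "openssl", "affected": ">=1.0.1,<1.0.1g"},
    {"id": "ADV-0002", "component": "bouncycastle", "affected": "<1.49"},
]


def sample_audit():
    """Audit the constructed build, in which jqt was swapped after approval."""
    build = dict(APPROVED)
    build["jqt"] = b"jqt-0.8 stand-in (tampered)"
    return audit(COMPONENTS, ADVISORIES, build)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f.kind:<13} {f.component:<13} {f.detail}")
```

Run as a build gate, any “vulnerability” or “provenance” finding should fail the build, while “licence” findings go to the legal review queue; the sample build produces one of each for openssl (advisory hit and a licence outside policy), a reciprocal-licence finding for busybox and a hash mismatch for jqt, and nothing for bouncycastle. The version grammar is deliberately minimal (dotted numbers with an optional letter suffix such as OpenSSL’s 1.0.1f); real feeds use CPE or ecosystem-specific range syntax, and the inventory itself should come from the build tool’s resolved dependency graph rather than a hand-maintained list.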
Good software development governance brings further benefits
such as increased standardisation of the code and components
in use across an application estate; this concentrates technical
knowledge and expertise on the open source software actually
used and increases resource flexibility across the organisation.
5. Summary
Software is essential to capitalise on the opportunities the
mobile ecosystem offers to both established financial services
organisations and new entrants. Developing this software
quickly, making it easy to use and encouraging its rapid uptake
is critical to its success.
There are already vast resources of open source code, libraries
and applications, and these are being added to every day. Using
open source software when developing applications avoids the
need to reinvent the wheel and enables organisations to focus
on innovation while saving time and money. Releasing code
into the open source community can also help seed and drive
uptake of a new technology or service.
However, open source also presents risks. The right strategy
and relevant governance processes will ensure that organisations
can strike the right balance between the benefits open source
brings and the risks.
“Open source is ubiquitous. Having a policy against open
source is impractical and places you at a competitive
disadvantage”
Mark Driver – Gartner
6. Appendix
6.1. About SQS
SQS is the world’s leading software quality specialist. As
part of its portfolio of services, SQS assists organisations to
implement open source software and techniques. SQS services
support business transformation and increase the productivity
of software development while ensuring governance processes
manage associated risks. SQS also provides a full range of
technical due diligence and audit services for mergers and
acquisitions and outsourcing. SQS partners with Black Duck
Software to help organisations build better software faster with
open source.
6.2. What is Open Source?
Open source software ranges from complete operating systems,
enterprise application suites and individual applications through
to components and widgets that perform very specific functions.
There are various definitions of open source software. One
of the most common is the Open Source Initiative (OSI)
Open Source Definition (OSD) – see 6.3. The fundamental
differences from proprietary software relate to:
• Free redistribution: This is the most obvious business
benefit. Whereas most proprietary software imposes a fee
for its redistribution and use, an open source license may not
restrict redistribution of the software or require a fee for it.
• Source code: This is the key technical benefit. Source code
is analogous to the secret recipe of the software. Without
it you cannot fundamentally change the behaviour of the
software or fix bugs that may affect you. In most cases,
proprietary software does not provide access to source code,
which means you are dependent on the third party software
licensor to provide you with updates or bug fixes. Open
source does provide access to the source code, so you have
more flexibility with the open source components you
choose to use.
However, there is one important similarity between open
source and proprietary software: the software is
licensed. A software license broadly includes:
• Copyright statements: Who the legal owner is
• Definitions: The meanings of various terms used in the
license
• Grant of license: Who the license is granted to
• Usage rights: How the software may be used
• Obligations: What you must do if you use the software
• Warranty statements: What warranties are included or
excluded
• Disclaimers: Things like limitations of liability
All software licenses are different. Not all licenses will include
all of the information above. Not all licenses will comply with
the OSI definition. The top 10 most commonly used licenses for
open source projects according to Black Duck on 1st July 2013
are:
1. GNU General Public License (GPL) 2.0
2. Apache License 2.0
3. GNU General Public License (GPL) 3.0
4. MIT License
5. BSD License 2.0
6. Artistic License (Perl)
7. GNU Lesser General Public License (LGPL) 2.1
8. GNU Lesser General Public License (LGPL) 3.0
9. Eclipse Public License (EPL)
10. Code Project Open License 1.02
6.3. The Open Source Initiative: The Open Source Definition
Introduction
Open source doesn’t just mean access to the source code. The
distribution terms of open-source software must comply with
the following criteria:
1. Free Redistribution
The license shall not restrict any party from selling or giving
away the software as a component of an aggregate software
distribution containing programs from several different sources.
The license shall not require a royalty or other fee for such sale.
2. Source Code
The program must include source code, and must allow distribution
in source code as well as compiled form. Where some
form of a product is not distributed with source code, there
must be a well-publicized means of obtaining the source code
for no more than a reasonable reproduction cost, preferably
downloading via the Internet without charge. The source code
must be the preferred form in which a programmer would modify
the program. Deliberately obfuscated source code is not allowed.
Intermediate forms such as the output of a preprocessor or
translator are not allowed.
3. Derived Work
The license must allow modifications and derived works, and
must allow them to be distributed under the same terms as the
license of the original software.
4. Integrity of The Author’s Source Code
The license may restrict source-code from being distributed
in modified form only if the license allows the distribution of
“patch files” with the source code for the purpose of modifying
the program at build time. The license must explicitly permit
distribution of software built from modified source code. The
license may require derived works to carry a different name or
version number from the original software.
5. No Discrimination Against Persons or Groups
The license must not discriminate against any person or group
of persons.
6. No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the
program in a specific field of endeavor. For example, it may
not restrict the program from being used in a business, or from
being used for genetic research.
7. Distribution of License
The rights attached to the program must apply to all to whom
the program is redistributed without the need for execution of
an additional license by those parties.
8. License Must Not Be Specific to a Product
The rights attached to the program must not depend on the
program’s being part of a particular software distribution. If
the program is extracted from that distribution and used or
distributed within the terms of the program’s license, all parties
to whom the program is redistributed should have the same
rights as those that are granted in conjunction with the original
software distribution.
9. License Must Not Restrict Other Software
The license must not place restrictions on other software that
is distributed along with the licensed software. For example,
the license must not insist that all other programs distributed
on the same medium must be open-source software.
10. License Must Be Technology-Neutral
No provision of the license may be predicated on any individual
technology or style of interface.
Reproduced from http://opensource.org/osd under the
Creative Commons Attribution 3.0 license
© SQS Software Quality Systems AG, Cologne 2014. All
rights, in particular the rights to distribution, duplication,
translation, reprint and reproduction by photomechanical or
similar means, by photocopy, microfilm or other electronic
processes, as well as the storage in data processing systems,
even in the form of extracts, are reserved to SQS Software
Quality Systems AG.
Irrespective of the care taken in preparing the text, graphics
and programming sequences, no responsibility is taken for
the correctness of the information in this publication.
All liability of the contributors, the editors, the editorial
office or the publisher for any possible inaccuracies and
their consequences is expressly excluded.
The common names, trade names, goods descriptions etc.
mentioned in this publication may be registered brands or
trademarks, even if this is not specifically stated, and as
such may be subject to statutory provisions.
SQS Software Quality Systems AG
Phone: +49 2203 9154-0 | Fax: +49 2203 9154-55
info@sqs.com | www.sqs.com