HOW TO UTILIZE OPEN SOURCE IN YOUR CODE BASE AND BUILD PROCESS Black Duck Software, Inc. All Rights Reserved.

Size: px

Start display at page:

Gerard Gibbs
10 years ago
Views:

3 AGENDA Open Source Trends How automated binary management plays a key role in the process How to track and maintain continuous visibility of your open source utilization JFrog Artifactory and Black Duck Suite Suite/Artifactory Integration Q&A Black Duck Software, Inc. All Rights Reserved.

OPEN SOURCE TRENDS 1,500,000 Open Source Projects 1,000,000 Black Duck KnowledgeBase

OPEN SOURCE IS APPROACHING A TIPPING POINT Faster release cycles Open source (Android): 3 months Closed source (Windows): 3 years Rate of Innovation

5 OPEN SOURCE IS APPROACHING A TIPPING POINT Faster release cycles Open source (Android): 3 months Closed source (Windows): 3 years Rate of Innovation Mobile Cloud Big Data Increasing Co-opetition Mobile - Android Automotive GENIVI Financial Lodestone Black Duck Software, Inc. All Rights Reserved.

COMMUNITY AND CO-OPETITION Financial Services

Infrastructure The Apache Foundation The

8 TOP 20 OPEN SOURCE LICENSES Ranked according to number of open source projects using the license Top 10 licenses account for 93% Top 20 licenses account for 97% GPL family of licenses account for 53% Apache+BSD+MIT licenses account for 31% Source: // January Black Duck Software, Inc. All Rights Reserved.

18 VISIBILITY How much OSS are we using? Are we leveraging enough? What components are important to my project? To my Organization? What components are being used? In which apps? Which versions? Black Duck Software, Inc. All Rights Reserved.

19 GAINING VISIBILITY INTO OSS USE Discover Code Analysis Component approval process Catalog Tied into approval and analysis Track what s used in which applications Analyze Version proliferation analysis Popular projects and versions Black Duck Software, Inc. All Rights Reserved.

21 SECURITY VULNERABILITIES Are there known security vulnerabilities in components that I want to use? Is anyone paying attention to vulnerability reports postdeployment? Are version updates available that resolve security vulnerabilities? Black Duck Software, Inc. All Rights Reserved.

MONITORING THE NVDB Examples (as of February 14, 2014) Apache Tomcat: 125 PHP: 340

23 VERIFY, CATALOG AND MONITOR Verify no vulnerabilities at selection and approval 1 2 Catalog all components in use OSS Catalog 3 Monitor NVDB against cataloged components Black Duck Software, Inc. All Rights Reserved.

25 WHAT IS A LICENSE? Permission by the owner of property to take some act that the owner has the ability to control due to their ownership of intellectual property rights By default, the author of the a software program owns copyrights No one can copy or use without permission a license Black Duck Software, Inc. All Rights Reserved.

27 GPL AND RECIPROCAL LICENSES GPL is reciprocal (viral or copyleft v permissive) Most popular open source license; nearly 50% marketshare Key elements Disclosure of source code if distributed Derivative works must use same license: Works that incorporate the software Linking debate Auto termination Can conflict with other license, particularly commercial licenses Black Duck Software, Inc. All Rights Reserved.

28 NO LICENSES MEANS NO PERMISSION 100% 90% 80% 70% 60% 50% 40% 7% 93% 77% No Declared Declared 42% have Embedded Licenses 30% 20% 10% 23% These embedded licenses contain specific obligations that govern the use of the overall project. 0% Non GitHub GitHub The lack of a declared license for an open source project can cause an enterprise to steer clear of it, limiting the projects organizations can use. The ability to access embedded license information and obligations up-front during the code selection process opens a sizeable opportunity for enterprises and could have significant impact on their bottom line. - Mark Driver, Vice President and Research Director, Gartner Black Duck Software, Inc. All Rights Reserved.

29 LICENSE MANAGEMENT SOLUTIONS License Policy Know what licenses apply to what use cases Informed Choices Helping developers have up-front insight into licenses and policy Approvals Streamlined, automated approval process Auditing OSS still sneaks in, so auditing is required throughout the process Black Duck Software, Inc. All Rights Reserved.

JFROG AND BLACK DUCK AN INTEGRATED SOLUTION 30

decisions Managers: Earlier visibility, more standardization Management and

31 JFROG AND BLACK DUCK AN INTEGRATED SOLUTION Easy, efficient use of open source binary artifacts Developers: No hassle, more informed component use decisions Managers: Earlier visibility, more standardization Management and control of open source use Black Duck Software, Inc. All Rights Reserved.

Approve Catalog Audit Monitor Description Version Vulnerabilities Cryptography

32 BLACK DUCK AND JFROG AUTOMATE OPEN SOURCE MANAGEMENT Application development cycle Plan Code Build Test Release Open source governance lifecycle Acquire Approve Catalog Audit Monitor Description Version Vulnerabilities Cryptography License Maturity Black Duck KnowledgeBase Black Duck Software, Inc. All Rights Reserved.

Questions? Dave Gruber Black Duck dgruber@blackducksoftware.

How To Improve Your Software

How To Improve Your Software Driving Quality, Security and Compliance in Third- Party Code Dave Gruber Director of Product Marketing, Black Duck Keri Sprinkle Sr Product Marketing Manager, Coverity Jon Jarboe Sr Technical Marketing