Open Source and the New Software Supply Chain. Mark Tolliver, CEO Palamida Inc.

Transcription

1 Open Source and the New Software Supply Chain Mark Tolliver, CEO Palamida Inc.

2

3 Could You Sign This?

4 Typical Software Project Metrics 2.9 GB 87,863 Files 8,535,345 LOC Copyright holders ~350 Archives 178 Binaries 801 JARs 228 Where Did We Get These Components?

5 Open Source Now Makes Up Over 50% of Most Software Projects Audit Example Size 15.9GB 59.1M LOC Documented OS components Undocumented OS components Total # 838 % LOC from Open Source 60-65% Result of an audit engagement performed by Palamida

6 Open Source Now Makes Up Over 50% of Most Software Projects Audit Example Size Documented OS components Undocumented OS components 15.9GB 59.1M LOC Total # 838 % from Open Source 60-65% Result of an audit engagement performed by Palamida

7 Licenses Found by Type 30% Audit Breakdown by License 25% 20% 15% 10% TOTAL % 5% 0% Source: 2010 Year to Date Audit Engagements Performed by Palamida Professional Services

8 How Did This Happen? Content predates existing processes and systems: ie limited or no formal record Acquired code: incomplete diligence at acquisition time Envelope problem: subcomponents of top level OSS components are not visible and therefore not subject to review

9 Managing Software Content Has Become an Essential Part of Software Development Opportunities Reduced development costs Reduced development times Improved time-to-market Challenges Reduce Intellectual Property and Security Risks Comply with requirements from customers and government regulations

10 Opportunity The Business Value of Open Source Development time and cost 100,000 lines of code = $1.9M (20 lines/day, 222 days/year, $85k/year) Support expense Leverage community support vs. complete in-house strategy Per incident example: 2 day resolution vs 5 = 60% reduction Tools Source code control system, build system, bug tracking etc

11 Today a Palamida customer Expects to manage over 10,000 updates per year from external software suppliers Will require a certification of software content from these external suppliers as part of their supplier contracts Will audit all suppliers multiple times per year Will require their product VPs to certify the content and compliance of their software

12 So What s a software Bill of Materials?

13 Software Bill of Materials #1 - It s a critical quality tool to insure that software components meet quality standards Boeing 787 Supplier Chart

14 Software BOM (Bill of Materials) Component Location License Assigned Issues Vulnerabilities Encryption Status

15 Software Bill of Materials #2 - It s a way to meet your obligations to the owners of the intellectual property you use and avoid a claim of copyright infringement Settings General About Legal

16 Third Party Notices File (Example) Component Name: foo Version: Description: <description text> NOTICES Copyright copyright owner License Text: <text of license> Component Name: bar Version: 4.0 Description: <description text> NOTICES Copyright copyright owner License Text: <text of license>

17 Obligations End User License Agreement (EULA): capture all licenses in the software product and deliver them with each customer shipment (license.txt or other file) Display in the about box: determine which licenses require additional attribution and be sure that the about box content is updated (Third Party Notices) Display in the documentation Offer to provide a copy of the code used: Add source code to a distribution site if available Commercial Terms: Royalties etc

18 Offer To Provide a Copy KDL-40W5100, KDL-40W5600, KDL-40XBR9, KDL-40Z5100, KDL-40Z5600, KDL-46W5100, KDL-46W5150, KDL-46W5600, KDL-46XBR9, KDL-46Z5100, KDL-46Z5600, KDL-52W5100, KDL-52W5150, KDL-52W5600, KDL-52XBR9, KDL-52Z5100, KDL-52Z5600, KDL-65W5100, KDL-46XBR10, KDL-52XBR10 GPL LGPL Other kernel _gtx.tgz (40 MB) busybox-1.00.tgz (1.5 MB) pump tgz (55 KB) popt.tgz (562 KB) dosfstools-2.11.tgz (122 KB) sfdisk-2.14.tgz (4 MB) glibc src.rpm (12.5 MB) glibc src.rpm (12 MB) mipsel-gcc src.rpm (27 MB) mipsel-uclibc src.rpm (5 MB) freetype tgz (1.5 MB)

19 Next Question What s our policy?

20 Policy Questions What is the name and version of this software component? What is the license? Where did we get it? Is this component in a software product that ships to customers? Does this component contain encryption? Have we modified this component? When was the last time we checked this software? Does this component contain known vulnerabilities? Have we added this component to the notices file?

21 IP Policy Policy for Apache 2.0 License: Global, Approve, Any Component, Last Update Detailed Policy Example: Modified? Type of redistribution?

22 You Need to Pay Attention Its still cheaper and faster to download a million lines of code than to write it You will have to disclose at some point The wrong time to think about it is when time is short black boxes are no longer black

23 Challenges: Intellectual Property GPL scores historic court compliance victory By Gavin Clarke in San Francisco Posted in Software, 4th August :55 GMT Open sourcers have scored a major victory in a US court over violation of the GPL. The Software Freedom Conservancy has secured $90,000 in damages for willful infringement of GPLv2, plus nearly $50,000 in costs from Westinghouse Digital Electronics over its illegal distribution of the Unix utility BusyBox. The company has also been ordered to stop shipping product loaded with BusyBox.

24 September 25, 2010 The Defenders of Free Software Herman Wouters for The New York Times Armijn Hemel of the Netherlands is part of a movement that wants to make sure that big companies adhere to the rules of open-source software. By ASHLEE VANCE Published: September 25,

25 The Mobile Battlefield Source: The Guardian and New York Times

26 Challenges: Security Android faces critical security study By Joseph Menn in San Francisco Published: October :29 Last updated: October :29 Source: Financial Times FT.com October 31,

27 A Search Engine for Software Your Code Base Palamida Compliance Library Inventory of Software Content Vulnerability Status Reports IP Compliance Reports

28 Code Scanning Scans Binaries / Images / Source / etc.. Schedule Scans (queue) schedule scans (api) Incremental scans Scale Out multiple servers for parallel scans

29 Code Analysis Dual Pane Side-by-Side Comparison of your code with matched library code Tag and Filter System and user-defined tags Example: Has copyright holder = <our company name> and has SCF: Why are we copyrighting third party code?

30 Manage Policy Allowed/Rejected Licenses Products Usage Conditions of use Sign-off

31 Manage Developer Requests Workflow Fully Configurable Quick Review Remediation

32 Report Everything Forensic Data Project Data License Obligations Cross Project Reports Security Issues Version specific Potential Audit Reports Prioritized EULA Copyrights

33 Identify 3 rd Party Security Issues Vulnerabilities in OSS Automated Discovery Association with NVD/CVE Warning Alerts Updates

34 Managing Your Software Supply Chain What s Next?

35 The world expects an accurate software BOM* Your customers will require this and you should require it from your software suppliers (your software supply chain) You can t claim to build quality software if you don t know what is in your code and where it came from The open source communities expect you to respect their IP, and they are watching *Bill of Material

36 Its not just open source Although there will be more and more open source choices Commercial code has important restrictions that you need to observe as well Reuse of internal code will become a measure of development team productivity

37 Other types of code analysis (security, quality, performance) will ultimately be tied into this BOM view A framework for enterprise application security More and more automated More and more visual

38 Best Practices A centralized model is the best way to start. It allows organizations to develop expertise quickly. Audit external code before it enters the codebase (M&A, outsourced work etc) Build rules as you go. They will make repeat audits faster and more automated. The first pass audit on any codebase is a large task - consider using outside experts Hold development managers responsible by signing off on code BOM before release

39 Open Source and the New Software Supply Chain Mark Tolliver, CEO Palamida Inc.

40 Using Outside Experts 1 5 Days (Depending on target readiness) (1 n days) Depending on size of materials and depth of analysis (weekly progress reports) 1-2 Hours Phase 1 Phase 2 Phase 3 Kickoff OSS/Third Report & and Party Audit Review Scoping

41 Using Open Source Best Practices A centralized model is the best way to start. It allows organizations to develop expertise quickly. The first pass audit on any codebase is a large task - consider using outside experts Build rules as you go. They will make the next audit much easier. Audit new external code before it enters the codebase (M&A, outsourced work etc) Hold development managers responsible by signing off on code BOM before release