Phil Marshall Black Duck Software ISACA Webinar Program ISACA. All rights reserved.

Transcription

2 Welcome Type in questions using the Ask A Question button All audio is streamed over your computer Having technical issues? Click the? button Download the slide deck from the Event Home Page After viewing the webinar, ISACA Members may earn 1 CPE credit. To earn 1 CPE, click the CPE Quiz link on the Event Home Page. Once you pass the quiz, you will receive a printable CPE Certificate. t Question or suggestion? them to elearning@isaca.org 2012 ISACA Webinar Program ISACA. All rights reserved. 2

3 About Black Duck Software OSS Enablement for Multi-Source Development Enable organizations and developers to build better software faster by automating and managing their selection, use and governance of OSS Founded in Backed by industry leaders Recognized as a market leader & innovator Cool Vendor 2010 Nifty 150 Application Development Cloud Computing Innovation Award ISACA Webinar Program ISACA. All rights reserved. 3

7 Today s Agenda Open Source Component use is Proliferating Benefits and Challenges Unique to OSS use? Best in Class Strategic Use of OSS Does it makes sense to apply the COBIT Framework 2012 ISACA Webinar Program ISACA. All rights reserved. 7

10 OSS Governance in Job Descriptions? Open source is ubiquitous, awareness of the need for management and governance is growing in EIT Gartner 2011: In % of Global 2000 enterprises include OSS in mission-critical software portfolios (going to 99% by 2016) Increasing numbers of IT organizations depend on use of open-source software (OSS), while only a minority have established, open-source governance policies in place By 2014, 50% of Global 2000 organizations will experience technology, cost and security challenges through lack of open-source governance OSS IS NOW IN THE JOB DESCRIPTION 2012 ISACA Webinar Program ISACA. All rights reserved. 10

11 Why OSS? Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage ISACA Webinar Program ISACA. All rights reserved. 11

12 Why OSS? Competitive advantage Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage ISACA Webinar Program ISACA. All rights reserved. 12

13 Why OSS? Competitive advantage Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage. Flexibility 2012 ISACA Webinar Program ISACA. All rights reserved. 13

14 Why OSS? Competitive advantage Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage. Flexibility Faster 2012 ISACA Webinar Program ISACA. All rights reserved. 14

15 Why OSS? Competitive advantage Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage. Flexibility Cheaper Faster 2012 ISACA Webinar Program ISACA. All rights reserved. 15

16 Why OSS? Competitive advantage Innovation Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage. Flexibility Cheaper Faster 2012 ISACA Webinar Program ISACA. All rights reserved. 16

17 Why OSS? Competitive advantage Innovation Open source is ubiquitous, it s unavoidable.having a policy against open source is impractical and places you at a competitive disadvantage. Flexibility Cheaper Faster 2012 ISACA Webinar Program ISACA. All rights reserved. 17

18 Faster, Better, Cheaper Cost Schedule Features Open source is a silver bullet that allows simultaneous improvement along all three dimensions of the software iron triangle of cost, schedule, features. Jeffrey Hammond - August ISACA Webinar Program ISACA. All rights reserved. 18

20 Change, Risk and Opportunity "We make extensive use of open source [for trading systems], and I expect it will continue to be a very big part of what we do for the next few years," said Jeremy Lehman, the Chief Software Architect at Citigroup's Global Equities group. FOSS Analysis (Nov. 2011) Large growth in Bank consumption of open source technologies to enable rapid delivery of new services to market. 50% of companies will face challenges due to lack of OSS policy and management 2012 ISACA Webinar Program ISACA. All rights reserved. 20

21 Mixed OSS-Internal Code Risks Loss of Intellectual Property License Rights and Restrictions Export Regulations Software Defects Injunction? Security Vulnerabilities Contractual Obligations? Escalating Support Costs 2012 ISACA Webinar Program ISACA. All rights reserved. 21

22 Governance without Considering OSS Use? Risks Brand impact Security vulnerability Customer service Not including the use of open source software in a governance program represents a major business risk 29% Open Source Software IPR impact Legal infringement 2012 ISACA Webinar Program ISACA. All rights reserved. 22

23 What Development Executives Tell Us I have little/no visibility into the open source used in our projects I m accountable for all of this and I have little control Our open source compliance will slow down our development schedules It s difficult to support applications that contain open source code We need standardization our developers use multiple different versions of the same/similar component 2012 ISACA Webinar Program ISACA. All rights reserved. 23

25 What do we typically find? Conclusion: An Under-developed Governance program is hindering this client from realizing the value of Open Source. Operational and legal risk reduction require Managing level across all disciplines. To fully realize the value of OSS (beyond risk reduction) companies should strive to be at the Participating or Driving levels. Client is exposed in several areas and only partially developed in others. Supply Chain & Compliance are the most developed. Discovery, Maint. & Support, Community Interaction and Executive Oversight are undeveloped 2012 ISACA Webinar Program ISACA. All rights reserved. 25

26 Why Manage Code/Components Acquisition? Quality issues 85% Found 0 Coding Unit test Function Field test Post test stage release Capers Jones, applied software measurement: assuring productivity and quality. Introduced 2012 ISACA Webinar Program ISACA. All rights reserved. 26

27 What s different about OSS? License Use and. The following table highlights some freeware and open source licenses that may be used in a given use case ISACA Webinar Program ISACA. All rights reserved. 27

28 Compliance and Governance Challenges identified at UK Bank Legal Corporate SBU1 SBU2 SBU3 SBU4 SBU5 SBU6 Project A Project B Project C Establish a policy for certifying new OSS use Develop a governance policy for your OSS portfolio Governance model undefined Global, regional, decentralized Stakeholder roles Differing levels of OSS maturity in business units Differing business models and use cases in business units Differing levels of readiness and ability (and willingness?) to assimilate change Business Case and funding 2012 ISACA Webinar Program ISACA. All rights reserved. 28

29 Manual OSS Process Challenges Identified Search & Select Web search Ask around Check the spreadsheet Sift through information Approve Fill out form Answer questions Advocate Contact legal Wait Wait Security review Catalog Update spreadsheet Arch. review Other approval boards Audit Cd Code Review Rewrite Monitor Monitor security alerts Monitor updates to components Where Used? 2012 ISACA Webinar Program ISACA. All rights reserved. 29

35 Getting to Governance Establish key stakeholder group Strategy, policy, process Open Source Governance (OSG) program Discovery Remediation Communication & training 2012 ISACA Webinar Program ISACA. All rights reserved. 35

37 Gartner s Recommendations Open-Source Software, the Power Behind the Throne Gartner, November Develop an inventory of the exposure of your IT environment to OSS 2. Establish a policy for certifying new open-source use 3. Develop a governance policy for your OSS portfolio. 4. Consider OSS offerings, along with the closed-source software, as competitive alternatives, and make selections based on technical excellence and total cost of ownership (TCO) merits ISACA Webinar Program ISACA. All rights reserved. 37

38 Black Duck Software Enabling Enterprise Open Source Adoption Gartner: average Enterprise uses 29% OSS (January 2011) Best practice companies use 60%-80% 100% 90% 80% 70% 60% 50% 40% Value of Best-in-Class Open Source Software Use 80% 30% 20% 10% 0% 29% Average Best-in-Class 2012 ISACA Webinar Program ISACA. All rights reserved. 38

39 OSS Adoption Lifecycle? Mission critical Strategic imperative Tactical decision Innovators Technology Enthusiasts Early adopters Visionaries Early Majority Pragmatists 2012 ISACA Webinar Program ISACA. All rights reserved. 39

42 Requirements for World-Class OSS Management & Governance Strategy Articulate the business objectives for use of OSS Policy & Process OSS Policy & Management Process Technology Automate governance and compliance Design In and automate policies 2012 ISACA Webinar Program ISACA. All rights reserved. 42

46 Governance and Management Defined What sort of framework is COBIT? An IT audit and control framework? COBIT (1996) and COBIT 2 nd Edition (1998) Focus on Control Objectives An IT management framework? COBIT 3 rd Edition (2000) Management Guidelines added An IT governance framework? COBIT 4.0 (2005) and COBIT 4.1 (2007) Governance and compliance processes added Assurance processes removed BUT what is the difference between governance and management? 2012 ISACA Webinar Program ISACA. All rights reserved. 46

47 Governance and Management Defined (cont.) Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM) ISACA Webinar Program ISACA. All rights reserved. 47

48 COBIT 5 Holistic? COBIT 5 processes now cover end-to-end business and IT activities, i.e., a full enterprise-level view. This provides for a more holistic and complete coverage of practices reflecting the pervasive enterprise-wide nature of IT use. It makes the involvement, responsibilities and accountabilities of business stakeholders in the use of IT more explicit and transparent. But, are you considering OSS use at the application and component level? 2012 ISACA Webinar Program ISACA. All rights reserved. 48

50 Stakeholder Value and Business Objectives Principle 1. Meeting Stakeholder Needs: Stakeholder needs have to be transformed into an enterprise s actionable strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, practical and customized goals within the context of the enterprise, IT-related goals and enabler goals. Source: COBIT 5, figure ISACA All rights reserved ISACA Webinar Program ISACA. All rights reserved. 50

54 COBIT Touch Points for OSS Governance Search & Select Simple, Consolidated Entry Point Trusted Source Updated & Maintained Approve Configurable Approval Forms Automated Approval Workflow Audit Automated Delta Scans Custom Code Printing Rapid Identification CLI & SDK Knowledge Base Catalog Approved Multi-Source Stack Custom Components & Licenses Bill of Materials Monitor Automated NVD Notifications Where FOSS used 2012 ISACA Webinar Program ISACA. All rights reserved. 54

55 Automated Governance and Compliance Application development cycle Plan Code Build Test Rl Release Open source governance lifecycle Acquire Approve Catalog Audit Monitor Description Version Vulnerabilities Cryptography License Maturity Black Duck KnowledgeBase 2012 ISACA Webinar Program ISACA. All rights reserved. 55

56 What Next? Strongly consider discovering your OSS exposure Speak to development teams about OSS use Consider a true holistic approach to Governance Become a strategic, optimized user organization 2012 ISACA Webinar Program ISACA. All rights reserved. 56