OSS LOGISTICS: DRIVING INNOVATIVE SOFTWARE FROM DEVELOPER TO CUSTOMER Alex Bigmore Senior Architect & Open Source Governance Programme Manager SITA

Transcription

1 OSS LOGISTICS: DRIVING INNOVATIVE SOFTWARE FROM DEVELOPER TO CUSTOMER Alex Bigmore Senior Architect & Open Source Governance Programme Manager SITA Phil Granof EVP & Chief Marketing Officer Black Duck Software 2014 Black Duck Software, Inc. All Rights Reserved.

2 OVERVIEW Introduction Open Source Market Trends SITA Case study The OSS Logistics Framework Conclusions Black Duck Software, Inc. All Rights Reserved.

3 OSS TRENDS 3

4 OS CRITICAL ACROSS MANY NEW TECHNOLOGIES 63% 57% 53% 51% 49% 48% 46% 27% 26% 13% 12% 10% CLOUD/ VIRTUALIZATION CONTENT MGMT MOBILE SECURITY COLLABORATION NETWORK MGMT SOCIAL MEDIA 3D PRINTING ANALYTICS AND BUSINESS INTELLIGENCE DRONES GAMING ERP Black Duck Software, Inc. All Rights Reserved.

5 THE VIRTUOUS CYCLE Foundation Participation Proliferation Democratization Black Duck Software, Inc. All Rights Reserved.

6 OPEN SOURCE WINS ON QUALITY 80% Choose based on quality Black Duck Software, Inc. All Rights Reserved.

7 OPEN SOURCE WINS ON FEATURES 67% TCO 80% Choose based on features Black Duck Software, Inc. All Rights Reserved.

8 OPEN SOURCE WINS ON FEATURES Black Duck Software, Inc. All Rights Reserved.

9 ACCESS TO TECHNICAL FEATURES #8 Reason for adoption #4 Reason for adoption Black Duck Software, Inc. All Rights Reserved.

10 CHOOSING BASED ON SECURITY 72% Choose based on Security Black Duck Software, Inc. All Rights Reserved.

11 CHOOSING BASED ON SECURITY? Black Duck Software, Inc. All Rights Reserved.

12 CORPORATE REACTION Black Duck Software, Inc. All Rights Reserved.

13 OPEN SOURCE ADOPTION IS RISING XX%??? 30% 5% Source: Black Duck audit results Source: IDC Survey of G Black Duck Software, Inc. All Rights Reserved.

14 SITA Case Study Open Source Compliance Alex Bigmore Open Source Governance Programme Manager

15 15

16 First Steps to Compliance SITA developed an Intellectual Property software asset registry with the objective of better understanding the composition of its software in terms of IP ownership, applicable licensing terms and code used to generate SITA s revenue streams Together with developer surveys this revealed that software is mixed IP, using internally developed, outsource developed, third party proprietary and Open Source software Two questions emerged How much Open Source Software (OSS) was used as part of the code base? What were the licensing details of each OSS component? The need to answer these questions was the first step toward establishing an Open Source Governance (OSG) programme 16 Open Source Compliance Confidential SITA 2014

17 Creating the Governance Programme IP Asset Registry created OSS usage revealed Establish Stakeholders Pilot how much OSS is really used? Do we need OSS? Governance Programme 17 Open Source Compliance Confidential SITA 2014

18 Governance Objectives Ensure compliance with OSS licenses and distribution requirements Enable greater use of OSS across the organization to improve software development efficiency and quality 18 Open Source Compliance Confidential SITA 2014

19 Achieving Governance Objectives Strategy, policy, process License review Communication & training Approval Discovery & remediation Compliance and OSS Enablement 19 Open Source Compliance Confidential SITA 2014

20 Compliance and OSS Enablement Approval before use Policy requires teams to request approval before OSS is used to minimise remediation Black Duck Code Center used to manage approval process Verification scanning Determines whether there is OSS present that has not been approved Reports on licence compliance Black Duck Protex used for OSS scanning Automation wherever possible Impact the development teams as little as possible Automate responses to approval requests where possible SITA licence guidance rules implemented, others addressed manually Enable teams to trigger verification scans OSG team involved as needed 20 Open Source Compliance Confidential SITA 2014

21 Summary OSG and supporting tools have enabled SITA to Ensure compliance with licences of OSS used Encourage and support greater use of open source in current and future projects Notify project teams of vulnerabilities in OSS used Automate to minimise impact Self service OSS approvals Self service OSS scanning 21 Open Source Compliance Confidential SITA 2014

22 Thank you Alex Bigmore, OSG Programme Manager 22 Open Source Compliance Confidential SITA 2014

23 OSS LOGISTICS 23

24 OSS SHOULD BE MANAGED, NOT FEARED 50% of companies will face challenges due to lack of FOSS policy and management FOSS Survey Black Duck Software, Inc. All Rights Reserved.

25 CHALLENGES OF THE ARCHITECT I want to know what open source I use. I want to know where I use open source. I want to eliminate the security risks associated with open source. I want more control over the open source my developers use. I want help choosing open source. I want to decrease the amount of code we need to maintain. I want to reuse code. I want to participate in the open source ecosystem Black Duck Software, Inc. All Rights Reserved.

26 KNOWLEDGE BASE Black Duck Software, Inc. All Rights Reserved.

27 OUR VALUE We help companies manage their use of open source code in order to see enormous gains across fundamental competitive dimensions. Speed Cost Security Innovation Black Duck Software, Inc. All Rights Reserved.

28 THINK LIKE LINUX, ACT LIKE UPS, SMILE LIKE AMAZON Black Duck Software, Inc. All Rights Reserved.

29 WHAT IS OSS LOGISTICS? Choose Scan Approve Inventory Secure Deliver Black Duck Software, Inc. All Rights Reserved.

30 CHOOSE OSS Choice begins with data. The Black Duck Knowledgebase is the world s most comprehensive database of open source project information. License Version Vulnerability Maturity Cryptography Black Duck KnowledgeBase Description Black Duck Software, Inc. All Rights Reserved.

31 CHOOSE OSS The Black Duck Knowledgebase is at the heart of OSS Logistics, continually gathering data throughout the open source community: Over one million projects From 6,000 sites For over 2,200 unique software licenses. Secure Black Duck Open Hub Approve Scan Inventory Black Duck Open Source KnowledgeBase Community Black Duck Software, Inc. All Rights Reserved.

32 CHOOSE OSS The Black Duck Open Hub provides a window into the world of open source. Find reports about the composition and activity of project code bases Track the changing demographics of the FOSS world Follow developers and their contributions Search for code with Code Sight Secure Black Duck Open Hub Approve Scan Inventory Black Duck Open Source KnowledgeBase Community Black Duck Software, Inc. All Rights Reserved.

33 CHOOSE OSS Black Duck Software, Inc. All Rights Reserved.

34 APPROVE OSS Empower developers with automated approval processes built on the right policies for governing the use of open source. Eliminate uncertainty and re-work Speed identification of software components Mitigate risk without slowing developers down Collaborate seamlessly Secure Black Duck Open Hub Approve Scan Inventory Black Duck KnowledgeBase Open Source Community Black Duck Software, Inc. All Rights Reserved.

35 SCAN OSS Automatically scan, discover and identify what open source code is used within specific applications. Understand code origin Identify licenses and support compliance Eliminate manual effort Increase reliability and visibility Secure Black Duck Open Hub Approve Scan Inventory Black Duck KnowledgeBase Open Source Community Black Duck Software, Inc. All Rights Reserved.

36 INVENTORY OSS Create a company-wide intelligent catalog of approved software that grows smarter over time. Track where components are used in other applications. Encourage standardization and re-use. Secure Black Duck Open Hub Approve Scan Inventory Black Duck KnowledgeBase Open Source Community Black Duck Software, Inc. All Rights Reserved.

37 SECURE OSS Continuous monitoring ensures that future security vulnerabilities associated with a specific component are quickly flagged for resolution. Receive daily alerts Alter workflows in response to severity Quickly locate and remediate Secure Black Duck Open Hub Approve Scan Inventory Black Duck KnowledgeBase Open Source Community Black Duck Software, Inc. All Rights Reserved.

38 DELIVER We provide a license obligation report and an easily consumable bill of materials (BOM) that you can deliver to your customers or internal stakeholders. Incoming Code Automated Scanning and Built-In Approval Policies Outgoing Code Black Duck Software, Inc. All Rights Reserved.

39 DELIVER Automatically discover encryption algorithms within a code base and identify applicable export rules: Cryptography export compliance Government reporting Licensing requirements Policy management challenges Outgoing Code Approve Scan Black Duck Software, Inc. All Rights Reserved.

40 CONCLUSIONS The open source debate is over. Mostly. Complexity and quality are colliding. Reaping the benefits requires management. Logistics provides the best conceptual model for see reaping the benefits of open source Black Duck Software, Inc. All Rights Reserved.

41 QUESTIONS? 41