5 Steps for a Winning Open Source Compliance Program
Kellan Ponikiewicz and Peter Vescuso
@black_duck_sw
Black Duck 2013
Speakers
- Peter Vescuso, EVP of Marketing, Black Duck Software
- Kellan Ponikiewicz, IP Counsel, Nuance Communications
Agenda
- Market Trends
- Open Source at Nuance
- 5 Steps for Open Source Compliance
- Automating Open Source Management
- Q&A
"Software is eating the world." (Marc Andreessen, 2012)

...and open source is increasing its appetite.
Source: Black Duck KnowledgeBase
Open Source is Ubiquitous
"By 2016, at least 95% of IT organizations will leverage nontrivial elements of open-source software technology in their mission-critical IT portfolios, including cases where they might not be aware of it, an increase from 75% in 2010."
Open Source is Ubiquitous
Open source makes up 30% or more of the code at major G2000 organizations.
Why is Open Source Important?
Open Source at Nuance
2002-2013 Nuance Communications, Inc. All rights reserved.
Nuance at a glance
- Approximately 12,000 full-time employees
- Worldwide headquarters in Burlington, MA
- FY 2012 non-GAAP revenue was ~$1.7 billion
- Nearly two-thirds of Fortune 100 companies rely on Nuance solutions
- The 8 largest handset makers and 10 largest auto makers use Nuance solutions
- Nuance solutions have shipped in more than 5 billion mobile phones and 70 million cars
At Nuance, everything we do is focused on developing the most human, natural, intuitive ways to use your voice to take command of information.
Open Source at Nuance
Nuance primarily uses open source in the following ways:
- Development
- Release of sample code
- Integration with popular platforms
5 Steps to Follow for Putting a Program in Place
1. Assess the business case for an open source program
2. Gain the support of upper-level management
3. Determine the type of system needed
4. Outline a policy and general open source process
5. Communicate and train
The Business Case for Regulating Open Source
- Sales methods and product type(s)
- Typical development practices
- Industry best practices
Getting Management Buy-In
Buy-in depends in large part on identifying the risks posed by not acting.
Sales Process & Product Type:
- Customer indemnification requests
- Customer open source usage requests
Development Practices:
- Open source platform development
- Business requirement to contribute
Industry Best Practices:
- Stringent security requirements
- Reputation in the open source community
Open Source and Security
Secure software development has many components; at least the following can be accomplished in part through open source governance:
- Understand your software: regular scans provide insight into code content.
- Protect sensitive information: ensuring that developers follow open source guidelines can protect company trade secrets.
- Develop software with secure features: use of open source software may introduce security issues.
- Secure software development education: educating employees about open source can improve compliance with policies and procedures.
Determining the Appropriate System
Not every system is the same. Putting in a manual system can be onerous. Black Duck can assist in determining the right type of system to put in place.
Considerations when determining the appropriate system:
- Available personnel
- IT infrastructure
- Scope of proposed program
- Budget
Policies and Process, Communication and Training
- Policies and procedures: Black Duck has services that can help with this.
- Communicate the new system: company-wide communication.
- Train relevant employees: employees typically have preconceived notions about open source, and it is often important to address these head-on.
Policy Considerations
Permitting code licensed under particular licenses is not, by itself, a robust open source strategy. Other items to consider:
- Business need to use particular components or develop on particular platforms
- Attractiveness of products having certain functionality
- The propensity for open source projects to fork
Black Duck Helps Dev Teams Build Better Software Faster with Open Source
Three pillars: Discovery, Management, Empowerment
Capabilities: scanning, acquisition, collaboration, matching, approvals, visibility, security, cataloging, metrics, analysis, auditing, optimization, assessment, monitoring, integration
Black Duck offerings rest on the world's largest database of project code information (Discovery, Management, Empowerment): 1 million projects, 6,000 sites, 2,200 licenses.

The Black Duck Suite provides a complete solution for managing open source: automated governance and compliance with deep license data.
The Black Duck Suite integrates with the application development lifecycle (automated governance and compliance with deep license data; fully automated compliance).
Management track:
- Approvals: who, when, and how
- Risk assessment
- Compliance assessment
Development track:
- Acquire: find, evaluate, and select with the KnowledgeBase
- Develop (e.g., Eclipse)
- CI + Build (e.g., Rational, Git, Maven)
- Release (internal / external)
Across both tracks:
- Monitor: license, vulnerability, version, approval
- Audit: license, vulnerability, version, approval
Audit services: a quick, cost-effective way to obtain essential information for business decisions
- Open source
- M&A
- Internal
- Security
- Code quality
Questions?
Webinars: www.blackducksoftware.com/resources/webinars
@black_duck_sw