OPEN SOURCE SOFTWARE CUSTODIAN AS A SERVICE


OPEN SOURCE SOFTWARE CUSTODIAN AS A SERVICE Martin Callinan Martin.callinan@sourcecodecontrol.co Wednesday, June 15, 2016

Table of Contents

- Introduction
- Source Code Control
- What we do
- Service Description
- Activities
- Deliverables
- Timeline
- Security Vulnerabilities
- Licensing and Licence Compliance
- Operational Risk

Introduction

Source Code Control recommends an independent source code review as part of an overall risk management strategy. The service will automatically profile source code for legal/IP, security and operational risks. This transparency will help promote the quality assurance of our clients and their development standards to customers and prospects, and will also provide a competitive differentiation.

Source Code Control

Source Code Control specialises in helping customers leverage the benefits of adopting Open Source Software while minimising the associated risks. The risks are summarised below:

- Legal risk/licence compliance: OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks
- Security vulnerabilities: security vulnerabilities contained within components
- Operational risk: evaluates whether components meet your technical and architectural standards
- Community support: determines developer activity and resulting component viability based on commit history

What we do

- Ease the adoption of Open Source Software
- Increase confidence in the use of Open Source Software applications
- Create a structure to enable compliance with OSS licence requirements and security policies
- Enable greater use of OSS across the organisation

Quality code. Compliant code. Secure code.

Service Description

The service proposed is a fully managed service to govern and risk-manage the source code of applications developed for our clients, and can be extended to any third party developers who produce code for them. Source Code Control will provide monthly consolidated reports to the client's management and the stakeholders of the projects in the following areas:

- Security vulnerabilities: security vulnerabilities contained within Open Source components, including their severity level
- Open Source Licence Compliance, in line with the client's Open Source Policy: OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks
- Community support: determines component risk from developer activity and the resulting component viability, based on commit history
- Remediation status: outstanding issues that have already been reported but not resolved
- Software maintenance reporting: quality of code maintenance for each project, time to resolve issues, responsiveness

The service will be underpinned by a cloud based source code scanning solution (Figure 1). Designated staff will be granted access to the portal and will be able to authorise Source Code Control to provide access to relevant stakeholders in the project team of the relevant project.

Figure 1. Summarised View of Project Status

At the initiation of the service the source code for the project will undergo a full deep code scan, and a report will be issued detailing all vulnerabilities and risks, including their severity. Source Code Control will also provide interpretation of the data and recommendations. The recommendations would advise on:

1. Licensing conflicts
2. Licensing that does not meet the requirements of a client's Open Source Software Policy
3. Security assessment. If a client has defined in their Open Source Software Policy a threshold for the minimum severity rating of component vulnerabilities that must be remediated, the vulnerabilities meeting that threshold will be summarised. Otherwise, Source Code Control will take a zero tolerance approach and flag all vulnerabilities
4. A summary of components in use with a low level of commit history and community support

Activities:

The following activities will be included in the Service:

- Breakdown of the Software Portfolio into audit segments, if required, in consultation with the Client representative
- Full automated scanning, analysis and reporting using the scanning application
- Consultation with the software vendor to resolve copyrights, standard headers and author tags discovered in the portfolio
- Analysis and verification of modules, and issue of regular audit progress reports
- Delivery of the audit reports described below, review of the reports with the client's management and designated stakeholders, and answering of questions within 30 days of delivering the reports

Deliverables:

The following reports ("Reports") will be delivered to the client:

- Audit Report: a high level executive report, containing high level information and a graphic representation of licences, copyrights, OSS projects, security vulnerabilities and encryption content within the Software Portfolio. The Audit Report is delivered in PDF format.
- Overview Report and Detailed file-by-file Report: verified machine-generated reports on the Software Portfolio. The Overview Report shall be delivered in PDF format; the Detailed file-by-file Report shall be delivered in CSV format (readable by Microsoft Excel).
- Concatenated Licence List Report: the consolidated text of all available licences within the Software Portfolio, in PDF format.
- Security Vulnerability Report: a cross reference of all security vulnerability information as reported by the National Vulnerability Database, in PDF format.
- Encryption Report: a list of OSS projects detected in the portfolio that could be subject to export control, in PDF format.
- Access to the hosted code review platform for relevant stakeholders.

Timeline

The entire code review per project, as described by the Service, is expected to be completed within 7 days of access to the Client's software source code portfolio.

Security Vulnerabilities

Source Code Control will identify security vulnerabilities reported by the National Vulnerability Database (NVD). The NVD is a public resource, managed by the US government, tracking security vulnerabilities reported for all types of software. The managed service will automatically and dynamically cross-reference vulnerabilities posted by the NVD. Each vulnerability will be reported with a severity ranking that can also be used to filter the alerts provided as part of the managed service (Figure 2). Once a vulnerability is flagged and it is above the severity threshold defined by the client's Open Source Software Policy, Source Code Control will alert the project's stakeholders to the vulnerability and set the target date for remediation, if one is defined in an SLA. Source Code Control will then report the actual date on which the vulnerability was fixed. Project stakeholders can use this information to monitor and improve quality assurance and code maintenance procedures.

Figure 2. Security Vulnerabilities

Full disclosure details of vulnerabilities will be available, including how the vulnerability is scored: Base Score, Exploitability and Impact (Figure 3).

Figure 3. Security Vulnerability Disclosure
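The cross-reference, threshold and SLA tracking described above, as an added example that is not part of the service document or its scanning platform. It assumes a hypothetical bill of materials and NVD-style records, all constructed inline with placeholder CVE ids, and a single severity threshold taken from the client's policy.

```python
"""Cross-reference a bill of materials against NVD-style records, apply the OSS
policy severity threshold and track remediation against an SLA. All data here is
constructed for illustration; the CVE ids are placeholders, not real entries."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed records in the shape of NVD/CVSS data (base, exploitability, impact).
NVD_SAMPLE = [
    {"id": "CVE-0000-0001", "product": "libexample", "versions": ["1.0", "1.1"],
     "base_score": 9.8, "exploitability": 3.9, "impact": 5.9},
    {"id": "CVE-0000-0002", "product": "libexample", "versions": ["1.1"],
     "base_score": 4.3, "exploitability": 2.8, "impact": 1.4},
    {"id": "CVE-0000-0003", "product": "otherlib", "versions": ["2.0"],
     "base_score": 7.5, "exploitability": 3.9, "impact": 3.6},
]
# Constructed bill of materials (component, version) produced by the code scan.
BOM = [("libexample", "1.1"), ("otherlib", "2.5"), ("thirdlib", "0.9")]

@dataclass
class Finding:
    component: str
    version: str
    cve: str
    base_score: float
    target_date: date   # remediation target derived from the SLA

def cross_reference(bom, records):
    """Every (component, version, record) where the scanned version is affected."""
    return [(c, v, r) for c, v in bom for r in records
            if r["product"] == c and v in r["versions"]]

def apply_policy(matches, threshold, reported_on, sla_days):
    """Keep matches at or above the policy threshold (0.0 = zero tolerance, the
    default when the client has defined none) and set the SLA target date."""
    target = reported_on + timedelta(days=sla_days)
    return [Finding(c, v, r["id"], r["base_score"], target)
            for c, v, r in matches if r["base_score"] >= threshold]

def remediation_status(findings, fixed, today):
    """fixed maps CVE id -> date actually fixed; returns {cve: status} for the report."""
    status = {}
    for f in findings:
        fixed_on = fixed.get(f.cve)
        if fixed_on is not None:
            status[f.cve] = "fixed late" if fixed_on > f.target_date else "fixed on time"
        else:
            status[f.cve] = "overdue" if today > f.target_date else "open"
    return status
```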

Licensing and Licence Compliance

It is imperative that a client defines, as part of its Open Source Policy, guidance to software developers on the issue of software licensing. Not only is there a need to be mindful that licensing obligations are being met, but there is also the desire to ensure that, by default, all code created by a client forms part of a library of assets for reuse. Conflicting components under reciprocal licences such as GPLv2, GPLv3 and, for hosted solutions, AGPL may put a client's own IP at risk and lead to any competitive advantage being lost.

If, in the short term, a client is not in a position to define an Open Source Policy, the managed service will report and highlight:

1. All open source components and their associated licensing
2. High level licensing risk
3. Incompatible licences, e.g. the Free Software Foundation views Apache 2.0 as incompatible with GPLv2 but compatible with GPLv3
4. Commentary and advice regarding licensing the application, based on the audience and roadmap of the product
5. Potential copyright issues
6. Future proofing issues related to the types of licensing being used

Figure 4 shows how the licensing will be reported.

Although the perceived legal risk of Open Source Software licensing today might be that it is a minor hazard, the significant rise in adoption of Open Source Software also means an increase in legal activity related to IP and copyright infringement. This is only going to increase and could be a stumbling block to the adoption of open source applications among risk averse end user management. It is much more difficult to undo licensing issues in code that has been deployed, used and evolved over time; for this reason, the sooner a policy is defined the better.
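The licensing report items above (components and their licences, high level risk, the Apache 2.0/GPLv2 incompatibility, reciprocal licences including AGPL for hosted solutions), as an added example that is not part of the service document. It assumes a hypothetical client policy expressed as SPDX identifier sets and a constructed component inventory.

```python
"""Licence reporting over a constructed component list: classify each licence,
flag reciprocal ones (AGPL specifically for hosted solutions) and detect the
incompatible pair cited above. The policy sets are a hypothetical client policy."""

# Hypothetical client policy, keyed by SPDX identifiers.
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
RECIPROCAL = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_RECIPROCAL = {"AGPL-3.0-only"}   # reciprocity also triggers on hosted use
# Incompatible pairs per the FSF view quoted above: Apache-2.0 combines with GPLv3
# but not with GPLv2. Extend this table from the client's own policy.
INCOMPATIBLE = {frozenset({"Apache-2.0", "GPL-2.0-only"})}

# Constructed component inventory: (component, SPDX licence id as detected).
COMPONENTS = [("webfw", "Apache-2.0"), ("crypto", "GPL-2.0-only"),
              ("db", "AGPL-3.0-only"), ("util", "MIT"), ("legacy", "UNKNOWN")]

def licence_report(components, hosted):
    """Return the licensing summary for one project; hosted=True for SaaS delivery."""
    present = {lic for _, lic in components}
    known = PERMISSIVE | RECIPROCAL | NETWORK_RECIPROCAL
    # Licences the scan could not identify need manual review before release.
    unknown = sorted(n for n, lic in components if lic not in known)
    reciprocal = sorted(n for n, lic in components
                        if lic in RECIPROCAL | NETWORK_RECIPROCAL)
    hosted_agpl = sorted(n for n, lic in components
                         if hosted and lic in NETWORK_RECIPROCAL)
    conflicts = sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= present)
    if conflicts or hosted_agpl:
        risk = "high"      # licence conflict, or network copyleft on a hosted product
    elif reciprocal or unknown:
        risk = "medium"    # obligations to satisfy, or licence not yet identified
    else:
        risk = "low"
    return {"risk": risk, "conflicts": conflicts, "reciprocal": reciprocal,
            "hosted_agpl": hosted_agpl, "unknown": unknown}
```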

Figure 4. Licensing Reporting

Operational Risk

The managed service will also include, in both the on-boarding report and the monthly summary reports, details of open source software components that carry operational risks, by highlighting those that have fallen into disuse or have very slow commit activity, as well as versions that are far out of date.

Figure 5. Operational risk reporting