Open Source and the New Software Supply Chain. Mark Tolliver, CEO Palamida Inc.


Could You Sign This?

Typical Software Project Metrics
- Size: 2.9 GB
- Files: 87,863
- LOC: 8,535,345
- Copyright holders: ~350
- Archives: 178
- Binaries: 801
- JARs: 228
Where Did We Get These Components?

Open Source Now Makes Up Over 50% of Most Software Projects
Audit Example (result of an audit engagement performed by Palamida):
- Size: 15.9 GB, 59.1M LOC
- Documented OS components: 303
- Undocumented OS components: 535
- Total: 838
- % LOC from Open Source: 60-65%

Licenses Found by Type (chart: Audit Breakdown by License, TOTAL % per license type on a 0-30% axis). Source: 2010 Year to Date Audit Engagements Performed by Palamida Professional Services

How Did This Happen?
- Content predates existing processes and systems, i.e. there is a limited or no formal record
- Acquired code: incomplete diligence at acquisition time
- Envelope problem: subcomponents of top-level OSS components are not visible and therefore not subject to review

Managing Software Content Has Become an Essential Part of Software Development
Opportunities:
- Reduced development costs
- Reduced development times
- Improved time-to-market
Challenges:
- Reduce intellectual property and security risks
- Comply with requirements from customers and government regulations

Opportunity: The Business Value of Open Source
- Development time and cost: 100,000 lines of code = $1.9M (20 lines/day, 222 days/year, $85k/year)
- Support expense: leverage community support vs. a complete in-house strategy. Per incident example: 2 day resolution vs. 5 = 60% reduction
- Tools: source code control system, build system, bug tracking, etc.

Today a Palamida customer:
- Expects to manage over 10,000 updates per year from external software suppliers
- Will require a certification of software content from these external suppliers as part of their supplier contracts
- Will audit all suppliers multiple times per year
- Will require their product VPs to certify the content and compliance of their software

So What's a Software Bill of Materials?

Software Bill of Materials #1 - It's a critical quality tool to ensure that software components meet quality standards (figure: Boeing 787 Supplier Chart)

Software BOM (Bill of Materials) columns: Component | Location | License | Assigned | Issues | Vulnerabilities | Encryption Status

Software Bill of Materials #2 - It's a way to meet your obligations to the owners of the intellectual property you use and avoid a claim of copyright infringement (screenshot: Settings > General > About > Legal)

Third Party Notices File (Example)

    Component Name: foo
    Version: 2.3.1
    Description: <description text>
    NOTICES
    Copyright 1995-2010 copyright owner
    License Text: <text of license>

    Component Name: bar
    Version: 4.0
    Description: <description text>
    NOTICES
    Copyright 1995-2010 copyright owner
    License Text: <text of license>

Obligations
- End User License Agreement (EULA): capture all licenses in the software product and deliver them with each customer shipment (license.txt or other file)
- Display in the about box: determine which licenses require additional attribution and be sure that the about box content is updated (Third Party Notices)
- Display in the documentation
- Offer to provide a copy of the code used: add source code to a distribution site if available
- Commercial terms: royalties etc.

Offer To Provide a Copy (example source offer page)
Models: KDL-40W5100, KDL-40W5600, KDL-40XBR9, KDL-40Z5100, KDL-40Z5600, KDL-46W5100, KDL-46W5150, KDL-46W5600, KDL-46XBR9, KDL-46Z5100, KDL-46Z5600, KDL-52W5100, KDL-52W5150, KDL-52W5600, KDL-52XBR9, KDL-52Z5100, KDL-52Z5600, KDL-65W5100, KDL-46XBR10, KDL-52XBR10
Packages offered (GPL, LGPL, Other):
- kernel-2.6.11_gtx.tgz (40 MB)
- busybox-1.00.tgz (1.5 MB)
- pump-0.8.15.tgz (55 KB)
- popt.tgz (562 KB)
- dosfstools-2.11.tgz (122 KB)
- sfdisk-2.14.tgz (4 MB)
- glibc-2.3.3-1.src.rpm (12.5 MB)
- glibc-2.3.3-1.src.rpm (12 MB)
- mipsel-gcc-3.4.3-1.src.rpm (27 MB)
- mipsel-uclibc-0.9.28-1.src.rpm (5 MB)
- freetype-2.1.9.tgz (1.5 MB)

Next Question: What's our policy?

Policy Questions
- What is the name and version of this software component?
- What is the license?
- Where did we get it?
- Is this component in a software product that ships to customers?
- Does this component contain encryption?
- Have we modified this component?
- When was the last time we checked this software?
- Does this component contain known vulnerabilities?
- Have we added this component to the notices file?

IP Policy
- Policy for Apache 2.0 License: Global, Approve, Any Component, Last Update
- Detailed Policy Example: Modified? Type of redistribution?
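The BOM columns, the policy questions and the notices file format above fit together as one small piece of tooling: each BOM row answers the policy questions, a policy table turns those answers into an approve/review/reject decision, and the rows that ship to customers are rendered into the Third Party Notices file. The Python below is an added example, not Palamida's code or a real Palamida data format; the component records, the policy rules (including the LGPL "unmodified only" and GPL "internal use only" refinements), the license texts, the 90-day re-check window and the CVE placeholder id are all constructed assumptions.

```python
"""Software BOM rows, a license policy check and a Third Party Notices file.
Added example, not Palamida's code: the component records, policy rules,
license texts and 90-day re-check window are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RECHECK_AFTER = timedelta(days=90)   # assumed re-check interval
TODAY = date(2010, 11, 1)            # fixed so the run is reproducible

@dataclass
class Component:
    """One BOM row: the slide's columns plus the policy-question fields."""
    name: str
    version: str
    location: str                # where in the code base it lives
    license: str                 # SPDX-style identifier (assumption)
    assigned: str                # person responsible for the review
    copyright: str               # notice found in the component
    description: str = "<description text>"
    modified: bool = False       # "Have we modified this component?"
    ships_to_customers: bool = True
    contains_encryption: bool = False
    last_checked: date = TODAY   # "When was the last time we checked?"
    vulnerabilities: list = field(default_factory=list)   # known CVE ids
    issues: list = field(default_factory=list)            # filled by evaluate()

@dataclass
class Rule:
    """A policy line such as 'Apache 2.0: Global, Approve, Any Component'."""
    license: str
    decision: str                      # "approve", "review" or "reject"
    only_if_unmodified: bool = False   # the "Modified?" refinement
    internal_use_only: bool = False    # the "Type of redistribution?" refinement

POLICY = {   # constructed policy table
    "Apache-2.0": Rule("Apache-2.0", "approve"),
    "MIT": Rule("MIT", "approve"),
    "LGPL-2.1": Rule("LGPL-2.1", "approve", only_if_unmodified=True),
    "GPL-2.0": Rule("GPL-2.0", "approve", internal_use_only=True),
}
SEVERITY = {"approve": 0, "review": 1, "reject": 2}

def worse(a, b):
    """The more restrictive of two decisions."""
    return max(a, b, key=SEVERITY.get)

def evaluate(c):
    """Answer the policy questions for one component; record issues on it."""
    c.issues = []
    rule = POLICY.get(c.license)
    if rule is None:
        c.issues.append(f"no policy for license {c.license}")
        decision = "review"
    else:
        decision = rule.decision
        if rule.only_if_unmodified and c.modified:
            c.issues.append("modified copy; approval covers unmodified use only")
            decision = worse(decision, "review")
        if rule.internal_use_only and c.ships_to_customers:
            c.issues.append(f"{c.license} component ships to customers")
            decision = worse(decision, "reject")
    if c.vulnerabilities:
        c.issues.append("known vulnerabilities: " + ", ".join(c.vulnerabilities))
        decision = worse(decision, "review")
    if c.contains_encryption:
        c.issues.append("contains encryption: check export requirements")
    if TODAY - c.last_checked > RECHECK_AFTER:
        c.issues.append(f"last checked {c.last_checked}, re-check due")
        decision = worse(decision, "review")
    return decision

def evaluate_bom(components):
    """Return {component name: decision} for the whole BOM."""
    return {c.name: evaluate(c) for c in components}

def third_party_notices(components, license_texts):
    """Render the notices file in the slide's format for shipped components."""
    blocks = []
    for c in components:
        if not c.ships_to_customers:      # the EULA obligation covers shipped code
            continue
        blocks.append("\n".join([
            f"Component Name: {c.name}", f"Version: {c.version}",
            f"Description: {c.description}", "NOTICES", c.copyright,
            "License Text: " + license_texts.get(c.license, "<text of license>"),
        ]))
    return "\n\n".join(blocks) + "\n"

SAMPLE_BOM = [   # constructed sample inventory; the CVE id is a placeholder
    Component("foo", "2.3.1", "lib/foo", "Apache-2.0", "alice",
              "Copyright 1995-2010 foo copyright owner"),
    Component("bar", "4.0", "lib/bar", "LGPL-2.1", "bob",
              "Copyright 2004 bar copyright owner", modified=True),
    Component("baz", "1.2", "tools/baz", "GPL-2.0", "carol",
              "Copyright 2008 baz copyright owner", ships_to_customers=False),
    Component("qux", "0.9", "lib/qux", "GPL-2.0", "dave",
              "Copyright 2009 qux copyright owner",
              vulnerabilities=["CVE-EXAMPLE-0001"], last_checked=date(2010, 1, 15)),
]
LICENSE_TEXTS = {"Apache-2.0": "<text of the Apache License 2.0>"}

if __name__ == "__main__":
    decisions = evaluate_bom(SAMPLE_BOM)
    for c in SAMPLE_BOM:
        print(f"{c.name} {c.version} ({c.license}): {decisions[c.name]} {c.issues}")
    print(third_party_notices(SAMPLE_BOM, LICENSE_TEXTS))
```

Running it, foo is approved, bar (a modified LGPL copy) and the GPL component that is not shipped come back as review and approve respectively, and qux is rejected because it ships under a license the constructed policy allows only internally, with its known vulnerability and stale check date recorded as further issues. A component whose license has no policy line at all lands in review rather than being silently approved, which is the behaviour the "What is the license?" question is meant to force.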

You Need to Pay Attention
- It's still cheaper and faster to download a million lines of code than to write it
- You will have to disclose at some point
- The wrong time to think about it is when time is short
- Black boxes are no longer black

Challenges: Intellectual Property

"GPL scores historic court compliance victory", by Gavin Clarke in San Francisco, posted in Software, 4th August 2010 18:55 GMT:
Open sourcers have scored a major victory in a US court over violation of the GPL. The Software Freedom Conservancy has secured $90,000 in damages for willful infringement of GPLv2, plus nearly $50,000 in costs from Westinghouse Digital Electronics over its illegal distribution of the Unix utility BusyBox. The company has also been ordered to stop shipping product loaded with BusyBox.
http://www.theregister.co.uk/2010/08/04/gpl_violation_westinghouse/

"The Defenders of Free Software", by Ashlee Vance, The New York Times, published September 25, 2010 (photo: Herman Wouters for The New York Times):
Armijn Hemel of the Netherlands is part of a movement that wants to make sure that big companies adhere to the rules of open-source software.
http://www.nytimes.com/2010/09/26/business/26ping.html?hpw

The Mobile Battlefield Source: The Guardian and New York Times

Challenges: Security

"Android faces critical security study", by Joseph Menn in San Francisco, Financial Times (FT.com), published October 31 2010 18:29, last updated October 31 2010 18:29:
http://www.ft.com/cms/s/2/10b955ba-e519-11df-8e0d-00144feabdc0.html

A Search Engine for Software
Inputs: your code base, the Palamida Compliance Library
Outputs:
- Inventory of software content
- Vulnerability status reports
- IP compliance reports

Code Scanning
- Scans binaries, images, source, etc.
- Schedule scans (queue); schedule scans (API)
- Incremental scans
- Scale out: multiple servers for parallel scans

Code Analysis
- Dual pane: side-by-side comparison of your code with matched library code
- Tag and filter: system and user-defined tags. Example: has copyright holder = <our company name> and has SCF: why are we copyrighting third party code?

Manage Policy
- Allowed/rejected licenses
- Products
- Usage
- Conditions of use
- Sign-off

Manage Developer Requests
- Workflow: fully configurable
- Quick review
- Remediation

Report Everything
- Forensic data
- Project data
- License obligations
- Cross project reports
- Security issues: version specific, potential
- Audit reports: prioritized
- EULA
- Copyrights

Identify 3rd Party Security Issues
- Vulnerabilities in OSS
- Automated discovery
- Association with NVD/CVE
- Warning alerts
- Updates

Managing Your Software Supply Chain: What's Next?

The world expects an accurate software BOM*
- Your customers will require this, and you should require it from your software suppliers (your software supply chain)
- You can't claim to build quality software if you don't know what is in your code and where it came from
- The open source communities expect you to respect their IP, and they are watching
*Bill of Materials

It's not just open source
- Although there will be more and more open source choices
- Commercial code has important restrictions that you need to observe as well
- Reuse of internal code will become a measure of development team productivity

Other types of code analysis (security, quality, performance) will ultimately be tied into this BOM view
- A framework for enterprise application security
- More and more automated
- More and more visual

Best Practices
- A centralized model is the best way to start. It allows organizations to develop expertise quickly.
- Audit external code before it enters the codebase (M&A, outsourced work etc.)
- Build rules as you go. They will make repeat audits faster and more automated.
- The first pass audit on any codebase is a large task - consider using outside experts
- Hold development managers responsible by signing off on the code BOM before release

Open Source and the New Software Supply Chain Mark Tolliver, CEO Palamida Inc. mark@palamida.com

Using Outside Experts
- Phase 1: Kickoff and Scoping
- Phase 2: OSS/Third Party Audit
- Phase 3: Report & Review
Durations shown on the timeline: 1-5 days (depending on target readiness); 1 to n days (depending on size of materials and depth of analysis, with weekly progress reports); 1-2 hours.

Using Open Source Best Practices
- A centralized model is the best way to start. It allows organizations to develop expertise quickly.
- The first pass audit on any codebase is a large task - consider using outside experts
- Build rules as you go. They will make the next audit much easier.
- Audit new external code before it enters the codebase (M&A, outsourced work etc.)
- Hold development managers responsible by signing off on the code BOM before release