Productivity Through Open Source Policy Compliance


This article is part of a series on how Rational Collaborative Lifecycle Management (CLM) solutions support software development compliance. Today the use of open source components is a necessary and desirable part of software development. In order to be protected from the various challenges and risks of using open source, organizations need policies and processes to ensure policy compliance. This article shows how an organization using Rational Team Concert and Black Duck's Protex product can simply manage and guide developers' use of open source.

Consider the example of a company having great success in speeding time to market and accelerating innovation by encouraging its developers to use appropriate open source components to implement basic functionality, thus allowing them to focus resources on differentiating features. "Only develop what you can't download," half-jokes one development manager. Our company's senior management realizes, however, that they need to protect the delivery of software from various risks by only allowing the use of authorized open source components that conform to company policy. Risks include IP (from uninformed use of certain licenses), security, quality and supportability. Someone representing the management team could add this requirement to the Internal Controls requirements in Requirements Composer.

Let's say a team of development managers and lawyers who have expertise in this area have worked out a policy. A simple open source policy might include a list of approved and disapproved licenses and the provision that developers may only use components with approved licenses. Many companies, for example, avoid the use of software governed under reciprocal licenses, such as the GNU General Public License or GPL. Now a process and tooling engineer could configure Black Duck to run automatically with each Rational Team Concert build in order to assure compliance with the policy. In this example, let's say that an issue arising from a policy violation will not kill the build, but will be flagged to the responsible developers for verification and remediation.

Now, a developer introduces some open source code into the code they are developing for a project. They utilize some binaries that are part of open source projects. They also copy and paste source code into their own, and perhaps modify the code. The nature of open source, and a big advantage, is that the source code is available and can be customized to the purpose at hand.

The Black Duck analysis runs automatically as part of the build process.

The analysis will create an audit report including a Bill of Materials, identify open source components in the code and flag potential license conflicts. Rational Team Concert tracks the progress of the analysis and indicates completion. The Black Duck analysis is integrated into the build environment. Here's a zoomed-in view.

The build log shows that there are some files that need attention. Rational Team Concert is configured to automatically create a work item for the engineer responsible for the code in question, together with a link to more detail on the issue at hand. Here's a zoomed-in view of the task being created with Rational Team Concert.
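The policy described above (an approved list, a disapproved list of reciprocal licenses, and a check that runs with every build but flags rather than kills it) can be expressed as a small post-analysis gate. The following is an added example and not Black Duck or Rational Team Concert code; it assumes the analysis step has written a bill of materials as JSON with one entry per detected component (name, version, SPDX-style license id, matched files), and both the policy lists and the BOM are constructed for illustration. It produces the title and body of the work item that would be handed to the responsible engineer and an exit code that optionally fails the build.

```python
"""Open source policy gate that runs after the build's component analysis.

Added example; this is not Black Duck or Rational Team Concert code. It
assumes the analysis step has written a bill of materials (BOM) as JSON with
one entry per detected component carrying a name, version, SPDX-style
license id and the matched files. The policy lists and the BOM below are
constructed for illustration.
"""
import json
import sys
from dataclasses import dataclass

# Policy as worked out by development managers and lawyers (constructed lists).
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}
# Reciprocal licenses the company avoids.
DISAPPROVED_LICENSES = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}

# Constructed BOM standing in for the analysis tool's output.
SAMPLE_BOM = json.dumps({
    "components": [
        {"name": "logging-helper", "version": "EXAMPLE", "license": "Apache-2.0",
         "files": ["src/util/Log.java"]},
        {"name": "JEP", "version": "EXAMPLE", "license": "GPL-2.0-or-later",
         "files": ["src/expr/Parser.java", "src/expr/Tokenizer.java"]},
        {"name": "mystery-snippet", "version": "EXAMPLE", "license": "NOASSERTION",
         "files": ["src/net/Retry.java"]},
    ]
})


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    license: str
    files: tuple
    # "violation": disapproved license; "review": license not covered by policy
    severity: str


def evaluate_bom(bom_json, approved=APPROVED_LICENSES, disapproved=DISAPPROVED_LICENSES):
    """Compare every BOM component against the policy; return the non-compliant ones."""
    findings = []
    for comp in json.loads(bom_json)["components"]:
        lic = comp.get("license") or "NOASSERTION"
        if lic in approved:
            continue
        severity = "violation" if lic in disapproved else "review"
        findings.append(Finding(comp["name"], comp.get("version", ""), lic,
                                tuple(comp.get("files", ())), severity))
    return findings


def work_item_text(finding):
    """Title and body for the task handed to the responsible engineer."""
    title = f"Open source policy {finding.severity}: {finding.component} ({finding.license})"
    body = "Matched files:\n" + "\n".join(f"  - {f}" for f in finding.files)
    return title, body


def build_exit_code(findings, fail_on_violation=False):
    """0 lets the build pass; 1 fails it. The article's configuration flags
    violations without killing the build, which is the default here."""
    has_violation = any(f.severity == "violation" for f in findings)
    return 1 if (has_violation and fail_on_violation) else 0


if __name__ == "__main__":
    results = evaluate_bom(SAMPLE_BOM)
    for finding in results:
        title, body = work_item_text(finding)
        print(title)
        print(body)
    # Pass --strict to turn the warning into a failed build.
    sys.exit(build_exit_code(results, fail_on_violation="--strict" in sys.argv))
```

Licenses the policy does not mention are reported as "review" rather than silently passed, so an unattributed copy-and-paste (the `NOASSERTION` entry) still reaches a human, while only a disapproved reciprocal license counts as a violation that can fail the build.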

The developer can see the potential license issue clearly flagged and described. In this case it appears that a component called JEP is licensed under the GPL license, clearly a conflict with the company's open source policy.

Conflict reported

In many cases, such as this one, the developer may not have intentionally included code from this component. There are many ways this can happen; for example, the developer may have borrowed the code from elsewhere inside the company. Perhaps that implementation was only intended to be used internally, in which case the GPL-licensed component might not be an issue. To verify that the code is in fact code from JEP, the developer can look at a side-by-side comparison. Clearly the code matches. The developer needs to go back and either create or find another component that will perform the same function. Once that is done they can close out the issue in Rational Team Concert and it should not surface in the next build. Here's the result of the analysis that runs with the next build, which verifies that the issue has been remediated.

In this article we looked at how a company can automate assurance of compliance with its open source policy using Rational Team Concert integrated with Black Duck.