Driving Quality, Security and Compliance in Third-Party Code
Dave Gruber, Director of Product Marketing, Black Duck
Keri Sprinkle, Sr Product Marketing Manager, Coverity
Jon Jarboe, Sr Technical Marketing Manager, Coverity
Software is at the heart of disruptive business models
Copyright Coverity, Inc. and Black Duck, 2013
The Global State of Open Source
"Software is Eating the World" - Marc Andreessen. And open source is driving the software world.
Open source projects: 1M projects, 100B LoC, 10M person-years. Source: Black Duck Software
81% of business leaders believe that technology is a fundamental element of their business model.
Over 60 million tablets and 175 million smartphones will be in the workplace by the end of 2012.
By 2016, open source software will be included in mission-critical applications within 99% of Global 2000 enterprises.
Software today is multi-source. Your software application is assembled from OSS communities, internally developed code, outsourced code development and commercial 3rd-party code, all passing through the enterprise's tools and processes.
"Global 2000 organizations increasingly leverage code from a vast array of sources including internally built, open source, outsourced, commercially built, and customized applications." - Melinda Ballou, IDC
3rd-Party Code Software Supply Chain
Outsourcing, commercial 3rd-party, OEM and open source code reach you through a multi-tier supply chain: 3rd-tier supplier, 2nd-tier supplier, 1st-tier supplier, then your own product.
Defect/Issue Types: Code Quality Defects
Defects, Quality and Cost
(Chart: where quality issues are introduced versus where they are found, across coding, unit test, function test, field test and post-release. Roughly 85% of quality issues are introduced during coding, while the cost of fixing each one rises the later in that sequence it is found.)
Source: Capers Jones, Applied Software Measurement: Assuring Productivity and Quality
But what about the supply chain?
Near-finished software arrives at your doorstep. Discovering issues at this point requires a cycle back to one or more suppliers, and those cycles are costly and time-consuming.
60 million lines of code are written by developers every day.
$60 billion annual U.S. cost due to poor software quality.
80% of the software development budget is spent fixing software defects.
Development Testing: Build Better Software Faster
Analyze: accurately detect issues that are difficult to find through traditional testing.
Remediate: quickly and efficiently manage issues to resolution.
Govern: enforce a consistent standard for quality, security, licensing and testing.
Coverity is the leader
Company and technology innovation: founded in 2003 at the Stanford Computer Science Laboratory; 300 employees across 13 offices and 10 countries worldwide; 16 patents and 4 pending for platform and analysis algorithms.
Customer and market leadership: over 1,100 world-class customers; over 5 billion lines of code under management; #1 in Software Quality Analysis market (IDC); #1 in Automated Test and Verification market (VDC); "transformational company" in the testing market (voke); best software development solution.
Authoritative source on OSS quality
Coverity Scan: a free cloud-based service for open source. 400 leading open source projects; 45,000 defects fixed by the community.
"The bottom line is that Coverity has an excellent product, and if you run or contribute to an open source project written in C/C++ you should be using Coverity Scan. It will likely find bugs that can certainly have security implications in your code." - Michael Rash, Security Researcher
Development Testing: transform software testing from reactive to proactive, so fewer defects escape development.
(Chart: relative cost to fix a defect across Design, Development, Quality Assurance and Product Release & Management, rising to 5x, 10x and 30x in the later phases.)
Copyright Coverity, Inc., 2013
Coverity Development Testing Platform
Analyze: Analysis Packs (Quality Advisor, Security Advisor, Test Advisor, Architecture Analysis), Dynamic Analysis, Analysis Integrations (Third Party Metrics, Code Coverage, Test Execution, Analysis Integration Toolkit), all on Coverity SAVE (Static Analysis Verification Engine), covering proprietary code and open source code.
Remediate: Coverity Connect.
Govern: Policy Manager.
SDLC integrations: IDE, Build/Continuous Integration, Defect Tracking, SCM, ALM.
The industry's first developer-friendly software testing platform
Integration into the development workflow: IDE, defect tracking, SCM, build/CI, ALM.
Analysis accuracy: proven false-positive rate of less than 10% on codebases over 1M lines of code.
Remediation guidance: shows the path to the defect and fix guidance in the context of the developer's code (patent-pending security remediation engine).
Performance and scale: proven scale on codebases up to 100M lines; analysis runs in minutes to hours rather than days to weeks.
"Coverity enables developers to produce secure code and gives developers a more positive attitude about addressing security, which ultimately leads to fixing defects." - Gerold Hubner, Chief Product Security Officer at SAP
Automate testing within the inner loop of development
(Diagram: the developer writes code and commits it to centralized source control; the build system analyzes the code for interprocedural quality and security defects; new issues are generated, prioritized and assigned back to the appropriate developer; the developer fixes the critical defects and writes new unit tests where the change impact requires them; management sees the prioritized issues.)
Build a stage gate across the SDLC
(Diagram: Planning, Requirements, Analysis and Design, Development, Quality Assurance, Security Audit, Deployment, with gate criteria between phases: no uninspected defects; no new quality defects or security defects; no critical security or quality defects; all critical code tested.)
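The gate criteria above ("no new defects", "no uninspected critical defects") are decisions a build can make automatically if each analysis run is compared against an approved baseline. The following is an added example written for this page, not Coverity's own tooling: it assumes analysis results are exported as JSON with checker, file, function, severity and triage status fields (the checker names, severity scale and status labels are assumptions), keys defects on checker/file/function so that line shifts do not make a known defect look new, and fails the build when either criterion is violated. The two reports are constructed for illustration.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Defect:
    checker: str                 # analysis checker name, e.g. "RESOURCE_LEAK" (assumed names)
    file: str
    function: str
    severity: str                # "critical", "high", "medium" or "low" (assumed scale)
    status: str = "Uninspected"  # triage state; "Uninspected" means nobody has looked at it yet

    def fingerprint(self):
        # Key on checker/file/function rather than line number so that unrelated
        # edits shifting lines do not make a baseline defect appear as a new one.
        return (self.checker, self.file, self.function)


def load_report(report_json):
    """Parse an exported analysis report (assumed JSON shape: list of defect objects)."""
    return [Defect(**d) for d in json.loads(report_json)]


def evaluate_gate(baseline, current, blocking=("critical",)):
    """Apply two gate criteria: no defects absent from the baseline, and no
    uninspected defects at a blocking severity. Returns the decision and reasons."""
    known = {d.fingerprint() for d in baseline}
    new = [d for d in current if d.fingerprint() not in known]
    uninspected = [d for d in current
                   if d.severity in blocking and d.status == "Uninspected"]
    reasons = []
    if new:
        reasons.append(f"{len(new)} defect(s) not present in the approved baseline")
    if uninspected:
        reasons.append(f"{len(uninspected)} uninspected {'/'.join(blocking)} defect(s)")
    return {
        "passed": not reasons,
        "new": [d.fingerprint() for d in new],
        "uninspected": [d.fingerprint() for d in uninspected],
        "reasons": reasons,
    }


# Constructed reports: the baseline was triaged and accepted at the previous gate;
# the current build carries one additional, not-yet-triaged critical defect.
BASELINE_JSON = json.dumps([
    {"checker": "RESOURCE_LEAK", "file": "net/conn.c", "function": "open_conn",
     "severity": "medium", "status": "Triaged"},
    {"checker": "OVERRUN", "file": "util/buf.c", "function": "copy_in",
     "severity": "critical", "status": "Fix Required"},
])
CURRENT_JSON = json.dumps([
    {"checker": "RESOURCE_LEAK", "file": "net/conn.c", "function": "open_conn",
     "severity": "medium", "status": "Triaged"},
    {"checker": "OVERRUN", "file": "util/buf.c", "function": "copy_in",
     "severity": "critical", "status": "Fix Required"},
    {"checker": "NULL_RETURNS", "file": "proto/parse.c", "function": "parse_header",
     "severity": "critical"},
])


def run_gate(baseline_json=BASELINE_JSON, current_json=CURRENT_JSON):
    return evaluate_gate(load_report(baseline_json), load_report(current_json))


if __name__ == "__main__":
    result = run_gate()
    print("PASS" if result["passed"] else "FAIL: " + "; ".join(result["reasons"]))
    raise SystemExit(0 if result["passed"] else 1)
```

Run as a CI step, the non-zero exit code is what turns the criteria into an actual stage gate; the baseline is re-approved only when the new defects have been triaged and either fixed or explicitly accepted.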
Gain executive-level visibility into risk across teams, projects and components
The Golden Rule for Proper Software Supply Chain Management Treat the management of open source software as an integrated, cross functional business process, and not simply as a development process.
Best Practices for Managing Open Source (Policy, Process, Technology)
1. Adopt and enforce an open source and third-party code policy.
2. Identify and track all external code that is used.
3. Automate validation at the point of acquisition and development.
4. Automate monitoring and tracking of open source components.
5. Control the use of components and promote standardization.
6. Use automation tools to produce complete Bills of Material and reports for supply chain partners.
License Management
License policy: know what licenses apply to what use cases.
Informed choices: give developers up-front insight into licenses and policy.
Approvals: a streamlined, automated approval process.
Auditing: OSS still sneaks in, so auditing is required throughout the process.
Visibility and Monitoring of Security Vulnerabilities
Are there known security vulnerabilities in components that I want to use?
Is anyone paying attention to vulnerability reports post-deployment?
Are version updates available that resolve security vulnerabilities?
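All three questions reduce to the same operation: match each component and version in the bill of materials against a vulnerability feed, and re-run the match whenever the feed changes. The following is an added example written for this page, not Black Duck's KnowledgeBase or a real advisory feed: the component names, version numbers and advisory identifiers are all constructed for illustration and do not refer to real vulnerabilities, and the version-ordering rule (dotted numeric segments with an optional letter suffix such as "1.0.1e") is an assumption.

```python
from dataclasses import dataclass


def parse_version(version):
    """Turn '1.0.1e' into ((1, ''), (0, ''), (1, 'e')) so that tuple comparison orders
    numerically per segment and then by letter suffix. Assumed scheme for this example;
    real feeds need the component's own versioning rules."""
    parts = []
    for piece in version.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i] or 0), piece[i:]))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    component: str
    affected_from: str   # first affected version, inclusive
    fixed_in: str        # first version that is no longer affected (the update to take)

    def affects(self, version):
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


def check_bom(bom, advisories):
    """Answer 'are there known vulnerabilities in what I use, and is a fix available?'
    for every (component, version) pair in the BOM."""
    findings = []
    for name, version in bom:
        for adv in advisories:
            if adv.component == name and adv.affects(version):
                findings.append({"component": name, "version": version,
                                 "advisory": adv.advisory_id, "fixed_in": adv.fixed_in})
    return findings


def new_findings(previous, current):
    """Post-deployment monitoring: report only what was not known at the last check."""
    seen = {(f["component"], f["advisory"]) for f in previous}
    return [f for f in current if (f["component"], f["advisory"]) not in seen]


# Constructed BOM of a shipped product and two snapshots of a constructed feed:
# the state at release time, and the state after a new advisory was published.
BOM = [("libparse", "2.2.5"), ("netutil", "1.1.0"), ("zipper", "3.0.0")]
FEED_AT_RELEASE = [
    Advisory("ADV-0001", "libparse", "2.0.0", "2.3.1"),
    Advisory("ADV-0002", "netutil", "0.9.0", "1.1.0"),   # BOM already carries the fix
]
FEED_LATER = FEED_AT_RELEASE + [Advisory("ADV-0003", "zipper", "3.0.0", "3.0.2")]


if __name__ == "__main__":
    at_release = check_bom(BOM, FEED_AT_RELEASE)
    for f in at_release:
        print(f"{f['component']} {f['version']}: {f['advisory']}, update to {f['fixed_in']}")
    for f in new_findings(at_release, check_bom(BOM, FEED_LATER)):
        print(f"NEW since release: {f['component']} {f['version']}: {f['advisory']}")
```

The `new_findings` diff is the part that addresses the second question: a BOM checked once at release answers nothing about advisories published afterwards, so the check has to be scheduled against the current feed and the delta routed to whoever owns the deployed component.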
Automating the Process
(Diagram: the application development cycle, Plan, Code, Build, Test, Release, runs alongside the open source governance lifecycle, Acquire, Approve, Catalog, Audit, Monitor. Each step draws on the Black Duck KnowledgeBase: description, version, vulnerabilities, cryptography, license, maturity and deep license data.)
Starting Point
Baselining your codebase: a bill of materials listing open source components, licenses and versions.
Auditing all inbound software from suppliers: BOMs, licenses and obligations.
Cataloging OSS for fast access when issues or defects are reported.
Using SPDX to communicate with your supply chain.
Software Package Data Exchange (SPDX)
The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included. The specification defines a common file format to communicate this information.
Working group of FOSSBazaar (governance best practices group under the Linux Foundation). Charter: create data exchange standards to enable license and component information sharing (metadata). Participation from software, systems and tool vendors, consultants and foundations.
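To make the BOM exchange concrete, here is an added example written for this page (not SPDX project code and not a Black Duck tool) of both ends of the exchange described in the baselining and SPDX slides: the supplier side emits a minimal bill of materials in SPDX tag-value syntax, and the consumer side parses it and evaluates every declared license against the kind of license policy the License Management slide calls for. It uses SPDX 2.2 tag-value field names; the component inventory, the license policy and the document namespace are constructed for illustration. A package whose license is NOASSERTION is treated as denied, on the principle that an undeclared license grants no permission.

```python
from datetime import datetime, timezone

# Constructed license policy: SPDX license identifiers grouped by decision. A real
# policy depends on how the product is distributed; these groupings are illustrative.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
    "denied": {"GPL-3.0-only"},
}

# Constructed component inventory, as a scan of a codebase might produce it.
COMPONENTS = [
    {"name": "fastjson-lite", "version": "1.4.2", "license": "Apache-2.0"},
    {"name": "imgcodec", "version": "0.8.0", "license": "LGPL-2.1-only"},
    {"name": "tinyhelpers", "version": "2.0.1", "license": "NOASSERTION"},
]


def spdx_id(name):
    """SPDXID values may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in name)


def to_spdx(components, doc_name, namespace, created=None):
    """Supplier side: write a minimal SPDX 2.2 tag-value document, one Package per component."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {doc_name}",
        f"DocumentNamespace: {namespace}",
        "Creator: Tool: bom-example",
        f"Created: {created}",
    ]
    for c in components:
        lines += [
            "",
            f"PackageName: {c['name']}",
            f"SPDXID: {spdx_id(c['name'])}",
            f"PackageVersion: {c['version']}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            f"PackageLicenseConcluded: {c['license']}",
            f"PackageLicenseDeclared: {c['license']}",
            "PackageCopyrightText: NOASSERTION",
        ]
    return "\n".join(lines) + "\n"


def parse_spdx(text):
    """Consumer side: recover name, version and declared license of each package.
    Tag-value lines are 'Tag: value'; a PackageName line opens a new package."""
    packages, current = [], None
    for raw in text.splitlines():
        if ":" not in raw or raw.startswith("#"):
            continue
        tag, value = (s.strip() for s in raw.split(":", 1))
        if tag == "PackageName":
            current = {"name": value}
            packages.append(current)
        elif current is not None and tag == "PackageVersion":
            current["version"] = value
        elif current is not None and tag == "PackageLicenseDeclared":
            current["license"] = value
    return packages


def classify(license_id, policy=POLICY):
    """Map one declared license to a policy decision."""
    if license_id in ("", "NONE", "NOASSERTION"):
        return "denied"      # no declared license means no permission
    for decision in ("denied", "review", "allowed"):
        if license_id in policy[decision]:
            return decision
    return "review"          # identifier not covered by policy: route to approval


def audit(spdx_text, policy=POLICY):
    """Evaluate an inbound supplier BOM against the policy, package by package."""
    return {p["name"]: classify(p.get("license", ""), policy) for p in parse_spdx(spdx_text)}


if __name__ == "__main__":
    doc = to_spdx(COMPONENTS, "demo-product-1.0", "https://example.invalid/spdx/demo-product-1.0")
    print(doc)
    for name, decision in audit(doc).items():
        print(f"{name}: {decision}")
```

The parser deliberately ignores everything except the three tags the policy check needs, so a supplier document carrying additional SPDX fields still audits cleanly; what matters is that both sides agree on the license identifiers, which is exactly the vocabulary SPDX standardizes.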
Working with Suppliers
Set expectations with suppliers at the beginning of the relationship: share your open source policy; require a bill of materials for all OSS used; require audit/scan results for quality, security and licensing.
You must be able to audit their contributions for code quality, for licenses and for security vulnerabilities. Automated tools are critical for supply-chain, inbound software.
No licenses means no permission
(Chart: share of projects with a declared license. Non-GitHub projects: 93% declared, 7% no declared license. GitHub projects: 23% declared, 77% no declared license.) 42% have embedded licenses.
"These embedded licenses contain specific obligations that govern the use of the overall project. The lack of a declared license for an open source project can cause an enterprise to steer clear of it, limiting the projects that organizations can use. The ability to access embedded license information and obligations up-front during the code selection process opens a sizeable opportunity for enterprises and could have significant impact on their bottom line." - Mark Driver, Vice President and Research Director, Gartner
Strategic Use of Open Source
(Chart comparing average organizations with best-in-class organizations; values shown: 80% and 30%.) Source: IDC 2012
Black Duck / Coverity Integration: Solution Demo
Simplified Architecture: Combining Coverity and Black Duck
(Diagram: Coverity Analysis and Black Duck Analysis both commit results to a unified issue repository in Coverity Connect, which is governed by Policy Manager and surfaced in the IDE, e.g. Eclipse or Visual Studio.)
Remediate Critical Quality Defects, leveraging a robust issue management repository
Prioritize and filter based on impact.
CWE-compatible mapping and knowledge base.
Automatically assign defects to owners.
Identify the exact path to the defect.
Automatically identify every occurrence of a defect across branches.
Example Licensing Issue from Black Duck
Coverity Policy Manager (screenshots)
Development Testing Maturity Model
(Chart: development testing adoption on the horizontal axis, integration into the SDLC on the vertical axis, both increasing toward the top right.)
Level 1: detection of critical quality and security defects as part of the software build process. No new defects introduced.
Level 2: identification of areas of risk caused by insufficient automated testing. Ensure critical code is prioritized and tested.
Level 3: integration into the existing SDLC using a common workflow for all defects and test effectiveness issues.
Level 4: establish and enforce consistent source code quality and security policies. Establish source code acceptance criteria.
Level 5: all legacy defects eliminated; the build fails if new defects are introduced. All critical code and code impacted by change is tested.
Black Duck and Coverity: Build Better Software Faster
Analyze: accurately detect issues that are difficult to find through traditional testing.
Remediate: quickly and efficiently manage issues to resolution.
Govern: enforce a consistent standard for quality, security, licensing and testing.
Questions?
www.blackducksoftware.com
www.coverity.com