How To Improve Your Software


Driving Quality, Security and Compliance in Third-Party Code
Dave Gruber, Director of Product Marketing, Black Duck; Keri Sprinkle, Sr Product Marketing Manager, Coverity; Jon Jarboe, Sr Technical Marketing Manager, Coverity

Software is at the heart of disruptive business models.
Copyright Coverity, Inc. and Black Duck, 2013

The Global State of Open Source. "Software is eating the world" (Marc Andreessen), and open source is driving the software world. Open source projects: 1M projects, 100B LoC, 10M person-years. Source: Black Duck Software

- 81% of business leaders believe that technology is a fundamental element of their business model
- Over 60 million tablets and 175 million smartphones will be in the workplace by the end of 2012
- By 2016, open source software will be included in mission-critical applications within 99% of Global 2000 enterprises

Software today is multi-source: OSS communities, internally developed code, outsourced code development and commercial 3rd-party code all feed into your software application through the enterprise's tools and processes. "Global 2000 organizations increasingly leverage code from a vast array of sources including internally built, open source, outsourced, commercially built, and customized applications." - Melinda Ballou, IDC

3rd-Party Code: the software supply chain. Sources: outsourcing, commercial 3rd-party, OEM, open source. The supply chain is multi-tier: 3rd-tier supplier, 2nd-tier supplier, 1st-tier supplier.

Defect/Issue Types: Code Quality Defects

Defects, Quality and Cost. [Chart: where quality issues are introduced versus where they are found, and the resulting cost, across the coding, unit test, function test, field test and post-release stages; 85% of quality issues are introduced during coding. Source: Capers Jones, Applied Software Measurement: Assuring Productivity and Quality]

But what about the supply chain? Near-finished software arrives at your doorstep, and discovering issues at this point requires a cycle back to one or more suppliers. Those cycles are costly and time-consuming.

- 60 million lines of code written by developers every day
- $60 billion annual U.S. cost due to poor software quality
- 80% of the software development budget spent fixing software defects

Development Testing: Build Better Software Faster
- Analyze: accurately detect issues that are difficult to find through traditional testing
- Remediate: quickly and efficiently manage issues to resolution
- Govern: enforce a consistent standard for quality, security, licensing and testing

Coverity is the leader
Company and technology innovation:
- Founded in 2003 at the Stanford Computer Science Laboratory
- 300 employees across 13 offices and 10 countries worldwide
- 16 patents and 4 pending for platform and analysis algorithms
Customer and market leadership:
- Over 1,100 world-class customers
- Over 5 billion lines of code under management
- #1 in the Software Quality Analysis market (IDC)
- #1 in the Automated Test and Verification market (VDC)
- Transformational company in the testing market (voke)
- Best software development solution

Authoritative source on OSS quality. Coverity Scan: a free cloud-based service for open source; 400 leading open source projects; 45,000 defects fixed by the community. "The bottom line is that Coverity has an excellent product, and if you run or contribute to an open source project written in C/C++ you should be using Coverity Scan. It will likely find bugs that can certainly have security implications in your code." - Michael Rash, Security Researcher

Development Testing: transform software testing from reactive to proactive, so fewer defects escape development. [Chart: the relative cost of a defect rises across design, development, quality assurance and product release & management (5x, 10x, 30x)]

Coverity Development Testing Platform. [Diagram: Analyze, Remediate, Govern. Components shown: Coverity SAVE (Static Analysis Verification Engine), Analysis Packs (Quality Advisor, Security Advisor, Test Advisor), Architecture Analysis, Dynamic Analysis, Analysis Integrations (Code Coverage, Test Execution, Third Party Metrics, Analysis Integration Toolkit), Coverity Connect, Policy Manager, SDLC Integrations (IDE, Build/Continuous Integration, Defect Tracking, SCM, ALM); inputs: proprietary code and open source code]

The industry's first developer-friendly software testing platform
- Integration into the development workflow: IDE, defect tracking, SCM, build/CI, ALM
- Analysis accuracy: proven false positive rate of less than 10% on codebases over 1M lines of code
- Remediation guidance: show the path to the defect and fix guidance in the context of the developer's code (patent-pending security remediation engine)
- Performance and scale: proven scale on codebases up to 100M lines; analysis runs in minutes to hours vs. days to weeks
"Coverity enables developers to produce secure code and gives developers a more positive attitude about addressing security, which ultimately leads to fixing defects." - Gerold Hubner, Chief Product Security Officer at SAP

Automate testing within the inner loop of development. [Diagram of the developer inner loop: the developer writes code, creates unit tests and analyzes the code for interprocedural quality and security defects before committing to centralized source control; the build system finds new defects, which are prioritized and assigned back to the appropriate developer, who fixes them; management sees prioritized critical issues; new tests are required because of change impact]

Build a stage gate across the SDLC. [Diagram: gates between planning, requirements, analysis and design, development, quality assurance and deployment, with criteria such as nothing left uninspected, no new quality or security defects, no critical security or quality defects, all critical code tested, and a security audit]

Gain executive-level visibility into risk across teams, projects and components.

The Golden Rule for Proper Software Supply Chain Management: treat the management of open source software as an integrated, cross-functional business process, not simply as a development process.

Best Practices for Managing Open Source (policy, process, technology)
1. Adopt and enforce an open source and third-party code policy
2. Identify and track all external code that is used
3. Automate validation at the point of acquisition and development
4. Automate monitoring and tracking of open source components
5. Control the use of components and promote standardization
6. Use automation tools to produce complete Bills of Material and reports for supply chain partners

License Management
- License policy: know what licenses apply to what use cases
- Informed choices: help developers have up-front insight into licenses and policy
- Approvals: a streamlined, automated approval process
- Auditing: OSS still sneaks in, so auditing is required throughout the process

Visibility and Monitoring of Security Vulnerabilities
- Are there known security vulnerabilities in components that I want to use?
- Is anyone paying attention to vulnerability reports post-deployment?
- Are version updates available that resolve security vulnerabilities?

Automating the Process. Application development cycle: Plan, Code, Build, Test, Release. Open source governance lifecycle: Acquire, Approve, Catalog, Audit, Monitor. The Black Duck KnowledgeBase supplies deep license data for each component: description, version, vulnerabilities, cryptography, license, maturity.

Starting Point: baselining your codebase
- Bill of materials: open source components, licenses, versions
- Auditing all inbound software from suppliers: BOMs, licenses and obligations
- Cataloging OSS for fast access when issues/defects are reported
- Using SPDX to communicate with your supply chain

Software Package Data Exchange (SPDX). The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included. The specification defines a common file format to communicate this information.
- Working group of FOSSBazaar (the governance best practices group under the Linux Foundation)
- Charter: create data exchange standards to enable license and component information sharing (metadata)
- Participation from software, systems and tool vendors, consultants and foundations

Working with Suppliers. Set expectations with suppliers at the beginning of your relationship:
- Share your open source policy
- Require a Bill of Materials for all OSS used
- Require audit/scan results for quality, security and license
You must be able to audit their contributions for code quality, for licenses and for security vulnerabilities. Automated tools are critical with supply-chain, inbound software.

No licenses means no permission. [Chart: share of open source projects with no declared license vs. a declared license; non-GitHub 7% / 93%, GitHub 77% / 23%.] 42% have embedded licenses. "These embedded licenses contain specific obligations that govern the use of the overall project. The lack of a declared license for an open source project can cause an enterprise to steer clear of it, limiting the projects organizations can use. The ability to access embedded license information and obligations up-front during the code selection process opens a sizeable opportunity for enterprises and could have significant impact on their bottom line." - Mark Driver, Vice President and Research Director, Gartner
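The SPDX bill of materials described above and the "no license means no permission" rule can be automated in one step: parse the tag:value BOM a supplier delivers and check every package's declared license against the organisation's policy. This is an added example, not code from the Black Duck or Coverity products; the SPDX document, the allow/deny lists and the package names are constructed for illustration.

```python
"""Added example, not code from the Black Duck/Coverity deck: parse a minimal
SPDX 2.x tag:value BOM and check each package against a constructed policy."""
import re

# Constructed SPDX tag:value document, as a supplier might deliver it.
SPDX_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT

PackageName: libfoo
PackageVersion: 1.4.2
PackageLicenseDeclared: MIT

PackageName: libbar
PackageVersion: 0.9.0
PackageLicenseDeclared: GPL-3.0-only

PackageName: libbaz
PackageVersion: 2.0.1
PackageLicenseDeclared: NOASSERTION
"""

# Constructed policy: SPDX identifiers allowed or denied for proprietary use.
POLICY = {"allow": {"MIT", "Apache-2.0", "BSD-3-Clause"},
          "deny": {"GPL-3.0-only", "AGPL-3.0-only"}}

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_spdx(text):
    """Return [(name, version, declared license)] per package; a PackageName
    tag opens a new package and later package tags attach to it."""
    packages = []
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # blank lines and comments carry no tag
        tag, value = m.groups()
        if tag == "PackageName":
            packages.append({"name": value, "version": "", "license": "NOASSERTION"})
        elif packages and tag in ("PackageVersion", "PackageLicenseDeclared"):
            packages[-1]["version" if tag == "PackageVersion" else "license"] = value
    return [(p["name"], p["version"], p["license"]) for p in packages]

def verdict(lic, policy):
    """'denied', 'approved' or 'review'; NOASSERTION/NONE or an unlisted
    license needs review, since no declared license means no permission."""
    if lic in policy["deny"]:
        return "denied"
    return "approved" if lic in policy["allow"] else "review"

def check_policy(packages, policy):
    """Map each package name in the BOM to its policy verdict."""
    return {name: verdict(lic, policy) for name, _ver, lic in packages}
```

A real audit would also consult PackageLicenseConcluded (the scanner's finding) alongside the supplier's declared license, since the two can disagree.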

Strategic Use of Open Source. [Chart: average vs. best-in-class use of open source (values shown: 80%, 30%). Source: IDC 2012]

Black Duck / Coverity Integration: solution demo

Simplified Architecture: combining Coverity and Black Duck. [Diagram components: Coverity Analysis, Black Duck Analysis, Commit Results, Unified Database / Issue Repository, Coverity Connect, Policy Manager, IDE (Eclipse, Visual Studio, etc.)]

Remediate Critical Quality Defects by leveraging a robust issue management repository:
- Prioritize and filter based on impact
- CWE-compatible mapping and knowledge base
- Automatically assign defects to owners
- Identify the exact path to the defect
- Automatically identify every occurrence of a defect across branches

Example Licensing Issue from Black Duck

Coverity Policy Manager (screenshots)


Development Testing Maturity Model (integration into the SDLC rises with development testing adoption)
- Level 1: detection of critical quality and security defects as part of the software build process. No new defects introduced.
- Level 2: identification of areas of risk caused by insufficient automated testing. Ensure critical code is prioritized and tested.
- Level 3: integration into the existing SDLC using a common workflow for all defects and test effectiveness issues.
- Level 4: establish and enforce consistent source code quality and security policies. Establish source code acceptance criteria.
- Level 5: all legacy defects eliminated; the build fails if new defects are introduced. All critical code and code impacted by change is tested.

Black Duck and Coverity: Build Better Software Faster
- Analyze: accurately detect issues that are difficult to find through traditional testing
- Remediate: quickly and efficiently manage issues to resolution
- Govern: enforce a consistent standard for quality, security, licensing and testing

Questions? www.blackducksoftware.com www.coverity.com