OSS LOGISTICS: DRIVING INNOVATIVE SOFTWARE FROM DEVELOPER TO CUSTOMER
Alex Bigmore, Senior Architect & Open Source Governance Programme Manager, SITA
Phil Granof, EVP & Chief Marketing Officer, Black Duck Software
2014 Black Duck Software, Inc. All Rights Reserved.

OVERVIEW
- Introduction
- Open Source Market Trends
- SITA Case Study
- The OSS Logistics Framework
- Conclusions

OSS TRENDS

OS CRITICAL ACROSS MANY NEW TECHNOLOGIES (chart values, in slide order)
- Cloud/virtualization: 63%
- Content management: 57%
- Mobile: 53%
- Security: 51%
- Collaboration: 49%
- Network management: 48%
- Social media: 46%
- 3D printing: 27%
- Analytics and business intelligence: 26%
- Drones: 13%
- Gaming: 12%
- ERP: 10%

THE VIRTUOUS CYCLE: Foundation, Participation, Proliferation, Democratization

OPEN SOURCE WINS ON QUALITY: 80% choose based on quality

OPEN SOURCE WINS ON FEATURES: 80% choose based on features; 67% TCO

ACCESS TO TECHNICAL FEATURES: #8 reason for adoption; #4 reason for adoption

CHOOSING BASED ON SECURITY: 72% choose based on security

CHOOSING BASED ON SECURITY? (chart slide)

CORPORATE REACTION (chart slide)

OPEN SOURCE ADOPTION IS RISING: 5% in 2007, 30% in 2012, 2017: XX%???
Sources: Black Duck audit results; IDC Survey of G2000

SITA Case Study: Open Source Compliance
Alex Bigmore, Open Source Governance Programme Manager

First Steps to Compliance
SITA developed an Intellectual Property software asset registry with the objective of better understanding the composition of its software in terms of IP ownership, applicable licensing terms and the code used to generate SITA's revenue streams. Together with developer surveys, this revealed that the software is mixed IP: internally developed, outsource developed, third-party proprietary and Open Source software.
Two questions emerged:
- How much Open Source Software (OSS) was used as part of the code base?
- What were the licensing details of each OSS component?
The need to answer these questions was the first step toward establishing an Open Source Governance (OSG) programme.
Open Source Compliance, Confidential, SITA 2014

Creating the Governance Programme
- IP Asset Registry created
- OSS usage revealed
- Establish stakeholders
- Pilot: how much OSS is really used? Do we need OSS?
- Governance Programme

Governance Objectives
- Ensure compliance with OSS licenses and distribution requirements
- Enable greater use of OSS across the organization to improve software development efficiency and quality

Achieving Governance Objectives
- Strategy, policy, process
- License review
- Communication & training
- Approval
- Discovery & remediation
- Compliance and OSS Enablement

Compliance and OSS Enablement
Approval before use:
- Policy requires teams to request approval before OSS is used, to minimise remediation.
- Black Duck Code Center is used to manage the approval process.
Verification scanning:
- Determines whether there is OSS present that has not been approved.
- Reports on licence compliance.
- Black Duck Protex is used for OSS scanning.
Automation wherever possible:
- Impact the development teams as little as possible.
- Automate responses to approval requests where possible: SITA licence guidance rules are implemented; other cases are addressed manually.
- Enable teams to trigger verification scans; the OSG team is involved as needed.
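The approval-then-verify flow described on this slide, as an added example (not SITA's tooling, and not Black Duck Code Center or Protex): a scan result is checked against the approval register first, and only approved components are run through licence guidance rules; anything the rules do not cover is left for manual review. The inventory, the approval register and the rule table are constructed for illustration, and the licence categories are an assumed policy rather than SITA's.

```python
"""Verification check over a scan result: flag components nobody requested
approval for, then apply licence guidance rules to the approved ones.

Added example, not SITA's or Black Duck's code. The scan result, the
approval register and the rule table are constructed; the per-context
licence verdicts are an assumed policy.
"""
from dataclasses import dataclass

# Constructed licence guidance rules (assumed policy). Keys are SPDX
# identifiers; the context is how the application is shipped.
LICENCE_RULES = {
    "MIT":           {"internal": "allow", "distributed": "allow"},
    "Apache-2.0":    {"internal": "allow", "distributed": "allow"},
    "LGPL-2.1-only": {"internal": "allow", "distributed": "review"},
    "GPL-3.0-only":  {"internal": "allow", "distributed": "deny"},
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    licence: str  # SPDX identifier as reported by the scanner


def decide(component, context, approved, rules=LICENCE_RULES):
    """Return (verdict, reason) for one scanned component.

    Order matters: a component with no approval request on record is
    flagged before its licence is even looked at, because the approval
    step is where the licence review is supposed to happen.
    """
    if (component.name, component.version) not in approved:
        return "unapproved", "no approval request on record"
    policy = rules.get(component.licence)
    if policy is None:
        return "manual", f"licence {component.licence} not covered by guidance rules"
    return policy.get(context, "manual"), f"{component.licence} in {context} context"


def verify(inventory, context, approved, rules=LICENCE_RULES):
    """Run every scanned component through decide() and group the results
    by verdict, so the OSG team only sees the items that need a human."""
    report = {"allow": [], "review": [], "deny": [], "manual": [], "unapproved": []}
    for c in inventory:
        verdict, reason = decide(c, context, approved, rules)
        report[verdict].append((c.name, c.version, reason))
    return report


# Constructed scan result and approval register (not real SITA data).
SCAN_RESULT = [
    Component("log4j-core", "2.17.1", "Apache-2.0"),
    Component("readline", "8.1", "GPL-3.0-only"),
    Component("libjpeg", "9e", "IJG"),
    Component("lodash", "4.17.21", "MIT"),
]
APPROVED = {("log4j-core", "2.17.1"), ("readline", "8.1"), ("libjpeg", "9e")}

if __name__ == "__main__":
    for verdict, items in verify(SCAN_RESULT, "distributed", APPROVED).items():
        for name, version, reason in items:
            print(f"{verdict:<11} {name} {version}: {reason}")
```

The same scan gives different verdicts per context: readline under GPL-3.0-only is fine for an internal tool and denied for a distributed product, while lodash is flagged in both because it was never requested, regardless of its permissive licence.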

Summary
OSG and supporting tools have enabled SITA to:
- Ensure compliance with the licences of OSS used
- Encourage and support greater use of open source in current and future projects
- Notify project teams of vulnerabilities in the OSS used
- Automate to minimise impact: self-service OSS approvals and self-service OSS scanning

Thank you
Alex Bigmore, OSG Programme Manager
Alex.bigmore@sita.aero
www.sita.aero

OSS LOGISTICS

OSS SHOULD BE MANAGED, NOT FEARED
50% of companies will face challenges due to lack of FOSS policy and management (FOSS Survey)

CHALLENGES OF THE ARCHITECT
- I want to know what open source I use.
- I want to know where I use open source.
- I want to eliminate the security risks associated with open source.
- I want more control over the open source my developers use.
- I want help choosing open source.
- I want to decrease the amount of code we need to maintain.
- I want to reuse code.
- I want to participate in the open source ecosystem.

KNOWLEDGE BASE

OUR VALUE
We help companies manage their use of open source code in order to see enormous gains across fundamental competitive dimensions: speed, cost, security, innovation.

THINK LIKE LINUX, ACT LIKE UPS, SMILE LIKE AMAZON

WHAT IS OSS LOGISTICS? Choose, Scan, Approve, Inventory, Secure, Deliver

CHOOSE OSS
Choice begins with data. The Black Duck KnowledgeBase is the world's most comprehensive database of open source project information. Data held per project (from the slide diagram): license, version, vulnerability, maturity, cryptography, description.

CHOOSE OSS
The Black Duck KnowledgeBase is at the heart of OSS Logistics, continually gathering data throughout the open source community:
- Over one million projects
- From 6,000 sites
- For over 2,200 unique software licenses

CHOOSE OSS
The Black Duck Open Hub provides a window into the world of open source:
- Find reports about the composition and activity of project code bases
- Track the changing demographics of the FOSS world
- Follow developers and their contributions
- Search for code with Code Sight

APPROVE OSS
Empower developers with automated approval processes built on the right policies for governing the use of open source:
- Eliminate uncertainty and re-work
- Speed identification of software components
- Mitigate risk without slowing developers down
- Collaborate seamlessly

SCAN OSS
Automatically scan, discover and identify what open source code is used within specific applications:
- Understand code origin
- Identify licenses and support compliance
- Eliminate manual effort
- Increase reliability and visibility

INVENTORY OSS
Create a company-wide intelligent catalog of approved software that grows smarter over time:
- Track where components are used in other applications
- Encourage standardization and re-use

SECURE OSS
Continuous monitoring ensures that future security vulnerabilities associated with a specific component are quickly flagged for resolution:
- Receive daily alerts
- Alter workflows in response to severity
- Quickly locate and remediate
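What "daily alerts, altered by severity" looks like once the inventory records which application uses which component, as an added example that is not Black Duck's monitoring code: each inventory entry is matched against advisories by component name and affected version range, alerts already raised are suppressed so a daily run reports only new matches, and the advisory severity selects the workflow action. The inventory, the advisories (placeholder identifiers ADV-0001 and ADV-0002) and the severity-to-action mapping are constructed assumptions.

```python
"""Daily vulnerability match of an OSS inventory against an advisory feed.

Added example, not Black Duck's product code. Inventory, advisories and
the workflow mapping are constructed; the advisory ids are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v):
    """Turn '2.17.1' into (2, 17, 1) so that ranges compare numerically
    rather than as strings ('1.10.0' must sort after '1.9.0')."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet
    severity: str          # "critical" | "high" | "medium" | "low"

    def affects(self, version):
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Assumed workflow policy: what the alert triggers, by severity.
WORKFLOW = {
    "critical": "block release; page on-call",
    "high": "ticket; fix within the sprint",
    "medium": "ticket; fix at next planned upgrade",
    "low": "record only",
}


def daily_alerts(inventory, feed, already_seen):
    """Return new (advisory_id, app, component, version, action) tuples.

    already_seen is the persistent set of (advisory_id, app, component,
    version) keys alerted on earlier; it is updated in place, so a feed
    that has not changed produces no alert on the next run.
    """
    alerts = []
    for app, name, version in inventory:
        for adv in feed:
            if adv.component != name or not adv.affects(version):
                continue
            key = (adv.id, app, name, version)
            if key in already_seen:
                continue
            already_seen.add(key)
            alerts.append((adv.id, app, name, version, WORKFLOW[adv.severity]))
    return alerts


# Constructed inventory: (application, component, version). The same
# component at two versions in two applications is exactly the case an
# application-level inventory exists to resolve.
INVENTORY = [
    ("checkin-kiosk", "libfoo", "1.4.2"),
    ("baggage-api", "libfoo", "1.5.0"),
    ("baggage-api", "libbar", "0.9.1"),
]
# Constructed advisory feed with placeholder identifiers.
FEED = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.5.0", "critical"),
    Advisory("ADV-0002", "libbar", "0.9.0", None, "medium"),
]

if __name__ == "__main__":
    seen = set()
    for alert in daily_alerts(INVENTORY, FEED, seen):
        print(*alert, sep=" | ")
    print("second run, nothing new:", daily_alerts(INVENTORY, FEED, seen))
```

The version comparison is deliberately naive (dotted integers only); real feeds carry pre-release tags, distro back-ports and per-package version schemes, so a production matcher needs the component's own versioning rules rather than a generic split on dots.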

DELIVER
We provide a license obligation report and an easily consumable bill of materials (BOM) that you can deliver to your customers or internal stakeholders. Incoming code, automated scanning and built-in approval policies, outgoing code.

DELIVER
Automatically discover encryption algorithms within a code base and identify applicable export rules:
- Cryptography export compliance
- Government reporting
- Licensing requirements
- Policy management challenges
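A minimal version of "discover encryption algorithms within a code base", added here as an illustration rather than Black Duck's detector: signature patterns for algorithm and API identifiers are matched line by line, comment-only mentions are skipped, and hash functions are reported separately from encryption so an export review can filter them out. The signature table and the two source files are constructed.

```python
"""Locate cryptographic algorithm usage in source text by signature match.

Added example, not Black Duck's detector. SIGNATURES and FILES are
constructed for illustration; a match is a candidate for review, not a
finished export classification.
"""
import re

# Constructed signature table: (pattern, (algorithm, category)).
SIGNATURES = [
    (re.compile(r"\bAES\b", re.I), ("AES", "symmetric")),
    (re.compile(r"\bChaCha20\b", re.I), ("ChaCha20", "symmetric")),
    (re.compile(r"\bDES\b", re.I), ("DES", "symmetric")),
    (re.compile(r"\bRSA\b", re.I), ("RSA", "asymmetric")),
    (re.compile(r"\bECDH\b|\bX25519\b", re.I), ("ECDH", "asymmetric")),
    (re.compile(r"\bSHA-?256\b", re.I), ("SHA-256", "hash")),
    (re.compile(r"\bMD5\b", re.I), ("MD5", "hash")),
]


def scan_source(text):
    """Return {(algorithm, category): [line numbers]} for one file's text.
    Lines that are only a comment are skipped: a mention is not a use."""
    found = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("//", "#")):
            continue
        for pattern, algo in SIGNATURES:
            if pattern.search(line):
                found.setdefault(algo, []).append(lineno)
    return found


def scan_tree(files):
    """files: {path: source text}. Return {(algorithm, category): {path: lines}},
    a BOM-style view of which files use which algorithm."""
    summary = {}
    for path, text in files.items():
        for algo, lines in scan_source(text).items():
            summary.setdefault(algo, {})[path] = lines
    return summary


def encryption_only(summary):
    """Drop hash-only entries: export regimes are about encryption, and a
    code base that only hashes usually needs no crypto declaration."""
    return {algo: uses for algo, uses in summary.items() if algo[1] != "hash"}


# Constructed source files (not from any real project).
FILES = {
    "src/Crypto.java": (
        'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");\n'
        "// uses RSA for key exchange\n"
        'KeyPairGenerator.getInstance("RSA");\n'
    ),
    "src/hash.py": "import hashlib\nh = hashlib.md5(data)  # MD5 for a cache key\n",
}

if __name__ == "__main__":
    for (algo, category), uses in scan_tree(FILES).items():
        print(f"{algo:<8} {category:<10} {uses}")
```

Word-boundary patterns miss identifiers glued to other text with underscores (an OpenSSL call such as SHA256_Init has no boundary after the digits), so a real signature table also needs prefix patterns per API family; and a hit only says the symbol is present, not that the code path that calls it is reachable in the shipped build.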

CONCLUSIONS
- The open source debate is over. Mostly.
- Complexity and quality are colliding.
- Reaping the benefits requires management.
- Logistics provides the best conceptual model for reaping the benefits of open source.

QUESTIONS? www.blackducksoftware.com