Streamline Open Source Compliance with Package Pre-Approval

Protecode Inc. 2014

April 30th 2014



Agenda

Challenges That OSS Pose

– Many benefits, but challenges as well

Strategies For Managing OSS Adoption

– The OSS adoption maturity curve

– Applying your policy proactively vs. reactively

OSS Package Pre-Approval

– Request Forms

– Workflows

– Integrated Solutions

Walkthrough and Q/A


Presenters:

– Normand Glaude, COO, [email protected]

– Tiberius Forrester, Technical Sales, [email protected]


Why OSS?

Open Source Software

Enables rapid software development

– Easy access to code

– Hundreds of thousands of projects

– Enables new business models

– The original crowd sourcing model (and most successful)

The good:

– Faster, more functional

– Improves interoperability, adoption of standards

The challenge:

– Uncertain ownership structure

• Intellectual property - copyright, license

• Maintenance and support (esp. security vulnerability)

– Perceived uncertain quality

– Requires due diligence – and a managed adoption process



The Goals of Managing OSS

Taking inventory of 3rd party components

Clarification of IP ownership and licensing

Ensuring license models meet business expectations

Minimizing Security Risks

Eligibility to export (encryption)

Compliance with license obligations


OSS Adoption Process (OSSAP) Maturity Model

Stages of maturity:

– Voluntary policy compliance with legal advice

– Manual search and code review

– In-house tools

– Automated scanning with a reference database

– Integrated tool suite within the software development cycle

A clearly defined and well communicated policy is essential in maturing your OSS adoption processes.


How and When to Apply Your Policy


Reactively

– Scan and audit your code base once code is written

– Scanning and auditing triggered at opportune times, manually

– Issues to be fixed typically block release to market

• Security vulnerabilities

• License policy violations

Proactively

– Scan and audit OSS packages before they are integrated

• Choose packages and versions with no/fewer security vulnerabilities

• Ensure adherence to license policy

– Seed your inventory management tool with pre-approved packages

• “Crowd-sourced” from your development community

• Identification of packages automated

– Scan and audit your code base continuously

• More effective when new content is already recognized and approved


Cost of Compliance At Different Stages Of Development

License management is most effective when applied early in the development life cycle.

[Figure: cost of compliance (vertical axis) against development stage (Development | Build/QA | In The Market). Labels: Real-Time Preventative Measures (Software Package Pre-Approval); Periodic Analysis; Build-Time & Pre-Launch Analysis; Post-Launch Correction.]


Typical Pre-Approval Form

Project Information

– Project name, URL, license, author(s), type, exportability, etc.

Package Information

– Package name and version

– Source of package (from where was it procured?)

– Package itself (for scanning)

– Security Vulnerabilities

Usage Model

– Distribution model (binary, source, hosted, internal only, etc.)

– Types of derivatives (Modified? Linked? Loosely coupled?)

– Organization specific information

• Business unit

• Business justification

– Maintenance and support


Package Pre-Approval Workflow


1. Developer submits the package

2. Package is scanned, manually or with automated tools

3. Administrator(s) and expert(s) review the results

4. Package is approved (or rejected)

5. Approved code enters the repository
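The decision step of this workflow, as an added example (not Protecode code): a request record built from the pre-approval form fields above is checked against a constructed license policy and a constructed vulnerability threshold, and either approved, rejected, or routed to the administrator/expert review step. The policy table, the copyleft set and the threshold are assumptions for illustration.

```python
"""Hypothetical pre-approval decision step (added example, not Protecode code)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy. Per license: distribution models that are rejected
# outright, and models that must go to the administrator/expert review step.
LICENSE_POLICY = {
    "MIT":        (set(), set()),
    "Apache-2.0": (set(), set()),
    "LGPL-2.1":   (set(), {"binary"}),              # linking terms need a look
    "GPL-2.0":    ({"binary", "source"}, {"hosted"}),
}
COPYLEFT = {"LGPL-2.1", "GPL-2.0"}   # constructed: distributed modified copies need review
MAX_KNOWN_VULNS = 0                  # constructed: any scan hit goes to an expert

@dataclass
class PreApprovalRequest:
    """Fields taken from the 'Typical Pre-Approval Form' slide."""
    package: str
    version: str
    source: str               # from where was it procured?
    license: str
    distribution: str         # binary, source, hosted or internal
    derivative: str           # unmodified, modified, linked or loose
    known_vulns: int = 0      # filled in by the scan step
    business_unit: str = ""
    justification: str = ""

def decide(req: PreApprovalRequest) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'approved', 'rejected' or 'needs_review'."""
    reasons: list[str] = []
    if not req.justification:
        return "rejected", ["missing business justification"]
    if req.license not in LICENSE_POLICY:
        reasons.append(f"unknown license {req.license!r}")
    else:
        rejected, review = LICENSE_POLICY[req.license]
        if req.distribution in rejected:
            return "rejected", [f"{req.license} not allowed for {req.distribution} distribution"]
        if req.distribution in review:
            reasons.append(f"{req.license} under {req.distribution} distribution")
        # Internal-only use distributes nothing, so modification alone is not flagged.
        if req.license in COPYLEFT and req.derivative == "modified" and req.distribution != "internal":
            reasons.append(f"modified copy of {req.license} code")
    if req.known_vulns > MAX_KNOWN_VULNS:
        reasons.append(f"{req.known_vulns} known vulnerabilities reported by scan")
    return ("needs_review" if reasons else "approved"), reasons
```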


Seed Your Inventory Management Tool with Pre-approved Packages

[Diagram (labels only): Code; Metadata & Signatures; Inventory Labeling & Confirmation; OSS Pre-approval workflow tool; Libraries; Builds; Rejected Content; Approved Content; Pedigree: files, projects, signatures, notes, etc.]


Automate your Workflow

[Diagram: development cycle stages Define Sprint, Write Code, Commit Code, Build Libraries, Release Software, annotated with tooling: Use CA to Pre-approve Code; Use DA to Monitor in Real-time; Use CI tool to Trigger EA Scan, Consume CSV File; Use CI tool to Trigger Artifact Scan; Use ES to Produce Reports.]


Workflow Walkthrough


Q&A

Please type your questions into the chat box to the right


Summary

OSS adoption has increased development pace

– OSS is everywhere, and runs deep

– Organizations are moving away from manual methods or one-time audits toward more proactive measures

Package Pre-Approval

– Is effective in reducing risk and time spent on OSS management

• Fewer security vulnerabilities

• Fewer license policy issues

– Developers make wiser choices in OSS selection from the start

• Fewer issues to fix later on

– It is a cornerstone of an end-to-end open source adoption process


Protecode Corporate Summary

Overview

– Software Attributes Management

– Established in 2006

– World-wide partner network

Products & Services for software adoption

– Products:

• On-premises: Protecode System 4™, Protecode Compact™

• Hosted: Protecode Cloud

– Services:

• Software Audit Services

• Code Portfolio Similarity Assessment Services

Value of Protecode Solutions

– Reduce IP uncertainties, highlight security vulnerabilities and ensure compliance

– Accelerate time to market and reduce development cost


[email protected]

www.protecode.com