Streamline Open Source Compliance with Package Pre-Approval
Transcript of Streamline Open Source Compliance with Package Pre-Approval
Protecode Inc. 2014
Agenda
Challenges That OSS Pose
– Many benefits, but challenges as well
Strategies For Managing OSS Adoption
– The OSS adoption maturity curve
– Applying your policy proactively vs. reactively
OSS Package Pre-Approval
– Request Forms
– Workflows
– Integrated Solutions
Walkthrough and Q/A
Normand Glaude,
COO
Tiberius Forrester,
Technical Sales
Open Source Software
Enables rapid software development
– Easy access to code
– Hundreds of thousands of projects
– Enables new business models
– The original crowd sourcing model (and most successful)
The good:
– Faster, more functional
– Improves interoperability, adoption of standards
The challenge:
– Uncertain ownership structure
• Intellectual property - copyright, license
• Maintenance and support (esp. security vulnerability)
– Perceived uncertain quality
– Requires due diligence – and a managed adoption process
Why OSS?
The Goals of Managing OSS
Taking inventory of 3rd party components
Clarification of IP ownership and licensing
Ensuring license models meet business expectations
Minimizing Security Risks
Eligibility to export (encryption)
Compliance with license obligations
OSS Adoption Process (OSSAP) Maturity Model
– Voluntary policy compliance with legal advice
– Manual search and code review
– In-house tools
– Automated scanning with reference database
– Integrated tool suite within software development cycle
A clearly defined and well communicated policy is essential in
maturing your OSS adoption processes
How and When to Apply Your Policy
Reactively
– Scan and audit your code base once code is written
– Scanning and auditing triggered at opportune times, manually
– Issues to be fixed typically block release to market
• Security vulnerabilities
• License policy violations
Proactively
– Scan and audit OSS packages before they are integrated
• Choose packages and versions with no/fewer security vulnerabilities
• Ensure adherence to license policy
– Seed your inventory management tool with pre-approved
packages
• “Crowd-sourced” from your development community
• Identification of packages automated
– Scan and audit your code base continuously
• More effective when new content is already recognized and approved
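The two proactive points above (seeding the inventory with pre-approved packages whose identification is automated, and continuously scanning the code base so that already recognized and approved content is not re-audited) can be illustrated with file signatures. The following is an added example, not Protecode's code or the webinar's: it fingerprints every file of a pre-approved and of a rejected package with SHA-256, then labels each file of a code base as approved, rejected or unknown. Exact whole-file hashes are a simplification assumed here for illustration; the package names, file contents and directory layout are constructed.

```python
"""Added example, not Protecode's code: recognise pre-approved (or rejected)
package files in a code base by exact SHA-256 file signatures. Real scanners
use richer signatures; exact hashes here are a simplification (assumption)."""
import hashlib
import tempfile
from pathlib import Path


def file_signature(path):
    """SHA-256 of the file contents, read in chunks so large artifacts are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_signatures(package_dir, package_id):
    """Signature table {sha256: package_id} for every file of a reviewed package."""
    return {file_signature(p): package_id
            for p in Path(package_dir).rglob("*") if p.is_file()}


def scan_tree(code_dir, approved_sigs, rejected_sigs):
    """Label every file as approved:<pkg>, rejected:<pkg> or unknown.
    Rejected signatures win over approved ones, so a file shared by both
    packages cannot make a rejected package look approved."""
    report = {}
    root = Path(code_dir)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        sig = file_signature(path)
        if sig in rejected_sigs:
            label = "rejected:" + rejected_sigs[sig]
        elif sig in approved_sigs:
            label = "approved:" + approved_sigs[sig]
        else:
            label = "unknown"
        report[path.relative_to(root).as_posix()] = label
    return report


def demo():
    """Constructed scenario: one approved package, one rejected package, and a
    code base holding copies of both, the team's own code and a locally
    modified copy of an approved file."""
    util_c = b"int add(int a, int b) { return a + b; }\n"
    licence = b"Permission is hereby granted, free of charge...\n"
    old_util_c = b"int add(int a, int b) { return a - b; } /* old, buggy */\n"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        files = {
            "pkg-approved-1.0/util.c": util_c,
            "pkg-approved-1.0/LICENSE": licence,
            "pkg-rejected-0.9/old_util.c": old_util_c,
            "codebase/third_party/util.c": util_c,
            "codebase/third_party/LICENSE": licence,
            "codebase/third_party/old_util.c": old_util_c,
            "codebase/third_party/util_patched.c": util_c + b"/* local change */\n",
            "codebase/src/main.c": b"int main(void) { return add(1, 2); }\n",
        }
        for rel, content in files.items():
            (tmp / rel).parent.mkdir(parents=True, exist_ok=True)
            (tmp / rel).write_bytes(content)
        approved = build_signatures(tmp / "pkg-approved-1.0", "pkg-approved-1.0")
        rejected = build_signatures(tmp / "pkg-rejected-0.9", "pkg-rejected-0.9")
        return scan_tree(tmp / "codebase", approved, rejected)


if __name__ == "__main__":
    for rel, label in sorted(demo().items()):
        print(f"{label:30} {rel}")
```

Running the demo labels the unmodified copies of the approved package as approved, the copy of the rejected package as rejected, and both the team's own source and the locally patched file as unknown. That last result is the practical caveat: an exact-signature inventory only recognises packages that are imported unmodified, so a vendored file that developers edit falls back into the "needs review" bucket and should be re-submitted through the pre-approval workflow.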
Cost of Compliance At Different Stages Of Development
License Management is most effective when applied early in the development life cycle
[Figure: cost of compliance rising across three stages. Development: real-time preventative measures (software package pre-approval). Build/QA: periodic analysis, build-time & pre-launch analysis. In the market: post-launch correction. Vertical axis: cost.]
Typical Pre-Approval Form
Project Information
– Project name, URL, license, author(s), type, exportability, etc.
Package Information
– Package name and version
– Source of package (from where was it procured?)
– Package itself (for scanning)
– Security Vulnerabilities
Usage Model
– Distribution model (binary, source, hosted, internal only, etc.)
– Types of derivatives (Modified? Linked? Loosely coupled?)
– Organization specific information
• Business unit
• Business justification
– Maintenance and support
Package Pre-Approval Workflow
– Developer submits package
– Package is scanned manually or with automated tools
– Administrator(s) and expert(s) review the results
– Package is approved (or rejected)
– Approved code enters repository
Seed Your Inventory Management Tool with Pre-approved Packages
[Diagram: 1. Code from libraries and builds, together with its metadata & signatures, passes through the OSS pre-approval workflow tool; approved content (pedigree: files, projects, signatures, notes, etc.) is added to the inventory, while rejected content is kept out. 2. Inventory labeling & confirmation.]
Automate your Workflow
Define Sprint | Write Code | Commit Code | Build Libraries | Release Software
– Use CA to pre-approve code
– Use DA to monitor in real time
– Use CI tool to trigger EA scan, consume CSV file
– Use CI tool to trigger artifact scan
– Use ES to produce reports
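The automation step of having the CI tool trigger a scan and consume a CSV file, together with the earlier pre-approval form (package name and version, license, distribution model) and the seeded inventory of pre-approved packages, can be tied together in a small CI gate. The following is an added example, not Protecode's code: it reads a CSV export of the pre-approval inventory, parses the project's pinned dependency manifest, and fails the build when a dependency was never submitted, was rejected, or carries a license the organization's policy does not permit for the chosen distribution model. The CSV column names, the manifest syntax, the license policy and all package entries are constructed assumptions for illustration.

```python
"""Added example, not Protecode's code: a CI gate that checks a project's pinned
dependency manifest against a pre-approved package inventory exported as CSV.
The CSV columns, the manifest syntax and the license policy are assumptions."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export of the pre-approval inventory. Column names are an
# assumption; a real tool exports its own schema. status is approved/rejected.
INVENTORY_CSV = """\
package,version,spdx,source,status,known_vulns
zlib,1.2.8,Zlib,http://zlib.net,approved,0
jquery,1.11.1,MIT,https://jquery.com,approved,0
jquery,1.6.0,MIT,https://jquery.com,rejected,2
readline,6.3,GPL-3.0-only,https://www.gnu.org/software/readline,approved,0
"""

# Assumed license policy keyed by the distribution model from the request form's
# usage-model section. None means any license is acceptable (internal-only use).
LICENSE_POLICY = {
    "binary": {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib"},
    "source": {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "GPL-3.0-only"},
    "internal": None,
}

# Constructed manifest for the project under test (requirements-style pins).
MANIFEST = [
    "zlib==1.2.8",
    "jquery==1.6.0    # older version, rejected during pre-approval",
    "readline==6.3",
    "libpng==1.6.10   # never submitted for pre-approval",
]


@dataclass(frozen=True)
class Entry:
    package: str
    version: str
    spdx: str
    status: str
    known_vulns: int


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str
    blocking: bool


def load_inventory(csv_text):
    """Index the CSV export by (package, version)."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = Entry(row["package"].lower(), row["version"], row["spdx"],
                      row["status"], int(row["known_vulns"]))
        inventory[(entry.package, entry.version)] = entry
    return inventory


def parse_manifest(lines):
    """Parse 'name==version' pins; '#' comments are ignored, unpinned lines rejected."""
    deps = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"pinned version required: {line!r}")
        deps.append((name.strip().lower(), version.strip()))
    return deps


def check_dependencies(deps, inventory, distribution):
    """One Finding per policy problem; unknown, rejected or disallowed packages block."""
    allowed = LICENSE_POLICY[distribution]
    findings = []
    for name, version in deps:
        entry = inventory.get((name, version))
        if entry is None:
            findings.append(Finding(name, version,
                            "not in pre-approved inventory; submit a pre-approval request", True))
            continue
        if entry.status != "approved":
            findings.append(Finding(name, version, f"pre-approval status is {entry.status}", True))
        if allowed is not None and entry.spdx not in allowed:
            findings.append(Finding(name, version,
                            f"license {entry.spdx} not permitted for {distribution} distribution", True))
        if entry.known_vulns > 0:
            # Vulnerabilities recorded at review time are surfaced as a warning only.
            findings.append(Finding(name, version,
                            f"{entry.known_vulns} known vulnerabilities recorded at approval time", False))
    return findings


def ci_gate(manifest_lines, inventory_csv, distribution):
    """Return (passed, findings); passed is False when any blocking finding exists."""
    findings = check_dependencies(parse_manifest(manifest_lines),
                                  load_inventory(inventory_csv), distribution)
    return (not any(f.blocking for f in findings), findings)


if __name__ == "__main__":
    passed, findings = ci_gate(MANIFEST, INVENTORY_CSV, "binary")
    for f in findings:
        print("BLOCK" if f.blocking else "WARN ", f"{f.package}=={f.version}: {f.reason}")
    raise SystemExit(0 if passed else 1)
```

With the constructed data and a binary distribution model the gate blocks on three dependencies (jquery rejected, readline's GPL license outside the binary policy, libpng never submitted) and warns about the vulnerabilities recorded for the rejected jquery version; switching the distribution model to internal-only clears the readline finding but still fails the build. The gate deliberately matches on exact package and version, which is what makes a pre-approval inventory cheap to enforce: a new version is a new request, not an implicit re-use of an old approval.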
Q&A
Please type your questions into the chat box to the right
Summary
OSS adoption has increased development pace
– OSS is everywhere, and runs deep
– Organizations are moving away from manual methods or one-time audits toward more proactive measures
Package Pre-Approval
– Is effective in reducing risk and time spent on OSS management
• Fewer security vulnerabilities
• Fewer license policy issues
– Developers make wiser choices in OSS selection from the start
• Fewer issues to fix later on
– It is a cornerstone of an end-to-end open source adoption process
Protecode Corporate Summary
Overview
– Software Attributes Management
– Established in 2006
– World-wide partner network
Products & Services for software adoption
– Products:
• On-premises: Protecode System 4™, Protecode Compact™
• Hosted: Protecode Cloud
– Services:
• Software Audit Services
• Code Portfolio Similarity Assessments Services
Value of Protecode Solutions
– Reduce IP uncertainties, highlight security vulnerabilities and ensure compliance
– Accelerate time to market and reduce development cost