SlideShare uma empresa Scribd logo

Webinar–You've Got Your Open Source Audit Report–Now What?

Synopsys Software Integrity Group
Synopsys Software Integrity Group

Companies’ use of open source software has surpassed the occasional and solidified itself as the mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether a company is acquiring another company, preparing for acquisition or simply wanting to manage their use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report? For more information, please visit our website at https://www.synopsys.com/open-source-audit

Mídias sociais
1 de 32
Baixar para ler offline
© 2019 Synopsys, Inc.1 You’ve Got Your Open Source Audit Report—Now What? Best Practices for Companies of All Sizes Tony Decicco, GTC Law Group & Affiliates Leon Schwartz, GTC Law Group & Affiliates
© 2019 Synopsys, Inc. 2 Speakers Leon Schwartz Associate, GTC Law Group & Affiliates Tony Decicco Shareholder, GTC Law Group & Affiliates
© 2019 Synopsys, Inc. 3 Agenda 1. Brief overview of review process 2. How do you select and prepare the code base? 3. How do you get the most out of your Black Duck code scan? 4. How do you implement a third party software policy? 5. How do you contribute to the open source community? 6. Q&A
© 2019 Synopsys, Inc. 4 Brief overview of the review process
© 2019 Synopsys, Inc. 5 Typical review process OVERALL GOAL: Identify, quantify, mitigate, and allocate risks related to third party software Bill of materials Notice and attribution files Reps and schedules OUTPUTS Identify Plan / Remediate Select code base Define goals INPUTS
© 2019 Synopsys, Inc. 6 Typical review process: The phases • Identify – Open source and commercial software – Embedded in or used to develop your products – Developer-identified and via code scan • Analyze – Review usage / compatibility analysis – Assess compliance and business impact – Consider: – Internal use, distribution, hosting, modification, linking, use as a code generator • Remediate – Create a remediation plan – Code remediation – Legal remediation – Notice and attribution files – Transactions: allocate risk through contract terms
© 2019 Synopsys, Inc. 7 Typical review process: Not as easy as you think
© 2019 Synopsys, Inc. 8 How do you select and prepare the code base?
© 2019 Synopsys, Inc. 9 Preparing for a code scan Initial steps for companies of all sizes: • Select a code base to scan – Importance – Size – Likely variety of components – Number of developers • Smaller companies focus items: – Biggest “bang” for the buck – Code base with most shared code – Likeliest to get done – Code base with less busy / nicest developers – Smaller code base – Code bases with fewer release cycles – Most important code base – Which code base are acquirers / investors likely to worry about most? – Which code bases are customers asking about? • Larger companies focus items: – Code base with most exposure – Management interest – Widest distribution / most customers – Highest revenue – Highest risk – Most established product, with fewest anticipated changes – Newest product – Next generation of existing product • Prepare code base for scan – Remove known-unused components – Exclude known third party components?
© 2019 Synopsys, Inc. 10 How do you get the most out of your Black Duck code scan?
© 2019 Synopsys, Inc. 11 Prioritize, prioritize, prioritize • Most of the time, it is difficult to review everything • The review process can be time consuming, labor intensive, and difficult • Very important to focus on likely riskiest areas first • Goal should be to run out of time / energy on the least risky items Never Later Tomorrow Today NOW
© 2019 Synopsys, Inc. 12 Strategies for prioritization • Identify / eliminate false positives – Components no longer in use / obsolete – Misidentified components / other explanation • License categories – Unknown license – Less commercially friendly licenses – Patent non-enforcement – Public domain
© 2019 Synopsys, Inc. 13 Strategies for prioritization • Components with dual-license models – Limited use or commercial license – amCharts – Restrictive open source license or commercial license – iText PDF – Qt for Application Development – RabbitMQ – CKEditor – JasperReports – Sencha Ext JS – TinyMCE – Noncommercial use or commercial license – Qt for Device Creation – Highcharts – MySQL
© 2019 Synopsys, Inc. 14 Strategies for prioritization • Components with known enforcement or other potential issues – “Familiar names” – Continuent vs. Tekelec – XimpleWare vs. Versata – CoKinetic vs. Panasonic – Artifex vs. Hancom – Patrick McHardy (Netfilter and other projects) – Dual-licensed components – Increasing efforts to coerce commercial licenses • Components that follow recent trends – License changes for Confluent, MongoDB, Redis Labs, Cockroach DB, and others – Attempt to limit use “as a service” – Might be broader than intended
© 2019 Synopsys, Inc. 15 Additional “cheat codes” for prioritization • Companies of all sizes: – Well-run/long-standing projects – Projects that have completed review – Projects with subscription agreements STARTB AB A • Smaller companies focus items: – All the items to the left – License collection for “generic” licenses – Strategic usage information collection – Lower-risk usage scenarios – Lower-risk licenses • Larger companies focus items: – Review of “fourth party” components – Easy-to-remediate components – Industry practice / well-known components – Linux – Hibernate – Commercial components – How familiar is the list? – “Microsoft Content”
© 2019 Synopsys, Inc. 16 Security vulnerabilities • Rank vulnerabilities by order of: –Severity of risk –Complexity of exploiting the risk –Complexity of fixing the risk • Create a process for evaluating security fixes and applying them • The process does not have to be perfect (none are), but it should be reasonable –Following NIST guidelines –GDPR Article 32 –“Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including … (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
© 2019 Synopsys, Inc. 17 Web services • External services used by your applications – Usually through an API – Can be “free” – Can be hard to identify/quantify • Prioritization – Examine how used – Separate API agreement? – Not common; usually morass of terms (ToU, EULA, privacy policy, data policy) – Importance of external service to product – Who is the licensor? – Competitors, “frenemies” • How to review – Review is same as code: confirm you have rights and using within scope
© 2019 Synopsys, Inc. 18 Overall calibration Many of the details are in the eye of the beholder Important to keep in mind: • Your goals • Context of the review
© 2019 Synopsys, Inc. 19 How do you implement a third party software policy?
© 2019 Synopsys, Inc. 20 Third party software policy • What is it? – High-level guidelines for use of third party software – Processes for review of third party software – Consider privilege • How is it created? – Best when collaborative effort, not edict from mountaintop – Identify stakeholders and highly-opinionated influencers (key people) – Draft policy and solicit input – Listen to the stakeholders’ feedback • When should it be written? – Ideally after initial review, when you know your risk tolerance – As soon as possible, so less remediation will be required in the future • What does it cover? – Broad, but not so broad as to capture software present on fax machines • What makes a good one? – Brevity; avoid overly complicated policies and covering every “corner case” – Balancing act between strict compliance and practicality – Ironclad policies that don’t work in the real world won’t be followed – Living document
© 2019 Synopsys, Inc. 21 Third party software policy considerations • Smaller companies focus items: – More informal policy and review process – Train developers to use easier-to-approve components – Mandate use of package managers? – Update policy as new licenses are encountered • Larger companies focus items: – Diverse approval committee – Automatic approval / rejection? – Record-keeping – Available tracking tools – Black Duck Hub – Code Center – Auditing mechanism – Periodic code scans
© 2019 Synopsys, Inc. 22 Third party software policy substance • How is guidance on preferred licenses provided? – Broad-terms guidance in the policy itself – More detailed guidance, including “corner cases” through training • How will the policy be enforced? – Integrate review/enforcement tools with tools already in use – Consider having employees sign the policy – Perform future code scans – Perform spot checks – KGB-style encouragement of tattling on your neighbor • Final thoughts – Make sure policy matches practice – Do not treat policy as set in stone
© 2019 Synopsys, Inc. 23 Shifting “left” and automation • Shifting “left” – Move assessment and compliance process earlier in the development process – Provide feedback earlier – Make corrections before they become costly – Changes culture of development team • How? – Integrations – Black Duck software composition analysis • Automation – Allows to auto-approve and auto-reject certain components – Use automated policy engines and rules – 80/20 rule: 80+ percent of components can be approved or denied based on bright-line rules – Permissive licenses can be approved for virtually any use, but beware the “hidden patent license” – Tempting to reject certain licenses, but almost every license can be approved under certain conditions (except maybe CCA-NonCommercial licenses)
© 2019 Synopsys, Inc. 24 Third party software policy mechanics • Who initiates review? – Developer – Tech lead – Automatic (via integrated tool) • Who is on the review committee? – Representatives from all areas of company – Legal, Business, Development, SecOps • Who reviews first? – Obtain technical “pre-review?” • How to kick off review? – Use the tools the developers already use – Jira, Slack, Black Duck, email – Use easy-to-follow forms for initial information • Where are records kept? – Use the tools the developers already use – Make sure to provide access of prior decisions to developers to avoid duplicate requests
© 2019 Synopsys, Inc. 25 Third party software approval sample flowchart START
© 2019 Synopsys, Inc. 26 How do you contribute to the open source community?
© 2019 Synopsys, Inc. 27 Contributing to the open source community • Define goals for contributing to existing projects – Publicity (reputation, goodwill, visibility) – “Good citizen” – believe in giving back to the community – Make it easier to maintain your code (contribute back patches / bug fixes) • Define goals for running your own projects – Recruiting tool – Develop relationships with open source developers – Attract talent – Crowdsource development – Non-core ideas implemented for “free” – Reduce development costs and time – Drive adoption of platform/ecosystem – Create a new line of business (support, apps/plug-ins) • Recognize risks – Competitors / competitive issues – Loss of control over contributed code (forking) – Contributor license agreements (CLAs) – Material changes – Unintended patent licenses – Overshare (accidental/malicious contribution of trade secrets) – Cost and resources to support open source contributions – Contributing to “ghost towns” (orphaned projects)
© 2019 Synopsys, Inc. 28 Contributor license agreement (CLA) • Typically based on the Apache Software Foundation form agreements – Two forms: individual and corporate • Usually slightly modified, but sometimes materially • Really broad license grants – Copyright – Covers the contribution and derivative works, sublicensable, perpetual – Granted to anyone who receives software from the Foundation that includes the contribution (not just the Work to which it was submitted) – Patent – Covers the contribution and the combination of the contribution and the Work to which it was submitted, irrevocable – No temporal restriction – Does contain defensive termination clause • Contributor has no control over direction of project
© 2019 Synopsys, Inc. 29 Contributing to open source projects considerations • Considerations for companies of all sizes: – Beware the corporate CLA – Individual submissions versus corporate submissions – Beware the rogue CLA – Not all CLAs are created equal – License vs. transfer of ownership – Know your competitors – Decide whether to contribute to their projects – Impact of GDPR • Smaller companies focus items: – Protect the “crown jewels” – Think about future investors / acquirers and what they would want – Beware of project scope creep – Keep in mind potential future markets – Revise policies to match company’s growth • Larger companies focus items: – Review all code prior to submission – Policy should match employment agreements – Even code written outside business hours / not using Company resources? – Consider sponsorship without code submission
© 2019 Synopsys, Inc. 30 Some takeaways • It’s not as hard as it looks, but need to start somewhere • Performing a code scan is an easy way to get started and allows a baseline – Always finds previously unknown components • It’s hard to undo the impact of poor practices • You don’t have to do everything we discussed • Start small, scale up as needed – Get initial list of third party components, licenses, usage
© 2019 Synopsys, Inc. 31 Q&A
Thank You This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising

Recomendados

Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
Synopsys Software Integrity Group
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
Synopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 

Recomendados

Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
Synopsys Software Integrity Group
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
Synopsys Software Integrity Group
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
Synopsys Software Integrity Group
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Synopsys Software Integrity Group
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
Synopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Synopsys Software Integrity Group
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Synopsys Software Integrity Group
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Synopsys Software Integrity Group
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Software Integrity Group
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
Synopsys Software Integrity Group
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
DevOps.com
 
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
Black Duck by Synopsys
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck by Synopsys
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
lior mazor
 
Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...
Synopsys Software Integrity Group
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
Source Code Control Limited
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Black Duck by Synopsys
 

Mais conteúdo relacionado

Mais procurados

Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
DevOps.com
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Black Duck by Synopsys
 

Mais procurados (19)

Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
 
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
Synopsys Security Event Israel Presentation: Keynote: Securing Your Software,...
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
Preventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from CodePreventing Code Leaks & Other Critical Security Risks from Code
Preventing Code Leaks & Other Critical Security Risks from Code
 
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar...
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
Open Source Insight: Black Duck Now Part of Synopsys, Tackling Container Secu...
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 

Semelhante a Webinar–You've Got Your Open Source Audit Report–Now What?

FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
Black Duck by Synopsys
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Source Code Control Limited
 

Semelhante a Webinar–You've Got Your Open Source Audit Report–Now What? (20)

Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...Flight East 2018 Presentation–You've got your open source audit report, now w...
Flight East 2018 Presentation–You've got your open source audit report, now w...
 
Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations? Open Source Software: What Are Your Obligations?
Open Source Software: What Are Your Obligations?
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
 
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
#OSSPARIS19 - Understanding Open Source Governance - Gilles Gravier, Wipro Li...
 
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care CompanyJourney to Establish an Open Source Policy in a Fortune 20 Health Care Company
Journey to Establish an Open Source Policy in a Fortune 20 Health Care Company
 
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
Martin von Willebrand - Collaborative Open Source Compliance - Mindtrek 2016
 
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your DealFLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal
 
Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit? Software Audit Strategies - How often is good enough for a software audit?
Software Audit Strategies - How often is good enough for a software audit?
 
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
 
Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough?
 
Breaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational PullBreaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational Pull
 
Software License Audit Preparation
Software License Audit PreparationSoftware License Audit Preparation
Software License Audit Preparation
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
 
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the RiskLeveraging Open Source Opportunity in the Public Sector Without the Risk
Leveraging Open Source Opportunity in the Public Sector Without the Risk
 
Software Asset Management I Best Practices I NuggetHub
Software Asset Management I Best Practices I NuggetHubSoftware Asset Management I Best Practices I NuggetHub
Software Asset Management I Best Practices I NuggetHub
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Chapter 07
Chapter 07Chapter 07
Chapter 07
 
Why Choose the Nalpeiron Licensing Service vs. Building Your Own
Why Choose the Nalpeiron Licensing Service vs. Building Your OwnWhy Choose the Nalpeiron Licensing Service vs. Building Your Own
Why Choose the Nalpeiron Licensing Service vs. Building Your Own
 
Four Steps to Creating an Effective Open Source Policy
Four Steps to Creating an Effective Open Source PolicyFour Steps to Creating an Effective Open Source Policy
Four Steps to Creating an Effective Open Source Policy
 

Mais de Synopsys Software Integrity Group

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
Synopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Synopsys Software Integrity Group
 

Mais de Synopsys Software Integrity Group (11)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 
Webinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec ResourceWebinar - Developers Are Your Greatest AppSec Resource
Webinar - Developers Are Your Greatest AppSec Resource
 
Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative Webinar – Using Metrics to Drive Your Software Security Initiative
Webinar – Using Metrics to Drive Your Software Security Initiative
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Infographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPRInfographic–A Look Back at the First Year of GDPR
Infographic–A Look Back at the First Year of GDPR
 
Webinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis ReportWebinar–2019 Open Source Risk Analysis Report
Webinar–2019 Open Source Risk Analysis Report
 
Webinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the NumbersWebinar–Open Source Risk in M&A by the Numbers
Webinar–Open Source Risk in M&A by the Numbers
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 

Último

Capstone slidedeck for my capstone project part 2.pdf
Capstone slidedeck for my capstone project part 2.pdfCapstone slidedeck for my capstone project part 2.pdf
Capstone slidedeck for my capstone project part 2.pdf
eliklein8
 
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
Cara Menggugurkan Kandungan 087776558899
 
Sociocosmos empowers you to go trendy on social media with a few clicks..pdf
Sociocosmos empowers you to go trendy on social media with a few clicks..pdfSociocosmos empowers you to go trendy on social media with a few clicks..pdf
Sociocosmos empowers you to go trendy on social media with a few clicks..pdf
SocioCosmos
 
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
Klinik kandungan
 
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On DeliveryBest Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
ritikaroy0888
 
Capstone slidedeck for my capstone final edition.pdf
Capstone slidedeck for my capstone final edition.pdfCapstone slidedeck for my capstone final edition.pdf
Capstone slidedeck for my capstone final edition.pdf
eliklein8
 
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
Heena Escort Service
 

Último (20)

Content strategy : Content empire and cash in
Content strategy : Content empire and cash inContent strategy : Content empire and cash in
Content strategy : Content empire and cash in
 
Capstone slidedeck for my capstone project part 2.pdf
Capstone slidedeck for my capstone project part 2.pdfCapstone slidedeck for my capstone project part 2.pdf
Capstone slidedeck for my capstone project part 2.pdf
 
BVG BEACH CLEANING PROJECTS- ORISSA , ANDAMAN, PORT BLAIR
BVG BEACH CLEANING PROJECTS- ORISSA , ANDAMAN, PORT BLAIRBVG BEACH CLEANING PROJECTS- ORISSA , ANDAMAN, PORT BLAIR
BVG BEACH CLEANING PROJECTS- ORISSA , ANDAMAN, PORT BLAIR
 
Capstone slide deck on the TikTok revolution
Capstone slide deck on the TikTok revolutionCapstone slide deck on the TikTok revolution
Capstone slide deck on the TikTok revolution
 
Sawai Madhopur Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sawai Madhopur Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsSawai Madhopur Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sawai Madhopur Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
💊💊 OBAT PENGGUGUR KANDUNGAN SEMARANG 087776-558899 ABORSI KLINIK SEMARANG
 
Madikeri Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Madikeri Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsMadikeri Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Madikeri Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Sociocosmos empowers you to go trendy on social media with a few clicks..pdf
Sociocosmos empowers you to go trendy on social media with a few clicks..pdfSociocosmos empowers you to go trendy on social media with a few clicks..pdf
Sociocosmos empowers you to go trendy on social media with a few clicks..pdf
 
Sri Ganganagar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sri Ganganagar Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsSri Ganganagar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sri Ganganagar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Sikar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sikar Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsSikar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Sikar Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
Jual obat aborsi Asli Taiwan ( 085657271886 ) Cytote pil telat bulan penggugu...
 
Kodaikanal Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Kodaikanal Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsKodaikanal Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Kodaikanal Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Mayiladuthurai Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mayiladuthurai Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsMayiladuthurai Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mayiladuthurai Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On DeliveryBest Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
Best Call Girls In Calangute Beach North Goa👌9971646499👌Cash On Delivery
 
Jhunjhunu Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Jhunjhunu Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsJhunjhunu Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Jhunjhunu Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Rameswaram Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Rameswaram Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsRameswaram Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Rameswaram Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Coorg Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Coorg Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsCoorg Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Coorg Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
Capstone slidedeck for my capstone final edition.pdf
Capstone slidedeck for my capstone final edition.pdfCapstone slidedeck for my capstone final edition.pdf
Capstone slidedeck for my capstone final edition.pdf
 
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
Meet Incall & Out Escort Service in D -9634446618 | #escort Service in GTB Na...
 
Buku Prediksi Togel Sydney Malam ini 4d 100 perak MAGNUMTOGEL
Buku Prediksi Togel Sydney Malam ini 4d 100 perak MAGNUMTOGELBuku Prediksi Togel Sydney Malam ini 4d 100 perak MAGNUMTOGEL
Buku Prediksi Togel Sydney Malam ini 4d 100 perak MAGNUMTOGEL
 

Webinar–You've Got Your Open Source Audit Report–Now What?

  • 1. © 2019 Synopsys, Inc.1 You’ve Got Your Open Source Audit Report—Now What? Best Practices for Companies of All Sizes Tony Decicco, GTC Law Group & Affiliates Leon Schwartz, GTC Law Group & Affiliates
  • 2. © 2019 Synopsys, Inc. 2 Speakers Leon Schwartz Associate, GTC Law Group & Affiliates Tony Decicco Shareholder, GTC Law Group & Affiliates
  • 3. © 2019 Synopsys, Inc. 3 Agenda 1. Brief overview of review process 2. How do you select and prepare the code base? 3. How do you get the most out of your Black Duck code scan? 4. How do you implement a third party software policy? 5. How do you contribute to the open source community? 6. Q&A
  • 4. © 2019 Synopsys, Inc. 4 Brief overview of the review process
  • 5. © 2019 Synopsys, Inc. 5 Typical review process OVERALL GOAL: Identify, quantify, mitigate, and allocate risks related to third party software Bill of materials Notice and attribution files Reps and schedules OUTPUTS Identify Plan / Remediate Select code base Define goals INPUTS
  • 6. © 2019 Synopsys, Inc. 6 Typical review process: The phases • Identify – Open source and commercial software – Embedded in or used to develop your products – Developer-identified and via code scan • Analyze – Review usage / compatibility analysis – Assess compliance and business impact – Consider: – Internal use, distribution, hosting, modification, linking, use as a code generator • Remediate – Create a remediation plan – Code remediation – Legal remediation – Notice and attribution files – Transactions: allocate risk through contract terms
  • 7. © 2019 Synopsys, Inc. 7 Typical review process: Not as easy as you think
  • 8. © 2019 Synopsys, Inc. 8 How do you select and prepare the code base?
  • 9. © 2019 Synopsys, Inc. 9 Preparing for a code scan Initial steps for companies of all sizes: • Select a code base to scan – Importance – Size – Likely variety of components – Number of developers • Smaller companies focus items: – Biggest “bang” for the buck – Code base with most shared code – Likeliest to get done – Code base with less busy / nicest developers – Smaller code base – Code bases with fewer release cycles – Most important code base – Which code base are acquirers / investors likely to worry about most? – Which code bases are customers asking about? • Larger companies focus items: – Code base with most exposure – Management interest – Widest distribution / most customers – Highest revenue – Highest risk – Most established product, with fewest anticipated changes – Newest product – Next generation of existing product • Prepare code base for scan – Remove known-unused components – Exclude known third party components?
  • 10. © 2019 Synopsys, Inc. 10 How do you get the most out of your Black Duck code scan?
  • 11. © 2019 Synopsys, Inc. 11 Prioritize, prioritize, prioritize • Most of the time, it is difficult to review everything • The review process can be time consuming, labor intensive, and difficult • Very important to focus on likely riskiest areas first • Goal should be to run out of time / energy on the least risky items Never Later Tomorrow Today NOW
  • 12. © 2019 Synopsys, Inc. 12 Strategies for prioritization • Identify / eliminate false positives – Components no longer in use / obsolete – Misidentified components / other explanation • License categories – Unknown license – Less commercially friendly licenses – Patent non-enforcement – Public domain
  • 13. © 2019 Synopsys, Inc. 13 Strategies for prioritization • Components with dual-license models – Limited use or commercial license – amCharts – Restrictive open source license or commercial license – iText PDF – Qt for Application Development – RabbitMQ – CKEditor – JasperReports – Sencha Ext JS – TinyMCE – Noncommercial use or commercial license – Qt for Device Creation – Highcharts – MySQL
  • 14. © 2019 Synopsys, Inc. 14 Strategies for prioritization • Components with known enforcement or other potential issues – “Familiar names” – Continuent vs. Tekelec – XimpleWare vs. Versata – CoKinetic vs. Panasonic – Artifex vs. Hancom – Patrick McHardy (Netfilter and other projects) – Dual-licensed components – Increasing efforts to coerce commercial licenses • Components that follow recent trends – License changes for Confluent, MongoDB, Redis Labs, Cockroach DB, and others – Attempt to limit use “as a service” – Might be broader than intended
  • 15. © 2019 Synopsys, Inc. 15 Additional “cheat codes” for prioritization • Companies of all sizes: – Well-run/long-standing projects – Projects that have completed review – Projects with subscription agreements STARTB AB A • Smaller companies focus items: – All the items to the left – License collection for “generic” licenses – Strategic usage information collection – Lower-risk usage scenarios – Lower-risk licenses • Larger companies focus items: – Review of “fourth party” components – Easy-to-remediate components – Industry practice / well-known components – Linux – Hibernate – Commercial components – How familiar is the list? – “Microsoft Content”
  • 16. © 2019 Synopsys, Inc. 16 Security vulnerabilities • Rank vulnerabilities by order of: –Severity of risk –Complexity of exploiting the risk –Complexity of fixing the risk • Create a process for evaluating security fixes and applying them • The process does not have to be perfect (none are), but it should be reasonable –Following NIST guidelines –GDPR Article 32 –“Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including … (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
  • 17. © 2019 Synopsys, Inc. 17 Web services • External services used by your applications – Usually through an API – Can be “free” – Can be hard to identify/quantify • Prioritization – Examine how used – Separate API agreement? – Not common; usually morass of terms (ToU, EULA, privacy policy, data policy) – Importance of external service to product – Who is the licensor? – Competitors, “frenemies” • How to review – Review is same as code: confirm you have rights and using within scope
  • 18. © 2019 Synopsys, Inc. 18 Overall calibration Many of the details are in the eye of the beholder Important to keep in mind: • Your goals • Context of the review
  • 19. © 2019 Synopsys, Inc. 19 How do you implement a third party software policy?
  • 20. © 2019 Synopsys, Inc. 20 Third party software policy • What is it? – High-level guidelines for use of third party software – Processes for review of third party software – Consider privilege • How is it created? – Best when collaborative effort, not edict from mountaintop – Identify stakeholders and highly-opinionated influencers (key people) – Draft policy and solicit input – Listen to the stakeholders’ feedback • When should it be written? – Ideally after initial review, when you know your risk tolerance – As soon as possible, so less remediation will be required in the future • What does it cover? – Broad, but not so broad as to capture software present on fax machines • What makes a good one? – Brevity; avoid overly complicated policies and covering every “corner case” – Balancing act between strict compliance and practicality – Ironclad policies that don’t work in the real world won’t be followed – Living document
  • 21. © 2019 Synopsys, Inc. 21 Third party software policy considerations • Smaller companies focus items: – More informal policy and review process – Train developers to use easier-to-approve components – Mandate use of package managers? – Update policy as new licenses are encountered • Larger companies focus items: – Diverse approval committee – Automatic approval / rejection? – Record-keeping – Available tracking tools – Black Duck Hub – Code Center – Auditing mechanism – Periodic code scans
  • 22. © 2019 Synopsys, Inc. 22 Third party software policy substance • How is guidance on preferred licenses provided? – Broad-terms guidance in the policy itself – More detailed guidance, including “corner cases” through training • How will the policy be enforced? – Integrate review/enforcement tools with tools already in use – Consider having employees sign the policy – Perform future code scans – Perform spot checks – KGB-style encouragement of tattling on your neighbor • Final thoughts – Make sure policy matches practice – Do not treat policy as set in stone
  • 23. © 2019 Synopsys, Inc. 23 Shifting “left” and automation • Shifting “left” – Move assessment and compliance process earlier in the development process – Provide feedback earlier – Make corrections before they become costly – Changes culture of development team • How? – Integrations – Black Duck software composition analysis • Automation – Allows to auto-approve and auto-reject certain components – Use automated policy engines and rules – 80/20 rule: 80+ percent of components can be approved or denied based on bright-line rules – Permissive licenses can be approved for virtually any use, but beware the “hidden patent license” – Tempting to reject certain licenses, but almost every license can be approved under certain conditions (except maybe CCA-NonCommercial licenses)
  • 24. © 2019 Synopsys, Inc. 24 Third party software policy mechanics • Who initiates review? – Developer – Tech lead – Automatic (via integrated tool) • Who is on the review committee? – Representatives from all areas of company – Legal, Business, Development, SecOps • Who reviews first? – Obtain technical “pre-review?” • How to kick off review? – Use the tools the developers already use – Jira, Slack, Black Duck, email – Use easy-to-follow forms for initial information • Where are records kept? – Use the tools the developers already use – Make sure to provide access of prior decisions to developers to avoid duplicate requests
  • 25. © 2019 Synopsys, Inc. 25 Third party software approval sample flowchart START
  • 26. © 2019 Synopsys, Inc. 26 How do you contribute to the open source community?
  • 27. © 2019 Synopsys, Inc. 27 Contributing to the open source community • Define goals for contributing to existing projects – Publicity (reputation, goodwill, visibility) – “Good citizen” – believe in giving back to the community – Make it easier to maintain your code (contribute back patches / bug fixes) • Define goals for running your own projects – Recruiting tool – Develop relationships with open source developers – Attract talent – Crowdsource development – Non-core ideas implemented for “free” – Reduce development costs and time – Drive adoption of platform/ecosystem – Create a new line of business (support, apps/plug-ins) • Recognize risks – Competitors / competitive issues – Loss of control over contributed code (forking) – Contributor license agreements (CLAs) – Material changes – Unintended patent licenses – Overshare (accidental/malicious contribution of trade secrets) – Cost and resources to support open source contributions – Contributing to “ghost towns” (orphaned projects)
  • 28. © 2019 Synopsys, Inc. 28 Contributor license agreement (CLA) • Typically based on the Apache Software Foundation form agreements – Two forms: individual and corporate • Usually slightly modified, but sometimes materially • Really broad license grants – Copyright – Covers the contribution and derivative works, sublicensable, perpetual – Granted to anyone who receives software from the Foundation that includes the contribution (not just the Work to which it was submitted) – Patent – Covers the contribution and the combination of the contribution and the Work to which it was submitted, irrevocable – No temporal restriction – Does contain defensive termination clause • Contributor has no control over direction of project
  • 29. © 2019 Synopsys, Inc. 29 Contributing to open source projects considerations • Considerations for companies of all sizes: – Beware the corporate CLA – Individual submissions versus corporate submissions – Beware the rogue CLA – Not all CLAs are created equal – License vs. transfer of ownership – Know your competitors – Decide whether to contribute to their projects – Impact of GDPR • Smaller companies focus items: – Protect the “crown jewels” – Think about future investors / acquirers and what they would want – Beware of project scope creep – Keep in mind potential future markets – Revise policies to match company’s growth • Larger companies focus items: – Review all code prior to submission – Policy should match employment agreements – Even code written outside business hours / not using Company resources? – Consider sponsorship without code submission
  • 30. © 2019 Synopsys, Inc. 30 Some takeaways • It’s not as hard as it looks, but need to start somewhere • Performing a code scan is an easy way to get started and allows a baseline – Always finds previously unknown components • It’s hard to undo the impact of poor practices • You don’t have to do everything we discussed • Start small, scale up as needed – Get initial list of third party components, licenses, usage
  • 31. © 2019 Synopsys, Inc. 31 Q&A
  • 32. Thank You This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising