SlideShare uma empresa Scribd logo

Open Source Governance in Highly Regulated Companies

I
iasaglobal

The document discusses the importance and risks of open source governance for highly regulated companies. It outlines that open source now represents an average of 29% of code deployed by IT and is used by 60-80% of technology innovators. However, uncontrolled use of open source can expose companies to technical, regulatory, security, legal and brand risks. The document advocates for formal open source governance processes to maximize the benefits of open source while minimizing risks.

Tecnologia
1 de 6
Baixar para ler offline
Open Source Governance in Highly Regulated Companies © 2013 Black Duck®, Know Your Code®, Ohloh®, SpikeSource®, Spike® and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. Koders™ is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders. All Rights Reserved.
2 Open source software (0SS) can empower developers, increase innovation and improve competitiveness, and its popularity is growing tremendously. Open source now represents an average of 29 percent of the code deployed by IT, and technology innovators are using 60 to 80 percent of open source code, which can yield cost savings and free-up development resources to improve competitive differentiation. And as open source becomes more common, the need for governance increases dramatically. Without proper controls and processes to ensure compliance and reduce exposure, organizations will be at risk from technical and operational, regulatory, security, legal and brand factors. It is more important than ever to ensure developers use approved and supported code. Introduction In addition to internal use of open source, most outsource development organizations Open source governance is part of IT governance thrive on the use of open source code, which and focuses on the specific issues related to creates additional entry points and increases the the acquisition, use and management of OSS, complexity and exposure for Enterprises. and ensuring it is done in alignment with a company’s stated objectives, policies and Since open source has traditionally been risk profile. uncontrolled despite it wide use and deployment, the need for management, visibility and In many companies, the use of open source control has grown to the point where formal components in IT application development has governance processes are required. Mark Driver, historically been forbidden, largely uncontrolled Gartner’s lead analyst on open source, recently or both, but that has not prevented it from being reflected on this development: “Open source is widely used and deployed. Developers enjoy ubiquitous, it’s unavoidable…having a policy the freedom and creativity of leveraging the against open source is impractical and places abundance of open source code available on you at a competitive disadvantage.” In fact, the Internet, often without a formal acquisition Gartner predicts that “by 2014, 50 percent process. In fact, even with tepid management of Global 2000 organizations will experience support, open source has reached a tipping technology, cost and security challenges through point: in January 2011, Gartner surveyed 547 a lack of open source governance.” The urgency IT leaders and reported that software deployed is growing for management to catch up with the by IT organizations had an equal amount of reality of how software is built today. open source and internally developed code. Technology innovators are using 60 to 80 Open Source: percent open source in their code1, and as they realize significantly more benefit from the code, Maximize the Return while adoption increases. Minimizing the Risks The difference in open source use represents The benefits of using open source are well-known a large potential reduction of development and widely reported, and include reduced investment that could be realized as cost savings, but more typically, customers shift that potential – with flat or declining development budgets – to areas that create competitive value. cost, increased IT flexibility and innovation and faster time-to-solution. According to Jeff Hammond, principal analyst at Forrester Research, open source is a “silver bullet” that
allows simultaneous improvement along all three dimensions of the software “iron triangle” of cost, schedule and features. However, the uncontrolled use of open source and the lack of formal acquisition processes can expose an organization to material risks. Risks from the use of open source include: • Technical and operational • Regulatory • Security • Legal • Brand Technical and Operational risk The technical and operational risk from the uncontrolled use of open source manifest in a number of areas, including: • Code quality/integrity • Ability to obtain support • Viability of the community behind the open source project While a number of popular open source projects are reported to be of higher quality than commercial code, there are over half a million open source projects available on the Internet, and quality is not uniform. There are often multiple open source alternatives to choose from, which adds to the complexity of decision making and the need for tools and data to assist in the process. Open source code needs to be tested and vetted like other software. When open source is used in mission critical operations, a clear plan and path from the code to where it’s used, to how and where to obtain support and fixes are critical. The issue of where to and how to obtain support for open source projects is a topic of frequent discussion – for example, buying commercial support versus relying on the open source community versus providing self-support. Operational risk can also develop from too much reliance on a particular project. Many IT organizations rely on the community behind a project for support and enhancements, often becoming part of the community themselves. A development team may inadvertently create risk and exposure by choosing a project that becomes stagnant or dies. Questions that should be addressed when a component is chosen include: • If a problem arises with the code, who will fix it? • Is the community behind the project viable and robust? • Will the project continue to grow and thrive? • How will we support it? • Should we contribute back to the community? Regulatory risk Regulatory compliance is concerned with meeting the obligations of regulations that may be affected by the use of open source, which include, but are not limited to: Sarbanes-Oxley, Basel II and III, data privacy regulations and export regulations. Open source is often integral to how users and applications interact with critical business data. The lack of visibility on what the code is doing and how it works can represent a major control oversight of the data and create regulatory exposure. In addition, the way developers integrate open source with proprietary code can affect IP ownership. For example, in March 2011, a former Goldman Sachs programmer received an eight-year jail term for theft of intellectual property in the form of software. The programmer originally claimed he inadvertently mishandled open source code and Goldman’s proprietary code for one of its major trading platforms. Sarbanes-Oxley Act Sarbanes-Oxley requires verification of the ownership of material assets, and brings personal accountability directly to corporate managers. Section 302 “Disclosure Controls” requires 3
reporting of any material weakness of internal controls. Section 404 “Assessment of Internal Controls” requires a management assessment of the effectiveness of internal control structure and procedures. As open source has grown in popularity and awareness, knowledge of the lack of controls around its use and the commensurate implications are growing as well. Improper vetting of open source acquired by developers, lack of oversight to comply with the legal obligations and ignorance of vulnerabilities in open source code are all areas where automation tools and best practices are available to minimize and control the risks. Basel II and III In Europe, the Basel III framework specifies how much capital banks need to put aside to guard against the types of financial and operational risks that banks face. The Goldman Sachs example referenced above highlights how the lack of operational controls over code can directly create risk and exposure. Data Privacy Regulations There are a growing number of data privacy regulations that reinforce the need to manage potential exposure from the use of external code. The Payment Card Industry Data Security Standard (PCI) is an information security standard for organizations that handles cardholder information. It requires the protection of cardholder data and requires an annual validation of compliance, including the requirements that organizations maintain secure systems and applications, have strong access control, monitor and test access, as well as maintain a policy that addresses information security. Again, the lack of operational controls around the acquisition and use of open source can potentially expose such business critical data. The State of California Security Breach Information Act (SB-1386) regulates the privacy of personal information. The Act stipulates that if a security breach of a database containing personal data occurs, the responsible organization must notify each individual for whom it maintained information. Massachusetts has a similar law (Mass 201 CMR 17) that builds on SB-1386 with penalties up to $5,000 for each violation. Given the requirements for notification, the cost of violations and the fact that the US Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year, development organizations need to ensure personal information is safeguarded. Export Regulation Governments around the world also regulate the commercial export and transfer of software containing encryption algorithms. To remain in compliance, organizations need to be aware of the cryptographic content of software and comply with applicable regulations. In the United States, rules governing exports and re-exports of software containing encryption items are administered by the Bureau of Industry and Security (BIS) or are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. There are over 4,000 open source projects with encryption algorithms strong enough to require a filing with the U.S. Department of Commerce Bureau of Industry and Security (BIS) if the code is exported from the U.S. Other governments around the world have similar regulations that control the type of encryption allowed to be exported and to whom. Security risk Application security is an essential tool for managing risks in today’s complex IT environment. According to Forrester, third-party code is not tested for quality, safety or security with the same level of rigor as in-house developed code. Security Week recently reported on data from a Forrester study of over 300 software development influencers in the U.S. and Europe that found 40 percent of 4
5 respondents cited problems from third-party code resulting in product delays or recalls, security vulnerabilities, increase in development time and revenue impact, which has caused these influencers to seek greater visibility into code integrity. Development’s use of OSS can create blind spots that need to be addressed, and IT management needs to ensure security as new applications, products and services are created. Legal risk Legal risk and exposure with OSS is fairly well-known and widely reported. While open source is free, all open source comes with a license and obligations that must be met. Open source licenses range from simple/permissive licenses such as the MIT and BSD license, to the more restrictive, “copyleft” GPL family of licenses, including the AGPL that covers network access of open source over the Web. Improper use of open source code, especially code under the GPL-family of licenses, can impact an organization’s IP and their brand. There have been a number of highly publicized lawsuits and violations with Fortune 500 companies that proved both embarrassing and damaging to the organizations’ relationships with the open source community. Understanding legal requirements for software has not been a developers job, but today’s style of development increasingly relies on integrating external code, like open source, with the lack of formal acquisition processes. As such, governance needs to be put in place to both manage risk and empower developers to leverage open source for its significant advantages. Brand risk A company’s brand is one of its most valuable assets, representing the company’s ultimate promise to all of its customers. A company’s reputation reflects the management team’s ability to deliver on the promise associated with its brand, and can affect: • Stock valuation • Access to capital/credit ratings • Hiring, employee retention and engagement • Relationship with open source community While it can take years to develop a strong brand, it can take just one misstep to destroy it. The lawsuits in the open source world, for example, are highly visible examples of large enterprises – in many cases, Fortune 100 companies – being forced to comply with open source legal obligations, often at great cost to their brands and reputations. In addition, open source missteps impact an organization’s relationship with the open source community, an increasingly strategic relationship for large development organizations. Microsoft, for example, has made a concerted effort over the last few years to develop a positive relationship with the open source community. But even one of the best run software companies in the world ran afoul of the open source community and damaged its brand with the release of Windows 7. GPL- licensed open source code was integrated with part of the release by a third-party and was not discovered as part of Microsoft’s release process. To its credit, Microsoft discovered the problem, reported and fixed it. However, when viewed in the context of Microsoft working to improve their relationship with the open source community, it was a significant setback to their development efforts and relationship with the community. As Microsoft and others know, a company’s relationship with the open source community is critical if they are to rely on what is, essentially, a volunteer community for help and support with code. In addition, this relationship is key to hiring open source talent; companies now strategically seek developers who are both skilled in software development and open source community savvy.
Black Duck’s Role: Enabling Open Source Governance Effective governance of open source can empower developers, increase innovation and improve competitiveness. Black Duck enables organizations and developers to build better software faster by automating, managing and auditing their selection, use and governance of open source across the application lifecycle. Black Duck customers realize the following results: • IT controls to ensure developers use only approved, compliant third-party code • Minimize risk and avoid painful business consequences • Effectively monitor, audit and support applications that use open source • Gain unprecedented visibility and control into all third-party code • Increase developer productivity throughout the process • Meet regulatory compliance goals With nearly 1,000 customers around the world, Black Duck has the experience, scale and best practices to provide enterprise-scale governance that fully empowers developers with open source while virtually eliminating the operational, regulatory, security, legal and reputational risks. PLAN CODE BUILD TEST About Black Duck Offering award-winning software and consulting, Black Duck is the partner of choice for open source software adoption, governance and management. Enterprises of every size depend on Black Duck to harness the power of open source technologies and methods. As part of the greater OSS community, Black Duck connects developers to comprehensive OSS resources through Ohloh.net, and to the latest commentary from industry experts through the Open Source Delivers blog. Black Duck also hosts the Open Source Think Tank, an international event where thought leaders collaborate on the future of open source. Black Duck is headquartered near Boston and has offices in San Mateo, St. Louis, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information about how to leverage open source to deliver faster innovation, greater creativity and improved efficiency, visit www.blackducksoftware.com and follow us at @black_duck_sw. Contact To learn more, please contact: sales@blackducksoftware.com or 1.781.891.5100 Additional information is available at: www.blackducksoftware.com WP-GOV-UL-0413 KNOWLEDGEBASE APPLICATION DEVELOPMENT CYCLE RELEASE OPEN SOURCE GOVERNANCE LIFECYCLE ACQUIRE APPROVE CATALOG AUDIT MONITOR

Recomendados

Analyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaAnalyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaEMC
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enoughEMC
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019ENC
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 
INSECURE Magazine - 42
INSECURE Magazine - 42INSECURE Magazine - 42
INSECURE Magazine - 42Felipe Prado
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
UK Cyber Vulnerability Index 2013
UK Cyber Vulnerability Index 2013UK Cyber Vulnerability Index 2013
UK Cyber Vulnerability Index 2013Martin Jordan
 

Recomendados

Analyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaAnalyst Report: The Digital Universe in 2020 - China
Analyst Report: The Digital Universe in 2020 - ChinaEMC
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 
Why Passwords are not strong enough
Why Passwords are not strong enoughWhy Passwords are not strong enough
Why Passwords are not strong enoughEMC
 
India Legal 17 June 2019
India Legal 17 June 2019India Legal 17 June 2019
India Legal 17 June 2019ENC
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...PortalGuard
 
INSECURE Magazine - 42
INSECURE Magazine - 42INSECURE Magazine - 42
INSECURE Magazine - 42Felipe Prado
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
UK Cyber Vulnerability Index 2013
UK Cyber Vulnerability Index 2013UK Cyber Vulnerability Index 2013
UK Cyber Vulnerability Index 2013Martin Jordan
 
Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyCSCJournals
 
CompTIA Security Study [Report]
CompTIA Security Study [Report]CompTIA Security Study [Report]
CompTIA Security Study [Report]Assespro Nacional
 
KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012Charmaine Servado
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Taking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication ChallengeTaking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication ChallengeEMC
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...PGConf APAC
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloudUlf Mattsson
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sDr Lendy Spires
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Cyril Soeri
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss PreventionSeqrite
 
The growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQLThe growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQLRajni Baliyan
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Reining in outsourcing risk
Reining in outsourcing riskReining in outsourcing risk
Reining in outsourcing riskTang Tan Dung
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Adriana Sanford
 
Ccs16
Ccs16Ccs16
Ccs16Andrey Apuhtin
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowTechSoup
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...South Tyrol Free Software Conference
 
OSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governanceOSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governancePrabir Kr Sarkar
 

Mais conteúdo relacionado

Mais procurados

Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyCSCJournals
 
CompTIA Security Study [Report]
CompTIA Security Study [Report]CompTIA Security Study [Report]
CompTIA Security Study [Report]Assespro Nacional
 
KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012Charmaine Servado
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Taking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication ChallengeTaking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication ChallengeEMC
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesCompTIA
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...PGConf APAC
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloudUlf Mattsson
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sDr Lendy Spires
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Cyril Soeri
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss PreventionSeqrite
 
The growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQLThe growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQLRajni Baliyan
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Reining in outsourcing risk
Reining in outsourcing riskReining in outsourcing risk
Reining in outsourcing riskTang Tan Dung
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Adriana Sanford
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowTechSoup
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksConstantin Cocioaba
 

Mais procurados (20)

Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In Technology
 
CompTIA Security Study [Report]
CompTIA Security Study [Report]CompTIA Security Study [Report]
CompTIA Security Study [Report]
 
KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012KPMG Publish and Be Damned Cyber Vulnerability Index 2012
KPMG Publish and Be Damned Cyber Vulnerability Index 2012
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Taking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication ChallengeTaking Control of the Digital and Mobile User Authentication Challenge
Taking Control of the Digital and Mobile User Authentication Challenge
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOT
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
PGConf APAC 2018: Sponsored Talk by Fujitsu - The growing mandatory requireme...
 
Emerging application and data protection for cloud
Emerging application and data protection for cloudEmerging application and data protection for cloud
Emerging application and data protection for cloud
 
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT'sWSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
WSIS10 Action Line C5 Building Confidence and Security in the use of ICT's
 
Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.Your organization is at risk! Upgrade your IT security & IT governance now.
Your organization is at risk! Upgrade your IT security & IT governance now.
 
[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention[Infographic] Data Loss Prevention
[Infographic] Data Loss Prevention
 
The growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQLThe growing mandatory requirements to protect data- secure PostgreSQL
The growing mandatory requirements to protect data- secure PostgreSQL
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
Reining in outsourcing risk
Reining in outsourcing riskReining in outsourcing risk
Reining in outsourcing risk
 
Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014Data Security and Privacy Under The Compliance Spotlight April 2014
Data Security and Privacy Under The Compliance Spotlight April 2014
 
Ccs16
Ccs16Ccs16
Ccs16
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to Know
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 

Semelhante a Open Source Governance in Highly Regulated Companies

SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...South Tyrol Free Software Conference
 
OSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governanceOSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governancePrabir Kr Sarkar
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps.com
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Black Duck by Synopsys
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous DeliveryMainstay
 
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Executive Leaders Network
 
How to build effective and cheaper m-payments with Open Source
How to build effective and cheaper m-payments with Open SourceHow to build effective and cheaper m-payments with Open Source
How to build effective and cheaper m-payments with Open SourceBMI Healthcare
 
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...hani727151
 
Rise of the Open Source Program Office for LinuxCon 2016
Rise of the Open Source Program Office for LinuxCon 2016Rise of the Open Source Program Office for LinuxCon 2016
Rise of the Open Source Program Office for LinuxCon 2016Gil Yehuda
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Black Duck by Synopsys
 
ultimate-guide-to-getting-started-with-appsec-veracode
ultimate-guide-to-getting-started-with-appsec-veracodeultimate-guide-to-getting-started-with-appsec-veracode
ultimate-guide-to-getting-started-with-appsec-veracodeSean Varga
 
Exploring new mobile and cloud platforms without a governance .docx
Exploring new mobile and cloud platforms without a governance .docxExploring new mobile and cloud platforms without a governance .docx
Exploring new mobile and cloud platforms without a governance .docxssuser454af01
 
Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Renub Research
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
 
Ultimate_Guide_to_getting_started_with_AppSec
Ultimate_Guide_to_getting_started_with_AppSecUltimate_Guide_to_getting_started_with_AppSec
Ultimate_Guide_to_getting_started_with_AppSecJessica Lavery Pozerski
 
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info Leaked
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info LeakedOpen Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info Leaked
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info LeakedBlack Duck by Synopsys
 
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdfWritten-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdfjiricejka
 

Semelhante a Open Source Governance in Highly Regulated Companies (20)

SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
SFScon 2020 - Luisa Romano - Cybersecurity Managers Liability and Use of Open...
 
OSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governanceOSS - enterprise adoption strategy and governance
OSS - enterprise adoption strategy and governance
 
DevOps for Highly Regulated Environments
DevOps for Highly Regulated EnvironmentsDevOps for Highly Regulated Environments
DevOps for Highly Regulated Environments
 
e-HealthWhitepaper
e-HealthWhitepapere-HealthWhitepaper
e-HealthWhitepaper
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
Open Source Insight: Samba Vulnerability, Connected Car Risks, and Are You R...
 
Fortify Continuous Delivery
Fortify Continuous DeliveryFortify Continuous Delivery
Fortify Continuous Delivery
 
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
Streaming Processes: Creating a Start-up Within a Big Corporate (Mohammad Sha...
 
How to build effective and cheaper m-payments with Open Source
How to build effective and cheaper m-payments with Open SourceHow to build effective and cheaper m-payments with Open Source
How to build effective and cheaper m-payments with Open Source
 
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...
A_Statistical_Study_and_Analysis_to_Identify_the_Importance_of_Open-source_So...
 
Rise of the Open Source Program Office for LinuxCon 2016
Rise of the Open Source Program Office for LinuxCon 2016Rise of the Open Source Program Office for LinuxCon 2016
Rise of the Open Source Program Office for LinuxCon 2016
 
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious...
 
ultimate-guide-to-getting-started-with-appsec-veracode
ultimate-guide-to-getting-started-with-appsec-veracodeultimate-guide-to-getting-started-with-appsec-veracode
ultimate-guide-to-getting-started-with-appsec-veracode
 
Exploring new mobile and cloud platforms without a governance .docx
Exploring new mobile and cloud platforms without a governance .docxExploring new mobile and cloud platforms without a governance .docx
Exploring new mobile and cloud platforms without a governance .docx
 
Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028Digital Forensics Market, Size, Global Forecast 2023-2028
Digital Forensics Market, Size, Global Forecast 2023-2028
 
Anajli_Synopsis
Anajli_SynopsisAnajli_Synopsis
Anajli_Synopsis
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
 
Ultimate_Guide_to_getting_started_with_AppSec
Ultimate_Guide_to_getting_started_with_AppSecUltimate_Guide_to_getting_started_with_AppSec
Ultimate_Guide_to_getting_started_with_AppSec
 
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info Leaked
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info LeakedOpen Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info Leaked
Open Source Insight: Hub Detect & DevOps, OSS for Cars & 1.8 M Voter Info Leaked
 
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdfWritten-Blog_Ethic_AI_08Aug23_pub_jce.pdf
Written-Blog_Ethic_AI_08Aug23_pub_jce.pdf
 

Mais de iasaglobal

Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0iasaglobal
 
Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0iasaglobal
 
Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3iasaglobal
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture toolsiasaglobal
 
Understanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmUnderstanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmiasaglobal
 
Information and data relevance to business
Information and data relevance to businessInformation and data relevance to business
Information and data relevance to businessiasaglobal
 
Case study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryCase study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryiasaglobal
 
Max Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product ArchitectureMax Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product Architectureiasaglobal
 
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the WholeMichael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the Wholeiasaglobal
 
Michael Jay Freer - Information Obfuscation
Michael Jay Freer - Information ObfuscationMichael Jay Freer - Information Obfuscation
Michael Jay Freer - Information Obfuscationiasaglobal
 
Creating Enterprise Value from Business Architecture
Creating Enterprise Value from Business ArchitectureCreating Enterprise Value from Business Architecture
Creating Enterprise Value from Business Architectureiasaglobal
 
Scott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture AnywayScott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture Anywayiasaglobal
 
Board of Education Vision 2013-2014
Board of Education Vision 2013-2014Board of Education Vision 2013-2014
Board of Education Vision 2013-2014iasaglobal
 
Sean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with PatternsSean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with Patternsiasaglobal
 
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of PrinciplesSheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principlesiasaglobal
 
Stephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the ArchitectStephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the Architectiasaglobal
 
William Martinez - Evolution Game
William Martinez - Evolution GameWilliam Martinez - Evolution Game
William Martinez - Evolution Gameiasaglobal
 
Paul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in TransformationPaul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in Transformationiasaglobal
 
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design PatternsNina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design Patternsiasaglobal
 
Roger Sessions - The Snowman Architecture
Roger Sessions - The Snowman ArchitectureRoger Sessions - The Snowman Architecture
Roger Sessions - The Snowman Architectureiasaglobal
 

Mais de iasaglobal (20)

Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0
 
Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0
 
Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture tools
 
Understanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmUnderstanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigm
 
Information and data relevance to business
Information and data relevance to businessInformation and data relevance to business
Information and data relevance to business
 
Case study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryCase study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industry
 
Max Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product ArchitectureMax Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product Architecture
 
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the WholeMichael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
 
Michael Jay Freer - Information Obfuscation
Michael Jay Freer - Information ObfuscationMichael Jay Freer - Information Obfuscation
Michael Jay Freer - Information Obfuscation
 
Creating Enterprise Value from Business Architecture
Creating Enterprise Value from Business ArchitectureCreating Enterprise Value from Business Architecture
Creating Enterprise Value from Business Architecture
 
Scott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture AnywayScott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture Anyway
 
Board of Education Vision 2013-2014
Board of Education Vision 2013-2014Board of Education Vision 2013-2014
Board of Education Vision 2013-2014
 
Sean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with PatternsSean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with Patterns
 
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of PrinciplesSheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
 
Stephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the ArchitectStephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the Architect
 
William Martinez - Evolution Game
William Martinez - Evolution GameWilliam Martinez - Evolution Game
William Martinez - Evolution Game
 
Paul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in TransformationPaul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in Transformation
 
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design PatternsNina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
 
Roger Sessions - The Snowman Architecture
Roger Sessions - The Snowman ArchitectureRoger Sessions - The Snowman Architecture
Roger Sessions - The Snowman Architecture
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Open Source Governance in Highly Regulated Companies

  • 1. Open Source Governance in Highly Regulated Companies © 2013 Black Duck®, Know Your Code®, Ohloh®, SpikeSource®, Spike® and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. Koders™ is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders. All Rights Reserved.
  • 2. 2 Open source software (0SS) can empower developers, increase innovation and improve competitiveness, and its popularity is growing tremendously. Open source now represents an average of 29 percent of the code deployed by IT, and technology innovators are using 60 to 80 percent of open source code, which can yield cost savings and free-up development resources to improve competitive differentiation. And as open source becomes more common, the need for governance increases dramatically. Without proper controls and processes to ensure compliance and reduce exposure, organizations will be at risk from technical and operational, regulatory, security, legal and brand factors. It is more important than ever to ensure developers use approved and supported code. Introduction In addition to internal use of open source, most outsource development organizations Open source governance is part of IT governance thrive on the use of open source code, which and focuses on the specific issues related to creates additional entry points and increases the the acquisition, use and management of OSS, complexity and exposure for Enterprises. and ensuring it is done in alignment with a company’s stated objectives, policies and Since open source has traditionally been risk profile. uncontrolled despite it wide use and deployment, the need for management, visibility and In many companies, the use of open source control has grown to the point where formal components in IT application development has governance processes are required. Mark Driver, historically been forbidden, largely uncontrolled Gartner’s lead analyst on open source, recently or both, but that has not prevented it from being reflected on this development: “Open source is widely used and deployed. Developers enjoy ubiquitous, it’s unavoidable…having a policy the freedom and creativity of leveraging the against open source is impractical and places abundance of open source code available on you at a competitive disadvantage.” In fact, the Internet, often without a formal acquisition Gartner predicts that “by 2014, 50 percent process. In fact, even with tepid management of Global 2000 organizations will experience support, open source has reached a tipping technology, cost and security challenges through point: in January 2011, Gartner surveyed 547 a lack of open source governance.” The urgency IT leaders and reported that software deployed is growing for management to catch up with the by IT organizations had an equal amount of reality of how software is built today. open source and internally developed code. Technology innovators are using 60 to 80 Open Source: percent open source in their code1, and as they realize significantly more benefit from the code, Maximize the Return while adoption increases. Minimizing the Risks The difference in open source use represents The benefits of using open source are well-known a large potential reduction of development and widely reported, and include reduced investment that could be realized as cost savings, but more typically, customers shift that potential – with flat or declining development budgets – to areas that create competitive value. cost, increased IT flexibility and innovation and faster time-to-solution. According to Jeff Hammond, principal analyst at Forrester Research, open source is a “silver bullet” that
  • 3. allows simultaneous improvement along all three dimensions of the software “iron triangle” of cost, schedule and features. However, the uncontrolled use of open source and the lack of formal acquisition processes can expose an organization to material risks. Risks from the use of open source include: • Technical and operational • Regulatory • Security • Legal • Brand Technical and Operational risk The technical and operational risk from the uncontrolled use of open source manifest in a number of areas, including: • Code quality/integrity • Ability to obtain support • Viability of the community behind the open source project While a number of popular open source projects are reported to be of higher quality than commercial code, there are over half a million open source projects available on the Internet, and quality is not uniform. There are often multiple open source alternatives to choose from, which adds to the complexity of decision making and the need for tools and data to assist in the process. Open source code needs to be tested and vetted like other software. When open source is used in mission critical operations, a clear plan and path from the code to where it’s used, to how and where to obtain support and fixes are critical. The issue of where to and how to obtain support for open source projects is a topic of frequent discussion – for example, buying commercial support versus relying on the open source community versus providing self-support. Operational risk can also develop from too much reliance on a particular project. Many IT organizations rely on the community behind a project for support and enhancements, often becoming part of the community themselves. A development team may inadvertently create risk and exposure by choosing a project that becomes stagnant or dies. Questions that should be addressed when a component is chosen include: • If a problem arises with the code, who will fix it? • Is the community behind the project viable and robust? • Will the project continue to grow and thrive? • How will we support it? • Should we contribute back to the community? Regulatory risk Regulatory compliance is concerned with meeting the obligations of regulations that may be affected by the use of open source, which include, but are not limited to: Sarbanes-Oxley, Basel II and III, data privacy regulations and export regulations. Open source is often integral to how users and applications interact with critical business data. The lack of visibility on what the code is doing and how it works can represent a major control oversight of the data and create regulatory exposure. In addition, the way developers integrate open source with proprietary code can affect IP ownership. For example, in March 2011, a former Goldman Sachs programmer received an eight-year jail term for theft of intellectual property in the form of software. The programmer originally claimed he inadvertently mishandled open source code and Goldman’s proprietary code for one of its major trading platforms. Sarbanes-Oxley Act Sarbanes-Oxley requires verification of the ownership of material assets, and brings personal accountability directly to corporate managers. Section 302 “Disclosure Controls” requires 3
  • 4. reporting of any material weakness of internal controls. Section 404 “Assessment of Internal Controls” requires a management assessment of the effectiveness of internal control structure and procedures. As open source has grown in popularity and awareness, knowledge of the lack of controls around its use and the commensurate implications are growing as well. Improper vetting of open source acquired by developers, lack of oversight to comply with the legal obligations and ignorance of vulnerabilities in open source code are all areas where automation tools and best practices are available to minimize and control the risks. Basel II and III In Europe, the Basel III framework specifies how much capital banks need to put aside to guard against the types of financial and operational risks that banks face. The Goldman Sachs example referenced above highlights how the lack of operational controls over code can directly create risk and exposure. Data Privacy Regulations There are a growing number of data privacy regulations that reinforce the need to manage potential exposure from the use of external code. The Payment Card Industry Data Security Standard (PCI) is an information security standard for organizations that handles cardholder information. It requires the protection of cardholder data and requires an annual validation of compliance, including the requirements that organizations maintain secure systems and applications, have strong access control, monitor and test access, as well as maintain a policy that addresses information security. Again, the lack of operational controls around the acquisition and use of open source can potentially expose such business critical data. The State of California Security Breach Information Act (SB-1386) regulates the privacy of personal information. The Act stipulates that if a security breach of a database containing personal data occurs, the responsible organization must notify each individual for whom it maintained information. Massachusetts has a similar law (Mass 201 CMR 17) that builds on SB-1386 with penalties up to $5,000 for each violation. Given the requirements for notification, the cost of violations and the fact that the US Federal Trade Commission estimates that as many as 9 million Americans have their identities stolen each year, development organizations need to ensure personal information is safeguarded. Export Regulation Governments around the world also regulate the commercial export and transfer of software containing encryption algorithms. To remain in compliance, organizations need to be aware of the cryptographic content of software and comply with applicable regulations. In the United States, rules governing exports and re-exports of software containing encryption items are administered by the Bureau of Industry and Security (BIS) or are found in the Export Administration Regulations (EAR), 15 C.F.R. Parts 730-774. There are over 4,000 open source projects with encryption algorithms strong enough to require a filing with the U.S. Department of Commerce Bureau of Industry and Security (BIS) if the code is exported from the U.S. Other governments around the world have similar regulations that control the type of encryption allowed to be exported and to whom. Security risk Application security is an essential tool for managing risks in today’s complex IT environment. According to Forrester, third-party code is not tested for quality, safety or security with the same level of rigor as in-house developed code. Security Week recently reported on data from a Forrester study of over 300 software development influencers in the U.S. and Europe that found 40 percent of 4
  • 5. 5 respondents cited problems from third-party code resulting in product delays or recalls, security vulnerabilities, increase in development time and revenue impact, which has caused these influencers to seek greater visibility into code integrity. Development’s use of OSS can create blind spots that need to be addressed, and IT management needs to ensure security as new applications, products and services are created. Legal risk Legal risk and exposure with OSS is fairly well-known and widely reported. While open source is free, all open source comes with a license and obligations that must be met. Open source licenses range from simple/permissive licenses such as the MIT and BSD license, to the more restrictive, “copyleft” GPL family of licenses, including the AGPL that covers network access of open source over the Web. Improper use of open source code, especially code under the GPL-family of licenses, can impact an organization’s IP and their brand. There have been a number of highly publicized lawsuits and violations with Fortune 500 companies that proved both embarrassing and damaging to the organizations’ relationships with the open source community. Understanding legal requirements for software has not been a developers job, but today’s style of development increasingly relies on integrating external code, like open source, with the lack of formal acquisition processes. As such, governance needs to be put in place to both manage risk and empower developers to leverage open source for its significant advantages. Brand risk A company’s brand is one of its most valuable assets, representing the company’s ultimate promise to all of its customers. A company’s reputation reflects the management team’s ability to deliver on the promise associated with its brand, and can affect: • Stock valuation • Access to capital/credit ratings • Hiring, employee retention and engagement • Relationship with open source community While it can take years to develop a strong brand, it can take just one misstep to destroy it. The lawsuits in the open source world, for example, are highly visible examples of large enterprises – in many cases, Fortune 100 companies – being forced to comply with open source legal obligations, often at great cost to their brands and reputations. In addition, open source missteps impact an organization’s relationship with the open source community, an increasingly strategic relationship for large development organizations. Microsoft, for example, has made a concerted effort over the last few years to develop a positive relationship with the open source community. But even one of the best run software companies in the world ran afoul of the open source community and damaged its brand with the release of Windows 7. GPL- licensed open source code was integrated with part of the release by a third-party and was not discovered as part of Microsoft’s release process. To its credit, Microsoft discovered the problem, reported and fixed it. However, when viewed in the context of Microsoft working to improve their relationship with the open source community, it was a significant setback to their development efforts and relationship with the community. As Microsoft and others know, a company’s relationship with the open source community is critical if they are to rely on what is, essentially, a volunteer community for help and support with code. In addition, this relationship is key to hiring open source talent; companies now strategically seek developers who are both skilled in software development and open source community savvy.
  • 6. Black Duck’s Role: Enabling Open Source Governance Effective governance of open source can empower developers, increase innovation and improve competitiveness. Black Duck enables organizations and developers to build better software faster by automating, managing and auditing their selection, use and governance of open source across the application lifecycle. Black Duck customers realize the following results: • IT controls to ensure developers use only approved, compliant third-party code • Minimize risk and avoid painful business consequences • Effectively monitor, audit and support applications that use open source • Gain unprecedented visibility and control into all third-party code • Increase developer productivity throughout the process • Meet regulatory compliance goals With nearly 1,000 customers around the world, Black Duck has the experience, scale and best practices to provide enterprise-scale governance that fully empowers developers with open source while virtually eliminating the operational, regulatory, security, legal and reputational risks. PLAN CODE BUILD TEST About Black Duck Offering award-winning software and consulting, Black Duck is the partner of choice for open source software adoption, governance and management. Enterprises of every size depend on Black Duck to harness the power of open source technologies and methods. As part of the greater OSS community, Black Duck connects developers to comprehensive OSS resources through Ohloh.net, and to the latest commentary from industry experts through the Open Source Delivers blog. Black Duck also hosts the Open Source Think Tank, an international event where thought leaders collaborate on the future of open source. Black Duck is headquartered near Boston and has offices in San Mateo, St. Louis, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information about how to leverage open source to deliver faster innovation, greater creativity and improved efficiency, visit www.blackducksoftware.com and follow us at @black_duck_sw. Contact To learn more, please contact: sales@blackducksoftware.com or 1.781.891.5100 Additional information is available at: www.blackducksoftware.com WP-GOV-UL-0413 KNOWLEDGEBASE APPLICATION DEVELOPMENT CYCLE RELEASE OPEN SOURCE GOVERNANCE LIFECYCLE ACQUIRE APPROVE CATALOG AUDIT MONITOR