Leveraging Open Source Opportunity in the Public Sector Without the Risk

Post on 07-Aug-2015

  1. Leveraging Open Source Opportunity in the Public Sector Without the Risk (Protecode Inc. 2015, February 27th 2015)
  2. Agenda
     - Open Source Software
       - Open source is a huge opportunity for the public sector
       - The benefits of using open source
       - Potential challenges
     - Mitigating Risk
       - Open source software adoption process (OSSAP)
       - Establishing a baseline and a policy
       - Optimising OSSAP
       - When should you worry about licence compliance?
       - Crowdsourcing OSSAP
     - Wrap up and Q&A
     - Presenters: Tiberius Forrester, Director, Solution Architecture, Protecode; Martin Callinan, Director, Source Code Control
  3. Open Source Everywhere: these companies have dedicated OSS teams (logo slide)
  4. Even Apple (logo slide)
  5. OSS Opportunity in the Public Sector
     - Create a market of open source solutions
     - Applications can be modified to suit individual requirements
     - Faster time to market of solutions
     - Efficiencies: pay for what is needed, use what you pay for
     - Create a library of assets for re-use
     - Ecosystem of communities
     - Avoid individual vendor lock-in
  6. Open Source Software: Why OSS?
     - Enables rapid software development: easy access to code; hundreds of thousands of projects
     - Enables new business models
     - The original crowdsourcing model (and the most successful)
     - The good: faster, more functional; improves interoperability and adoption of standards
     - The challenge: uncertain ownership structure; intellectual property (copyright, license); maintenance and support; potential security and quality vulnerabilities
     - Requires due diligence and a managed adoption process
  7. Copyright and Licences: It Matters!
     - Copyrights are automatic even when code is made public: the person or organisation who wrote the code automatically owns the copyright
     - Permission to use is contained in a license. No licence? Don't use it
     - Open source licences give you the right to use, modify and (re)distribute, some with conditions, e.g. reveal that you are using it; reproduce the full text of the license; disclose your entire source code
     - Conditions may limit the combinations of licenses you can use
     - Some have bizarre obligations
     - Choosing the right licences for the right types of use: distributed content and format, tools, etc.
     - Disclaimer: I am not a lawyer, and I don't provide legal advice!
  8. Security Vulnerabilities
     - What is a security vulnerability? "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
     - Security vulnerabilities are bound to occur, in both OSS and proprietary software
     - Known security vulnerabilities are tracked in the National Vulnerability Database (NVD)
  9. OSS Procurement Involves
     - Taking inventory of 3rd party components
     - Clarification of IP ownership and licensing
     - Ensuring licence models meet business expectations
     - Compliance with license obligations
     - Eligibility to export (encryption content)
     - Minimising security risks
  10. OSS Adoption Process (OSSAP) Maturity Model
     - Voluntary policy compliance with legal advice
     - Manual search and code review
     - In-house tools
     - Automated scanning with reference database
     - Integrated tool suite within the software development cycle
     - A clearly defined and well communicated policy is essential in maturing your OSS adoption processes
  11. OSSAP (Open Source Software Adoption Process) stages
     - Define a policy
     - Establish a baseline
     - Package pre-approval
     - Scan in real time
     - Scan at regular intervals
     - Final build analysis
  12. What is in the OSS Policy
     - What's the strategy: why do we need OSS, and why do we need a policy?
     - Who are the stakeholders: legal, product management, R&D, security. Ownership and buy-in is essential to successfully implement
     - What's the scope: who's covered, what's covered. Different rules for different groups or business units are sometimes necessary
     - How to apply: guidelines, whitelists and blacklists, tools, checklists, etc.
     - How to communicate: obligations, contributions, public forums
  13. Establishing a Baseline
     - Objective: identify all 3rd party content and identify its licensing attributes
     - Tasks: inspect all source code and build ingredients to create a Bill of Materials (BOM). Key files: build files (makefile, POM files, etc.); text files containing license text; text files that may make reference to licenses; any other documentation
     - Determine the distribution method: source? Binary? Deployment?
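As an added example (not from the slides, and not Protecode's or Source Code Control's tooling), the baseline task of slide 13 and the "no licence, don't use it" and whitelist/blacklist rules of slides 7 and 12 can be sketched in Python: the first path element of each file names a component, build files are recorded in the BOM, licence files are matched against fingerprints, and each component gets a policy verdict. The licence fingerprints, file names, sample tree and policy lists are all assumptions constructed for the example; SAMPLE_TREE stands in for what a walk of a real vendored directory would yield.

```python
import re
from collections import defaultdict

# Constructed fingerprints: one distinctive phrase per licence. This is an assumption
# made for the example; a real reference database matches whole licence texts.
LICENSE_FINGERPRINTS = {
    "MIT": r"Permission is hereby granted, free of charge",
    "Apache-2.0": r"Licensed under the Apache License, Version 2\.0",
    "GPL-3.0": r"GNU GENERAL PUBLIC LICENSE\s+Version 3",
}
BUILD_FILES = {"Makefile", "makefile", "pom.xml", "package.json", "build.gradle"}
LICENSE_FILE = re.compile(r"^(LICEN[CS]E|COPYING)", re.I)
def detect_license(text):
    """Return an SPDX-style identifier for the first fingerprint found, else None."""
    for spdx, pattern in LICENSE_FINGERPRINTS.items():
        if re.search(pattern, text):
            return spdx
    return None
def build_bom(files):
    """files: iterable of (path relative to the vendored tree, text); first path element = component."""
    bom = defaultdict(lambda: {"license": None, "build_files": []})
    for rel, text in files:
        component, base = rel.split("/", 1)[0], rel.rsplit("/", 1)[-1]
        entry = bom[component]
        if base in BUILD_FILES:
            entry["build_files"].append(rel)
        elif entry["license"] is None and LICENSE_FILE.match(base):
            entry["license"] = detect_license(text)
    return dict(bom)
def verdict(lic, whitelist, blacklist):
    """Policy rule from the slides: no licence means do not use; then blacklist, whitelist."""
    if lic is None:
        return "reject: no licence found"
    if lic in blacklist:
        return "reject: " + lic + " is blacklisted"
    if lic in whitelist:
        return "approve: " + lic
    return "review: " + lic + " not pre-approved"

def check_policy(bom, whitelist, blacklist):
    return {name: verdict(e["license"], whitelist, blacklist) for name, e in bom.items()}
# Constructed sample standing in for a walk of a vendored third-party directory.
SAMPLE_TREE = [
    ("libfoo/LICENSE", "MIT License\nPermission is hereby granted, free of charge, ..."),
    ("libfoo/Makefile", "all:\n\tcc -o foo foo.c"),
    ("barlib/COPYING", "GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007"),
    ("barlib/src/pom.xml", "<project/>"),
    ("mystery/package.json", "{}"),
]
```

Components whose licence file is missing or unrecognised come back as "reject", which is the check to run before any package reaches the pre-approval step on the next slide.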
  14. Package Pre-Approval: a request/assess/approve-or-reject process. Information required for pre-approval:
     - Project information: project name, URL, license, author(s), type, exportability, etc.
     - Package information: package name and version; source of package; the package itself (for scanning); security vulnerabilities
     - Usage model: distribution model (binary, source, hosted, internal only, etc.); types of derivatives (modified? linked? loosely coupled?)
     - Organisation-specific information: business unit; business justification; maintenance and support
  15. Cost of Compliance at Different Stages of Development
     - License management is most effective when applied early in the development life cycle
     - [Chart: cost (vertical axis) against development stage (Development | Build/QA | In The Market); measures shown, in stage order: Software Package Pre-Approval, Real-Time Preventative Measures, Periodic Analysis, Build-Time & Pre-Launch Analysis, Post-Launch Correction]
  16. Effort involved in fixing licensing issues at different stages in development
     - [Chart: effort (vertical axis) against number of issues created; compares issues that are created and resolved at the same point with issues resolved as they arise; labelled for Developers and Licensing Team]
  17. Reporting Options
     - Summary report: high-level view of the findings; highlights key findings and areas requiring attention; reference material on licenses found and best practices
     - Detailed reports: detailed file-by-file CSV export; license obligations; license incompatibilities; text of all licenses applicable to software packages; security vulnerabilities; Export Control Classification Numbers (ECCN)
     - The first scan and review becomes a baseline. Subsequent scans are much quicker since they leverage existing data.
  18. Analyzer Raw Output (screenshot)
  19. Summary Report (screenshot)
  20. Licence Obligations Report (screenshot)
  21. Security Vulnerability Report (screenshot)
  22. Q&A: please type your questions into the chat box to the right
  23. About Source Code Control Limited
     - Software source code audits:
       - Legal risk / licence compliance: OSS licence analysis, legal obligations and potential intellectual property (IP) risks
       - Security vulnerabilities: security vulnerabilities contained within components
       - Operational risk: evaluates whether components meet your technical and architectural standards
       - Community support: determines developer activity and the resulting component viability based on commit history
     - Ease the adoption of open source software: create a structure to enable compliance with OSS licence requirements; enable greater use of OSS across the organisation
     - Quality code, secure code, compliant code
     - DevOps services
  24. About Protecode
     - Open source compliance and security vulnerability management solutions
     - Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
     - Accurate, usable and reliable products and services for organisations worldwide
  25. Next Steps
     - Book an individual discussion: source@sourcecodecontrol.co (managing existing OSS projects; planning for future OSS adoption; code reviews)
     - Meet us at UK e-Health Week: http://ukehealthweek.com/
     - Useful resources: European Commission OSS program https://joinup.ec.europa.eu/community/osor/home; Open Source Initiative http://opensource.org/; BCS Open Source Specialist Group http://ossg.bcs.org/
     - For more information about Source Code Control Limited: http://www.sourcecodecontrol.co
     - For more information about Protecode: http://www.protecode.com/
  26. info@protecode.com, www.protecode.com