Leveraging Open Source Opportunity in the Public Sector Without the Risk

Protecode Inc. 2015

February 27th 2015


Agenda

Open Source Software

– Open source is a huge opportunity for the public sector

– The Benefits of Using Open Source

– Potential challenges

Mitigating Risk

– Open source software adoption process (OSSAP)

– Establishing a baseline + a policy

Optimising OSSAP

– When should you worry about licence compliance?

– Crowdsourcing OSSAP

Wrap up and Q/A


Tiberius Forrester, Director, Solution Architecture, Protecode

Martin Callinan, Director, Source Code Control


Open Source Everywhere

These companies have dedicated OSS teams


Even Apple


OSS Opportunity in the Public Sector

Create a market of Open Source Solutions

– Applications can be modified to suit individual requirements

Faster time to market of solutions

Efficiencies

– Pay for what is needed, use what you pay for

Create a library of assets for re-use

Ecosystem of communities

Avoid individual vendor “lock-in”


Open Source Software

Enables rapid software development

– Easy access to code

– Hundreds of thousands of projects

– Enables new business models

– The original crowd sourcing model (and most successful)

The good:

– Faster, more functional

– Improves interoperability, adoption of standards

The challenge:

– Uncertain ownership structure

• Intellectual property - copyright, license

• Maintenance and support

– Potential security vulnerabilities and quality defects

– Requires due diligence – and a managed adoption process

Why OSS?


Copyright and Licences: It Matters!

Copyrights are automatic – even when code is made public

– The person/organisation who wrote the code automatically owns the copyright

Permission to use is contained in a license

– No Licence? Don’t use it

Open source licences give you the right to use, modify and (re)distribute, some with conditions, e.g.

– Reveal that you are using it

– Reproduce the full text of the license

– Disclose your entire source code

– Conditions may limit the combinations of licenses you can use

– Some have bizarre obligations

Choosing the right licences for the right types of use

– Distributed content and format, tools, etc.


Disclaimer: I am not a lawyer, and I don’t provide legal advice!


Security Vulnerabilities

What is a security vulnerability?

“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

Security vulnerabilities are bound to occur

– In both OSS and proprietary software

Known security vulnerabilities are tracked in the National Vulnerability Database (NVD)

OSS Procurement Involves…

Taking inventory of 3rd party components

Clarification of IP ownership and licensing

Ensuring licence models meet business expectations

Compliance with license obligations

Eligibility to export (encryption content)

Minimising Security Risks


OSS Adoption Process (OSSAP)

Maturity Model (stages, from least to most mature):

– Voluntary policy compliance with legal advice

– Manual search and code review

– In-house tools

– Automated scanning with reference database

– Integrated tool suite within the software development cycle

A clearly defined and well communicated policy is essential in maturing your OSS adoption processes

OSSAP: Open Source Software Adoption Process

– Define a policy

– Establish a baseline

– Package pre-approval

– Scan in real-time

– Scan at regular intervals

– Final build analysis

What is in the OSS Policy

What’s the Strategy

– Why do we need OSS, and why do we need a policy?

Who are the Stakeholders

– Legal, product management, R&D, Security

– Ownership and buy-in is essential to successfully implement

What’s the Scope

– Who’s covered, what’s covered

– Different rules for different groups or business units are sometimes necessary

How to Apply

– Guidelines, whitelists & blacklists, tools, checklists, etc.

How to Communicate

– Obligations, contributions, public forums


Establishing A Baseline

Objective: Identify all 3rd party content and identify its licensing attributes

Tasks:

– Inspect all source code and build ingredients to create a Bill of Materials (BOM)

– Key files:

• Build files (makefile, POM files, etc.)

• Text files containing license text

• Text files that may make reference to licenses

• Any other documentation

– Determine the distribution method

• Source? Binary? Deployment?
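As an added example of the baseline step (this is not code from the deck, from Protecode or from Source Code Control), the script below builds a minimal BOM from a Maven pom.xml and the licence texts found beside each vendored component. The pom.xml, the file tree, the org.example package names and the licence snippets are all constructed for the example, and the signature table covers only a handful of licences; a real baseline would use a reference database. It shows two things a naive grep misses: a version that is only resolvable through a `${property}`, and a component with no licence text at all, which the deck's rule ("No Licence? Don't use it") says must be flagged rather than silently accepted.

```python
"""Added example: baseline bill of materials (BOM) from a Maven POM plus
the licence texts shipped with each vendored component.

All inputs below are constructed for this example; the org.example
packages are fictional and are not real projects.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml. jsonlib's version is a ${property} reference, which
# a plain text search for <version> would report as "${jsonlib.version}".
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>gov.example</groupId>
  <artifactId>citizen-portal</artifactId>
  <version>1.0.0</version>
  <properties>
    <jsonlib.version>2.4.2</jsonlib.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>jsonlib</artifactId>
      <version>${jsonlib.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>textutils</artifactId>
      <version>3.3.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>mysterylib</artifactId>
      <version>0.9</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for the text files found next to each vendored
# component (path -> content). mysterylib ships no licence text at all.
SAMPLE_FILES = {
    "third_party/jsonlib/LICENSE": "Apache License\nVersion 2.0, January 2004\n...",
    "third_party/textutils/COPYING": "GNU LESSER GENERAL PUBLIC LICENSE\nVersion 2.1, February 1999\n...",
    "third_party/mysterylib/README": "A handy library. Copyright 2014 Someone.",
}

# Licence signatures: (regex over the file text, SPDX identifier). Only a
# handful of licences are covered here; a real scanner uses a reference DB.
LICENSE_SIGNATURES = [
    (r"Apache License\s*Version 2\.0", "Apache-2.0"),
    (r"GNU LESSER GENERAL PUBLIC LICENSE\s*Version 2\.1", "LGPL-2.1"),
    (r"GNU GENERAL PUBLIC LICENSE\s*Version 3", "GPL-3.0"),
    (r"Permission is hereby granted, free of charge", "MIT"),
]


def parse_pom_dependencies(pom_xml):
    """Return (group, artifact, version) for every declared dependency,
    resolving ${property} references against the POM's <properties>."""
    root = ET.fromstring(pom_xml)
    props = {
        child.tag.split("}")[1]: (child.text or "").strip()
        for child in root.findall("m:properties/*", POM_NS)
    }
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        raw_version = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw_version)
        deps.append((
            dep.findtext("m:groupId", namespaces=POM_NS).strip(),
            dep.findtext("m:artifactId", namespaces=POM_NS).strip(),
            version,
        ))
    return deps


def detect_licenses(files, artifact):
    """Match licence signatures in any text file under the component's directory."""
    found = set()
    prefix = "third_party/%s/" % artifact
    for path, text in files.items():
        if path.startswith(prefix):
            for pattern, spdx in LICENSE_SIGNATURES:
                if re.search(pattern, text):
                    found.add(spdx)
    return sorted(found)


def build_bom(pom_xml, files):
    """The baseline: each third-party component, its resolved version, and the
    licences evidenced by files on disk ("NOASSERTION" when none were found)."""
    bom = []
    for group, artifact, version in parse_pom_dependencies(pom_xml):
        licenses = detect_licenses(files, artifact)
        bom.append({
            "component": "%s:%s" % (group, artifact),
            "version": version,
            "licenses": licenses or ["NOASSERTION"],
        })
    return bom


if __name__ == "__main__":
    for entry in build_bom(SAMPLE_POM, SAMPLE_FILES):
        print(entry)
```

A "NOASSERTION" entry in the output is the case the deck's licence slide warns about: copyright exists automatically, so a component with no licence text grants no permission to use it and needs to be resolved with the upstream project or removed before the baseline is signed off.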

Package Pre-Approval

Request/Assess/Approve-Reject Process

Information required for pre-approval

– Project Information

• Project name, URL, license, author(s), type, exportability, etc.

– Package Information

• Package name and version

• Source of package

• Package itself (for scanning)

• Security Vulnerabilities

– Usage Model

• Distribution model

– (binary, source, hosted, internal only, etc.)

• Types of derivatives

– (Modified? Linked? Loosely coupled?)

• Organization specific information

– Business unit

– Business justification

• Maintenance and support

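The request/assess/approve-reject step above, together with the NVD lookup mentioned under Security Vulnerabilities, is where an automated first pass pays off before a human reviewer sees the request. The following is an added example (not Protecode's or Source Code Control's tooling) of such a gate: it applies an illustrative licence whitelist/blacklist keyed on the usage model from the request, and checks the requested version against a local copy of a vulnerability feed. The policy rules are a hypothetical organisation's, not legal advice; the package names, the advisory records and their EXAMPLE-… identifiers are constructed placeholders, not real NVD entries.

```python
"""Added example: automated first pass over a package pre-approval request.

Policy, packages and advisories are constructed for this example. The
advisory IDs are placeholders, not real CVE entries, and the policy is
illustrative rather than legal advice.
"""
import re

# Illustrative policy, expressed as SPDX identifiers. A real policy is set
# with the legal and security stakeholders named in the OSS policy slide.
POLICY = {
    "always_allowed": {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    "never_allowed": {"NOASSERTION"},  # no licence text found: do not use it
    # Copyleft licences are accepted for internal-only use; any distribution
    # (binary, source, hosted) goes to legal review.
    "review_if_distributed": {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"},
    "internal_models": {"internal only"},
}

# Constructed local vulnerability feed. Each record: affected package,
# first affected version (inclusive), fixed version (exclusive).
ADVISORIES = [
    {"id": "EXAMPLE-2015-0001", "package": "org.example:jsonlib",
     "introduced": "2.0.0", "fixed": "2.4.5", "severity": "high"},
    {"id": "EXAMPLE-2015-0002", "package": "org.example:textutils",
     "introduced": "3.0.0", "fixed": "3.3.0", "severity": "medium"},
]


def version_key(version):
    """Numeric-aware sort key so that 2.10.0 > 2.4.5 (plain string
    comparison gets this wrong). Non-numeric parts such as 'rc1' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def affected(advisory, package, version):
    """True if the requested package/version falls inside the advisory's range."""
    if advisory["package"] != package:
        return False
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def assess_request(request, policy=POLICY, advisories=ADVISORIES):
    """Return (decision, reasons) where decision is 'approve', 'review' or 'reject'.

    request: {"package", "version", "licenses", "distribution"} as collected
    on the pre-approval form (package and usage-model sections)."""
    reasons = []
    decision = "approve"
    distributed = request["distribution"] not in policy["internal_models"]

    for lic in request["licenses"]:
        if lic in policy["never_allowed"]:
            decision = "reject"
            reasons.append("licence %s is not acceptable" % lic)
        elif lic in policy["review_if_distributed"]:
            if distributed:
                if decision != "reject":
                    decision = "review"
                reasons.append("copyleft licence %s with '%s' distribution needs legal review"
                               % (lic, request["distribution"]))
        elif lic not in policy["always_allowed"]:
            if decision != "reject":
                decision = "review"
            reasons.append("licence %s is not on the whitelist" % lic)

    hits = [a for a in advisories if affected(a, request["package"], request["version"])]
    for a in hits:
        reasons.append("%s affects %s %s (fixed in %s, severity %s)"
                       % (a["id"], request["package"], request["version"], a["fixed"], a["severity"]))
    # A known high-severity issue in the requested version is an automatic
    # reject; anything lower still needs a human to look at it.
    if any(a["severity"] == "high" for a in hits):
        decision = "reject"
    elif hits and decision == "approve":
        decision = "review"
    return decision, reasons


if __name__ == "__main__":
    sample_requests = [
        {"package": "org.example:jsonlib", "version": "2.4.2",
         "licenses": ["Apache-2.0"], "distribution": "binary"},
        {"package": "org.example:textutils", "version": "3.3.2",
         "licenses": ["LGPL-2.1"], "distribution": "internal only"},
        {"package": "org.example:mysterylib", "version": "0.9",
         "licenses": ["NOASSERTION"], "distribution": "internal only"},
    ]
    for req in sample_requests:
        print(req["package"], req["version"], assess_request(req))
```

The gate only ever tightens the outcome (approve can become review or reject, never the reverse), and the reasons list is what the licensing team sees on the request, so a rejection always carries the specific licence or advisory that caused it. The version-range comparison is the part worth getting right: a feed lookup that compares version strings lexically will mark 2.10.0 as older than 2.4.5 and let an unfixed build through.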

Cost of Compliance at Different Stages of Development

License management is most effective when applied early in the development life cycle.

(Chart: cost on the vertical axis against stage on the horizontal axis, Development | Build/QA | In The Market. Measures shown, earliest to latest: Software Package Pre-Approval, Real-Time Preventative Measures, Periodic Analysis, Build-Time & Pre-Launch Analysis, Post-Launch Correction.)

Effort involved in fixing licensing issues at different stages in development

(Chart: number of issues created against effort. Without early checks, issues are created by developers and resolved later by the licensing team; with real-time checks, developers resolve issues as they arise.)

Reporting Options

Summary report

– High level view of the findings

– Highlight key findings, areas requiring attention

– Reference material on licenses found, best practices

Detailed reports

– Detailed file-by-file

– CSV Export

– License obligations

– License incompatibilities

– Text of all licenses applicable to software packages

– Security vulnerabilities

– Export Control Classification Numbers (ECCN)

The first scan and review becomes a baseline. Subsequent scans are much quicker since they leverage existing data.

Analyzer Raw Output

Summary Report

Licence Obligations Report

Security Vulnerability Report

(The four slides above are screenshots of the corresponding reports; the images are not reproduced in this transcript.)

Q&A

Please type your questions into the chat box to the right


About Source Code Control Limited

• Software source code audits

– Legal risk/licence compliance: OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks

– Security vulnerabilities: security vulnerabilities contained within components

– Operational risk: evaluates whether components meet your technical and architectural standards

– Community support: determines developer activity and resulting component viability based on commit history

• Ease the adoption of Open Source Software

– Create a structure to enable compliance with OSS licence requirements

– Enable greater use of OSS across the organisation

• Quality code, secure code, compliant code

• DevOps services

About Protecode

Open source compliance and security vulnerability management

solutions

– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance

Accurate, usable and reliable products and services for organizations

worldwide


Next Steps

• Book an individual discussion: [email protected]

– Managing existing OSS projects

– Planning for future OSS adoption

– Code reviews

• Meet us at UK e-Health Week: http://ukehealthweek.com/

• Useful resources

– European Commission OSS program: https://joinup.ec.europa.eu/community/osor/home

– Open Source Initiative: http://opensource.org/

– BCS Open Source Specialist Group: http://ossg.bcs.org/

• For more information about Source Code Control Limited: http://www.opensourcecontrol.com/

• For more information about Protecode: http://www.protecode.com/

[email protected]

www.protecode.com