Protecode Inc. 2015 Proprietary 1
Software Audit Strategies:
How Often is Enough?
February 25, 2015
Agenda
• Manageable challenges of OSS
• Software audits
  – What it is
  – What it is not
• One-time audit versus continuous audit
  – How often?
• Typical software audit process
• Q/A
OSS Market Penetration
• Unstoppable growth
  – 85% industry adoption (Gartner 2008)
  – 98% worldwide adoption (Accenture 2010)
  – 99% worldwide adoption by 2016 (Gartner)
• Adoption at various levels
  – Organizational level
  – Personal level
• Not a niche play
  – Automotive, healthcare, financial
  – Cloud, mobile, database, security
  – Gaming, tools, imaging, aerospace
  – Anything that includes any code!
Manageable Challenges of OSS
• Open source software belongs to those who create it
  – License = blanket permission to use, generally under certain conditions
  – Licenses and license terms can be confusing to development groups
    • Copyleft, weak copyleft, permissive
    • Attribution, internal use, distribution, SaaS use, modifications, binary distribution, static versus dynamic linking, DRM measures, derivatives
  – Compliance obligations
• Security vulnerabilities
  – Any software can be vulnerable
  – Commercial or OSS
• Export control attributes
What is a Software Code Audit?
• It is a discovery process
• Identifies third-party components in a software portfolio
  – Open source software (OSS)
  – Other third-party software
• Highlights attributes such as
  – Licensing
  – Authorship and copyrights
  – Security vulnerabilities
  – Export suitability
  – Software pedigree, versions, modifications
• Reduces exposure
  – Intellectual property (IP) uncertainties, compliance and security
Value of Software Code Audits
• Reduces IP uncertainties
• Focuses licensing/legal teams on compliance
  – Audits accelerate, and improve the accuracy of, the discovery stage
• Helps technology organizations
  – Adopt open source software profitably
    • Lower effort for non-strategic components
    • Shorter time-to-market
    • Lower development costs
  – Improve business competitiveness
    • Ensures adherence to IP policies
    • Improved quality
    • Eliminates cross-project IP contamination
• Assists the open source community
  – Allows publication of code pedigree and communication of licenses
  – Frees OSS adopters from uncertainties
Understanding Software Composition
• Code complexity is growing
• Good developers do not write code from scratch
  – Open source usage is growing
    • Benefits: variety of choice, access to source, reduced effort, lower development cost, faster time to market
    • Challenges: IP ownership and license obligations
• Access to code is easy
  – OSS repositories, the web, previous-life work
• Outsourcing software is common
• A detailed software bill of materials (BoM) is not available
  – Required during a transaction
  – Needed for internal compliance and vulnerability management (Do we own our code?)
Typical Issues Uncovered in an Audit
• OSS content with ambiguous or no licenses
  – Software with copyrights but no licenses
  – Software with authors but no copyrights or licenses
  – Software with no pedigree information
  – Public-domain software with proprietary licenses
• Mismatch between licenses and the business model
  – e.g. modified content under a restrictive copyleft license inside closed-source commercial software
  – Cloud deployments and newer license models
  – Warranties and support models
  – Attribution obligations
• OSS packages with reported vulnerabilities
  – Examples: Heartbleed, Shellshock/Bashdoor
How Often is Good Enough?
• Companies take stock of the portfolio
  – When triggered by a transaction (M&A, shipping a product, technology transfer, investment)
  – At regular time intervals (daily, weekly, monthly, quarterly)
  – When code is acquired (from contractors, suppliers)
• Effort increases as time elapses
  – Volume of code increases
  – Code gets dispersed across product lines
  – Developers move around…
• When information is fresh
  – Audits take less effort
  – Unknowns are resolved quickly
  – Remedies are less costly
Waiting for the “Trigger”
• Unchecked, vulnerabilities scale with time and volume of software
• Audits at transaction time take effort, and fixing problems can be costly
Regular Time Intervals
• Audits at regular intervals, or as new code is acquired, can detect licensing and security vulnerabilities quickly
• Reduces effort and remedial costs, and avoids propagation of “bad” code
Anatomy of an Audit
1. NDA in place
   – May be 2-way, 3-way, 4-way or more!
2. Audit questionnaire and discussion
   – Who is the sponsor?
   – Purpose of the audit
     • M&A? Tech transfer? A collaborative work?
     • Product delivery? Ongoing quality process?
   – Company information
     • What business? R&D practices
     • Contracting, outsourcing practices
     • Third-party (including OSS) usage practices
     • Is there an open source adoption policy?
     • Composition and complexity of the code portfolio
       – Structure, languages, archives, size (MBytes or files)
3. Audit agreement (SOW)
Audit Steps: Software Scanning
4. Software scanning
   – Access to software, and scan set-up
     • Look for specific copyrights, authors, company names
     • Look for specific terms such as “modified”, “copied from”, “stolen from”
   – Scan software files
     • Software files (source code, binaries, archives)
     • Information files (README, COPYING, LICENSE, etc.)
   – Automated scan
     a. Local scrubbing of software files
     b. Similarity with public-domain OSS
   – Raw machine results
     • OSS projects, packages, versions, licenses, copyrights, vulnerabilities, encryption content, etc.
     • Modified/unmodified software
     • Proprietary, unknowns, conflicting licenses, etc.
   – Fast: ~4k files (100–200 MBytes) per hour
Audit Steps: Resolution and signoff
5. Manual analysis and approval
   – Review every package, every file and every attribute reported by the automated analyzer
     • Resolve unknowns (e.g. proprietary software with no headers)
     • Flag inconsistencies (e.g. file license ≠ package license)
     • Add missing information
     • Highlight areas requiring attention (e.g. copyright, but no license info)
   – May need consultation with the R&D team
   – Longest part of the process: ~days
   – Prepare the final executive report
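As an added example (not Protecode's tooling and not code from the deck), the following Python scanner automates the first pass of steps 4 and 5 above: it extracts copyright, author, license and pedigree markers ("modified", "copied from", "stolen from") from each file, resolves every file against the nearest LICENSE/COPYING file above it, and flags the inconsistencies a reviewer would otherwise hunt for by hand (file license ≠ package license, copyright but no license, author but no copyright, no header at all, no package license). The sample tree, license fingerprints and category names are constructed for illustration; similarity matching against public OSS, which the real scan also does, is out of scope here.

```python
# Header-level scan of an in-memory source tree ({posix path: text}) with
# package-license reconciliation. Constructed sample data, not real files.
import posixpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path category detail")

# License fingerprints: an SPDX tag wins; otherwise a distinctive phrase.
# Illustrative list only, not a complete license database.
LICENSE_PATTERNS = [
    (re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)"), None),
    (re.compile(r"GNU Lesser General Public License", re.I), "LGPL"),
    (re.compile(r"GNU General Public License", re.I), "GPL"),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT"),
    (re.compile(r"Apache License", re.I), "Apache-2.0"),
]
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*(\d{4})", re.I)
AUTHOR_RE = re.compile(r"(?:@author|Author:)[ \t]*([^\n*]+)", re.I)
# Pedigree terms the deck says to look for during scan set-up.
PEDIGREE_RE = re.compile(r"\b(modified|copied from|stolen from)\b", re.I)
LICENSE_FILE_RE = re.compile(r"^(LICENSE|COPYING)(\..*)?$", re.I)
SOURCE_EXTS = (".c", ".h", ".cpp", ".py", ".js", ".java", ".go")

def detect_license(text):
    """Return a license label from an SPDX tag or a known phrase, else None."""
    for pattern, label in LICENSE_PATTERNS:
        m = pattern.search(text)
        if m:
            return label or m.group(1)
    return None

def extract_attributes(text):
    """Pull the header attributes an audit records out of one file."""
    cr = COPYRIGHT_RE.search(text)
    au = AUTHOR_RE.search(text)
    return {
        "license": detect_license(text),
        "copyright": cr.group(1) if cr else None,
        "author": au.group(1).strip() if au else None,
        "pedigree_terms": sorted({t.lower() for t in PEDIGREE_RE.findall(text)}),
    }

def package_licenses(tree):
    """Map each directory holding a LICENSE/COPYING file to the license it declares."""
    return {posixpath.dirname(p): detect_license(t) for p, t in tree.items()
            if LICENSE_FILE_RE.match(posixpath.basename(p))}

def nearest_package(path, packages):
    """Walk up from the file's directory to the closest directory with a license file."""
    d = posixpath.dirname(path)
    while True:
        if d in packages:
            return d
        if d == "":
            return None
        d = posixpath.dirname(d)

def audit(tree):
    """Reconcile every source file against its package and return the findings."""
    packages = package_licenses(tree)
    findings = []
    for path in sorted(tree):
        if not path.lower().endswith(SOURCE_EXTS):
            continue
        a = extract_attributes(tree[path])
        pkg = nearest_package(path, packages)
        for term in a["pedigree_terms"]:
            findings.append(Finding(path, "pedigree-term", term))
        if a["license"] is None:  # no file-level license: classify what is there
            if a["copyright"]:
                findings.append(Finding(path, "copyright-no-license", f"copyright {a['copyright']} but no license"))
            elif a["author"]:
                findings.append(Finding(path, "author-no-copyright-or-license", a["author"]))
            else:
                findings.append(Finding(path, "no-header", "no copyright, author or license in file"))
        if pkg is None:
            findings.append(Finding(path, "no-package-license", "no LICENSE/COPYING above file"))
        elif a["license"] and packages[pkg] and a["license"] != packages[pkg]:
            findings.append(Finding(path, "file-license-mismatch", f"file {a['license']} != package {packages[pkg]}"))
    return findings

# Constructed sample tree covering the issue types listed in the deck.
SAMPLE_TREE = {
    "libfoo/LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person\n",
    "libfoo/src/a.c": "/* Copyright (c) 2012 Foo Project\n * SPDX-License-Identifier: MIT */\nint a(void) { return 1; }\n",
    "libfoo/src/b.c": "/* Copyright (c) 2009 Some Vendor\n * Licensed under the GNU General Public License v2 */\nint b(void) { return 2; }\n",
    "libfoo/src/c.c": "/* Copyright (c) 2013 Bar Corp */\nint c(void) { return 3; }\n",
    "vendor/mystery/author.h": "// Author: J. Doe\nint helper(void);\n",
    "vendor/mystery/util.c": "/* copied from an old project, modified for our build */\nint u(void) { return 4; }\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"{f.path:26} {f.category:32} {f.detail}")
```

Every finding still needs the manual review of step 5; the scanner only makes sure nothing with a missing, conflicting or suspicious header slips past unnoticed.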
Audit Steps: Reports & Q/A
• High-level executive report
  – High-level view of the findings
  – Key findings and areas requiring attention
  – Reference material on licenses found, best practices
• Machine reports
  – Overview
  – Detailed file-by-file
  – License incompatibilities
  – License obligations report
  – Security vulnerabilities
  – Encryption package report (including ECCN)
  – Text of all licenses applicable to software packages
• Post-report consultation and Q/A
Compliance and Vulnerability Management as a Quality Development Process
License and vulnerability management is most effective when applied early in the development life cycle.
Crowdsourcing “Compliance”
[Chart: number of issues created versus effort. Issues are created by developers and resolved by the licensing team.]
OSSAP
Open Source Software Adoption Process
1. Define a policy
2. Establish a baseline
3. Package pre-approval
4. Scan in real time
5. Scan at regular intervals
6. Final build analysis
About Protecode
• Open source compliance and security vulnerability management solutions
  – Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
• Accurate, usable and reliable products and services for organizations worldwide
Pitfalls of IP Uncertainties
• Negatively impacts M&A activities
• Lowers company valuations
• Delays product shipments
• Deters downstream users
• Reduces the ability to create partnerships
• Introduces delays and threatens closures in financings
• Creates litigation risks for the company and its clients
Partial Matches (modified OSS code)
Analyzer Raw Output
Audit Questionnaire
Audit Report
Software Bill of Materials
License Obligations Report
Security Vulnerability Report
License Text
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
 
Rapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysisRapid software testing and conformance with static code analysis
Rapid software testing and conformance with static code analysis
 
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
 
Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization Shifting the conversation from active interception to proactive neutralization
Shifting the conversation from active interception to proactive neutralization
 
Where’s the license?
Where’s the license?Where’s the license?
Where’s the license?
 
Top 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
 
Owasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing master
 
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 

Recently uploaded

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Software audit strategies: how often is enough?

6. Value of Software Code Audits
 Reduces IP uncertainties
 Focuses licensing/legal teams on compliance
– Audits accelerate, and improve accuracy of, the discovery stage
 Helps technology organizations
– Adopt open source software profitably
• Lower effort for non-strategic components
• Shorter time-to-market
• Lower development costs
– Improve business competitiveness
• Ensures adherence to IP policies
• Improved quality
• Eliminates cross-project IP contamination
 Assists the open source community
– Allows publication of code pedigree and communication of licenses
– Frees OSS adopters from uncertainties
7. Understanding Software Composition
 Code complexity is growing
 Good developers do not write code from scratch
– Open source usage is growing
• Benefits (variety of choice, access to source, reduced effort, lower development cost, faster time to market)
• And challenges (IP ownership and license obligations)
 Access to code is easy
– OSS repositories, WWW, previous-life work
 Outsourcing software is common
 Detailed software BoM not available
– Required during a transaction
– Needed for internal compliance and vulnerability management (Do we own our code?)
8. Typical Issues Uncovered in an Audit
 OSS content with ambiguous / no licenses
– Software with copyrights but no licenses
– Software with authors but no copyrights/licenses
– Software with no pedigree information
– Public domain software with proprietary licenses
 License / business model mismatch
– e.g. modified restrictive copyleft-licensed content in closed-source commercial software
– Cloud deployments and newer license models
– Warranties and support models
– Attribution obligations
 OSS packages with reported vulnerabilities
– Examples: Heartbleed, Shellshock/Bashdoor
9. How Often is Good Enough?
 Companies take stock of the portfolio
– When triggered by a transaction (M&A, shipping product, technology transfer, investment)
– At regular time intervals (daily, weekly, monthly, quarterly)
– When code is acquired (from contractors, suppliers)
 Effort increases as time elapses
– Volume of code increases
– Code gets dispersed across product lines
– Developers move around…
– When information is fresh
• Audits take less effort
• Unknowns are resolved quickly
• Remedies are less costly
10. Waiting for the “Trigger”
 Unchecked, vulnerabilities scale with time and volume of software
 Audits at transaction time take effort, and fixing problems can be costly
11. Regular Time Intervals
 Audits at regular intervals, or as new code is acquired, detect licensing and security vulnerabilities quickly
 Reduces effort and remedial costs, and avoids propagation of “bad” code
12. Anatomy of an Audit
1. NDA in place
– May be 2-way, 3-way, 4-way or more!
2. Audit questionnaire and discussion
– Who is the sponsor?
– Purpose of the audit
• M&A? Tech transfer? A collaborative work?
• Product delivery? Ongoing quality process?
– Company information
• What business? R&D practices
• Contracting, outsourcing practices
• Third-party (including OSS) usage practices
• Is there an open source adoption policy?
• Composition and complexity of the code portfolio
– Structure, languages, archives, size (Mbytes or files)
3. Audit agreement (SOW)
13. Audit Steps: Software Scanning
4. Software scanning
– Access to software, and scan set-up
• Look for specific copyrights, authors, company names
• Look for specific terms such as “modified”, “copied from”, “stolen from”
– Scan software files
• Software files (source code, binaries, archives)
• Information files (README, COPYING, LICENSE, etc.)
– Automated scan
a. Local scrubbing of software files
b. Similarity with publicly available OSS
– Raw machine results
• OSS projects, packages, versions, licenses, copyrights, vulnerabilities, encryption content, etc.
• Modified/unmodified software
• Proprietary, unknowns, conflicting licenses, etc.
– Fast: ~4k files (100–200 Mbytes)/hour
14. Audit Steps: Resolution and Sign-off
5. Manual analysis and approval
– Review every package, every file and all attributes reported by the automated analyzer
• Resolve unknowns (e.g. proprietary software with no headers)
• Flag inconsistencies (e.g. file license ≠ package license)
• Add missing information
• Highlight areas requiring attention (e.g. copyright, but no license info)
– May need consultation with the R&D team
– Longest part of the process: ~days
– Prepare the final executive report
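The scanning and manual-analysis steps above, as an added example that is not Protecode's analyzer or any code from the deck: a small Python scan walks a package tree, records per-file license, copyright and suspect-phrase evidence (“copied from”, “stolen from”, “modified from”), takes the package-level license from LICENSE/COPYING/README, and then flags the inconsistencies slide 14 lists: file license ≠ package license, copyright but no license, and no pedigree information at all. The SPDX-tag and phrase-table license detection, the sample tree and every name in it are assumptions standing in for the similarity matching a real analyzer performs.

```python
"""Added example, not Protecode's scanner: a minimal license/copyright/pedigree
scan of a source tree plus the inconsistency checks a manual reviewer makes.
License detection by SPDX tag or a tiny phrase table is an assumption in place
of the full-text similarity matching a real analyzer uses."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed phrase table: SPDX id -> a phrase that identifies the license text.
LICENSE_PHRASES = {
    "MIT": "permission is hereby granted, free of charge",
    "GPL-2.0-only": "either version 2 of the license",
    "Apache-2.0": "licensed under the apache license, version 2.0",
}
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}", re.IGNORECASE)
SUSPECT_TERMS = ("copied from", "stolen from", "modified from")   # pedigree red flags
INFO_FILES = {"LICENSE", "COPYING", "README"}                        # carry the package-level license


@dataclass
class Finding:
    path: str
    license: Optional[str]
    has_copyright: bool
    suspect: List[str] = field(default_factory=list)


def detect_license(text: str) -> Optional[str]:
    """SPDX tag wins; otherwise match the phrase table on whitespace-collapsed text."""
    m = SPDX_RE.search(text)
    if m:
        return m.group(1)
    flat = " ".join(text.lower().split())
    for spdx, phrase in LICENSE_PHRASES.items():
        if phrase in flat:
            return spdx
    return None


def scan_file(full_path: str, rel_path: str) -> Finding:
    with open(full_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    flat = " ".join(text.lower().split())
    return Finding(rel_path, detect_license(text), bool(COPYRIGHT_RE.search(text)),
                   [t for t in SUSPECT_TERMS if t in flat])


def scan_tree(root: str) -> Tuple[Optional[str], List[Finding]]:
    """Raw machine results: the package license (first info file that declares one)
    and one Finding per source file."""
    package_license, findings = None, []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            finding = scan_file(full, os.path.relpath(full, root))
            if name in INFO_FILES:
                package_license = package_license or finding.license
            else:
                findings.append(finding)
    return package_license, findings


def review(package_license: Optional[str], findings: List[Finding]) -> List[Tuple[str, str]]:
    """The manual-analysis checks: inconsistencies and missing pedigree, per file."""
    issues = []
    for f in findings:
        if f.license and package_license and f.license != package_license:
            issues.append((f.path, f"file license {f.license} != package license {package_license}"))
        if f.has_copyright and not f.license:
            issues.append((f.path, "copyright but no license"))
        if not f.has_copyright and not f.license:
            issues.append((f.path, "no pedigree information"))
        for term in f.suspect:
            issues.append((f.path, f"contains '{term}'"))
    return issues


def audit(root: str) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    package_license, findings = scan_tree(root)
    return package_license, review(package_license, findings)


# Constructed sample package: an MIT LICENSE file and four source files with
# different pedigree evidence. Names and contents are made up for the example.
SAMPLE_TREE = {
    "LICENSE": "MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy...\n",
    "src/a.c": "// SPDX-License-Identifier: MIT\n// Copyright (c) 2014 Example Co\nint a(void) { return 1; }\n",
    "src/b.c": "/* Copyright (C) 2009 Someone Else\n * This program is free software; either version 2 of the License,"
               " or (at your option) any later version. */\nint b(void) { return 2; }\n",
    "src/c.c": "/* Copyright 2012 Contractor Ltd */\nint c(void) { return 3; }\n",
    "src/d.c": "/* copied from an old project */\nint d(void) { return 4; }\n",
}


def write_sample_tree(base: Optional[str] = None) -> str:
    base = base or tempfile.mkdtemp()
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    pkg, issues = audit(write_sample_tree())
    print("package license:", pkg)
    for path, msg in issues:
        print(f"{path}: {msg}")
```

On the sample tree the scan reports MIT as the package license and raises four issues: b.c carries a GPL-2.0 header inside an MIT package (exactly the file-versus-package mismatch of slide 14), c.c has a copyright but no license, and d.c has neither, plus the “copied from” remark that a reviewer would take to R&D.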
15. Audit Steps: Reports & Q/A
 High-level executive report
– High-level view of the findings
– Highlights key findings, areas requiring attention
– Reference material on licenses found, best practices
 Machine reports
– Overview
– Detailed file-by-file
– License incompatibilities
– License obligations report
– Security vulnerabilities
– Encryption package report (including ECCN)
– Text of all licenses applicable to software packages
 Post-report consultation & Q/A
16. Compliance and Vulnerability Management as a Quality Development Process
License and vulnerability management is most effective when applied early in the development life cycle
17. Crowdsourcing “Compliance”
[Figure: number of issues created versus effort; issues are created by developers (“Issues are created here…”) and resolved by the licensing team (“…and resolved here”).]

18. Crowdsourcing “Compliance”
[Figure: same labels (number of issues created, “Issues are created here…”, “…and resolved here”, Developers, Licensing Team, Effort) in a second arrangement.]
19. OSSAP: Open Source Software Adoption Process
Define a Policy → Establish a Baseline → Package Pre-Approval → Scan in Real-Time → Scan at Regular Intervals → Final Build Analysis
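An added example (not Protecode's product, nor code from the deck) of the gate that OSSAP applies at Package Pre-Approval and repeats at Final Build Analysis, which also covers the vulnerability finding from slide 8 and the obligations and vulnerability reports from slide 15: every entry in a bill of materials is evaluated against an adoption policy for a closed-source binary product and against an advisory list with version ranges. The advisory list holds one real entry, Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f on the 1.0.1 branch, fixed in 1.0.1g); the policy table, the inventory, the version parser and the “vendor-crypto” entry are constructed for the example.

```python
"""Added example, not Protecode's product: gate a software bill of materials
against an adoption policy and a vulnerability list. Only the Heartbleed advisory
is real; the policy, the inventory and the version parser are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]       # SPDX id from the audit; None when the audit found no license
    linking: str = "dynamic"     # "static" or "dynamic"; matters for weak copyleft
    modified: bool = False       # partial match against upstream => modified OSS


@dataclass
class Advisory:
    cve: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)


# Constructed policy for a product shipped as a closed-source binary.
POLICY = {
    "deny":   {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"},
    "review": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"},
    "allow":  {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib", "OpenSSL"},
}
# Real advisory: Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the fix.
ADVISORIES = [Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g")]

RANK = {"approve": 0, "review": 1, "deny": 2}
_VER = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)$")


def version_key(v: str) -> tuple:
    """'1.0.1f' -> (1, 0, 1, 0, 6): numeric parts padded to four, then the OpenSSL-style
    letter suffix (0 = none), so '1.0.1' < '1.0.1a' < ... < '1.0.1g' compare correctly."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    suffix = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (suffix,)


def affected(c: Component, adv: Advisory) -> bool:
    return (c.name == adv.package
            and version_key(adv.introduced) <= version_key(c.version) < version_key(adv.fixed))


def worst(a: str, b: str) -> str:
    return a if RANK[a] >= RANK[b] else b


def evaluate(c: Component) -> Tuple[str, List[str]]:
    """Return (status, reasons); status is 'approve', 'review' or 'deny'."""
    status, reasons = "approve", []
    cves = [a.cve for a in ADVISORIES if affected(c, a)]
    if cves:
        status = "deny"
        reasons.append("known vulnerabilities: " + ", ".join(cves))
    if c.license is None:
        status = worst(status, "review")
        reasons.append("no license identified; resolve pedigree before use")
    elif c.license in POLICY["deny"]:
        status = "deny"
        reasons.append(f"{c.license}: strong copyleft, incompatible with closed-source binary distribution")
    elif c.license in POLICY["review"]:
        if c.linking == "static" or c.modified:
            status = worst(status, "review")
            reasons.append(f"{c.license}: static linking or modification triggers source obligations; legal review")
        else:
            reasons.append(f"{c.license}: unmodified and dynamically linked; ship license text and allow relinking")
    elif c.license in POLICY["allow"]:
        reasons.append(f"{c.license}: attribution obligation; include the notice in the distribution")
    else:
        status = worst(status, "review")
        reasons.append(f"{c.license}: not covered by policy; legal review")
    return status, reasons


def gate(inventory: List[Component]) -> Dict[str, Tuple[str, List[str]]]:
    return {c.name: evaluate(c) for c in inventory}


def build_passes(inventory: List[Component]) -> bool:
    """Final build analysis: no component may be in 'deny'."""
    return all(evaluate(c)[0] != "deny" for c in inventory)


# Constructed bill of materials. Licenses for the real packages are their actual
# licenses; "vendor-crypto" is a hypothetical contractor-supplied component.
INVENTORY = [
    Component("openssl", "1.0.1e", "OpenSSL", linking="static"),
    Component("zlib", "1.2.8", "Zlib"),
    Component("readline", "6.3", "GPL-3.0-or-later"),
    Component("libusb", "1.0.19", "LGPL-2.1-or-later", linking="static"),
    Component("vendor-crypto", "0.3", None),
]

if __name__ == "__main__":
    for name, (status, reasons) in gate(INVENTORY).items():
        print(f"{status:8} {name}: " + "; ".join(reasons))
    print("build passes:", build_passes(INVENTORY))
```

The same function serves both OSSAP stages: at pre-approval it runs on the one package a developer wants to bring in, at final build it runs over the whole inventory and fails the build on any “deny”. Note that a permissive license does not rescue a vulnerable version (openssl 1.0.1e is denied on CVE-2014-0160 alone), and that a component with no license at all is held for review rather than silently approved.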
20. About Protecode
 Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
 Accurate, usable and reliable products and services for organizations worldwide
21. [untitled image slide]
22. Pitfalls of IP Uncertainties
 Negatively impacts M&A activities
 Lowers company valuations
 Delays product shipments
 Deters downstream users
 Reduces ability to create partnerships
 Introduces delays and threatens the closing of financings
 Creates litigation risk for the company and its clients
23. Partial Matches (modified OSS code)
24. Analyzer Raw Output
25. Audit Questionnaire
26. Audit Report
27. Software Bill of Materials
28. License Obligations Report
29. Security Vulnerability Report
30. License Text