Leveraging Open Source Opportunity in the Public Sector Without the Risk
Transcript of Leveraging Open Source Opportunity in the Public Sector Without the Risk
Protecode Inc. 2015
Leveraging Open Source Opportunity in the Public Sector
Without the Risk
February 27th 2015
Agenda
Open Source Software
– Open source is a huge opportunity for the public sector
– The Benefits of Using Open Source
– Potential challenges
Mitigating Risk
– Open source software adoption process (OSSAP)
– Establishing a baseline + a policy
Optimising OSSAP
– When should you worry about licence compliance?
– Crowdsourcing OSSAP
Wrap up and Q/A
Tiberius Forrester, Director, Solution Architecture, Protecode
Martin Callinan, Director, Source Code Control
OSS Opportunity in the Public Sector
Create a market of Open Source Solutions
– Applications can be modified to suit individual requirements
Faster time to market of solutions
Efficiencies
– Pay for what is needed, use what you pay for
Create a library of assets for re-use
Ecosystem of communities
Avoid individual vendor “lock-in”
Open Source Software
Enables rapid software development
– Easy access to code
– Hundreds of thousands of projects
– Enables new business models
– The original crowd sourcing model (and most successful)
The good:
– Faster, more functional
– Improves interoperability, adoption of standards
The challenge:
– Uncertain ownership structure
• Intellectual property - copyright, license
• Maintenance and support
– Potential Security and quality vulnerabilities
– Requires due diligence – and a managed adoption process
Why OSS?
Copyright and Licences: It Matters!
Copyrights are automatic – even when code is made public
– The person/organisation who wrote the code automatically owns the copyright
Permission to use is contained in a license
– No Licence? Don’t use it
Open source licences give you the right to use, modify and
(re)distribute, some with conditions, e.g.
– Reveal that you are using it
– Reproduce the full text of the license
– Disclose your entire source code
– Conditions may limit the combinations of licenses you can use
– Some have bizarre obligations
Choosing the right licences for the right types of use
– Distributed content and format, tools, etc.
Disclaimer: I am not a lawyer, and I don’t provide legal advice!
Security Vulnerabilities
What is a security vulnerability?
“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
Security vulnerabilities are bound to occur
– In both OSS and proprietary software
Known security vulnerabilities are tracked in the National Vulnerability Database (NVD)
OSS Procurement Involves…
Taking inventory of 3rd party components
Clarification of IP ownership and licensing
Ensuring licence models meet business expectations
Compliance to license obligations
Eligibility to export (encryption content)
Minimising Security Risks
OSS Adoption Process (OSSAP)
Maturity Model
– Voluntary policy compliance with legal advice
– Manual search and code review
– In-house tools
– Automated scanning with reference database
– Integrated tool suite within the software development cycle
A clearly defined and well communicated policy is essential in maturing your OSS adoption processes
OSSAP: Open Source Software Adoption Process
– Define a Policy
– Establish a Baseline
– Package Pre-Approval
– Scan in Real-Time
– Scan at Regular Intervals
– Final Build Analysis
What is in the OSS Policy
What’s the Strategy
– Why do we need OSS, and why do we need a policy?
Who are the Stakeholders
– Legal, product management, R&D, Security
– Ownership and buy-in is essential to successfully implement
What’s the Scope
– Who’s covered, what’s covered
– Different rules for different groups or business units are sometimes necessary
How to Apply
– Guidelines, whitelists & blacklists, tools, checklists, etc.
How to Communicate
– Obligations, contributions, public forums
Establishing A Baseline
Objective: Identify all 3rd party content and identify licensing attributes
Tasks:
– Inspect all source code and build ingredients to create a Bill of Materials (BOM).
– Key files:
• Build files (makefile, POM files, etc.)
• Text files containing license text
• Text files that may make reference to licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
Package Pre-Approval
Request/Assess/Approve-Reject Process
Information required for pre-approval
– Project Information
• Project name, URL, license, author(s), type, exportability, etc.
– Package Information
• Package name and version
• Source of package
• Package itself (for scanning)
• Security Vulnerabilities
– Usage Model
• Distribution model
– (binary, source, hosted, internal only, etc.)
• Types of derivatives
– (Modified? Linked? Loosely coupled?)
• Organization specific information
– Business unit
– Business justification
• Maintenance and support
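As an added illustration (not code from Protecode or the presenters), the baseline and pre-approval steps above applied to a Maven project: a constructed pom.xml is turned into a BOM, hypothetical licence attributes are attached, and each package is approved, rejected or sent for review against a constructed whitelist/blacklist policy that differs by distribution model.

```python
import xml.etree.ElementTree as ET

# Constructed sample Maven build file (a "key file" for the baseline); names and versions are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>libfoo</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libbar</artifactId><version>0.9.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libbaz</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libqux</artifactId><version>4.1.0</version></dependency>
  </dependencies>
</project>"""

# Hypothetical licence attributes a reviewer has attached to each package; libqux has none on record.
KNOWN_LICENSES = {"org.example:libfoo": "Apache-2.0", "org.example:libbar": "GPL-3.0-only",
                  "org.example:libbaz": "EUPL-1.2"}

# Constructed policy: whitelist/blacklist per distribution model (different rules for different uses).
POLICY = {
    "binary":   {"allow": {"Apache-2.0", "MIT", "BSD-3-Clause"}, "deny": {"GPL-3.0-only"}},
    "internal": {"allow": {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-3.0-only"}, "deny": set()},
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def build_bom(pom_xml: str) -> list:
    """Baseline step: turn a pom.xml into a Bill of Materials with licence attributes."""
    root = ET.fromstring(pom_xml)
    bom = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        name = f"{dep.findtext('m:groupId', namespaces=NS)}:{dep.findtext('m:artifactId', namespaces=NS)}"
        bom.append({"name": name,
                    "version": dep.findtext("m:version", namespaces=NS),
                    "license": KNOWN_LICENSES.get(name)})
    return bom

def assess(entry: dict, distribution: str) -> str:
    """Pre-approval step: approve, reject, or escalate for review against the policy."""
    rules = POLICY[distribution]
    lic = entry["license"]
    if lic is None or lic in rules["deny"]:   # "No licence? Don't use it", or blacklisted
        return "reject"
    if lic in rules["allow"]:                 # whitelisted for this distribution model
        return "approve"
    return "review"                           # known licence, not on either list: stakeholders decide

def assess_bom(pom_xml: str, distribution: str) -> dict:
    """Decision per package for one distribution model, keyed by package name."""
    return {e["name"]: assess(e, distribution) for e in build_bom(pom_xml)}
```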
Cost of Compliance At Different Stages Of Development
License management is most effective when applied early in the development life cycle.
[Figure: cost of compliance plotted against development stage (Development | Build/QA | In The Market), with the measures Software Package Pre-Approval, Real-Time Preventative Measures, Periodic Analysis, Build-Time & Pre-Launch Analysis, and Post-Launch Correction placed from earliest and cheapest to latest and most costly.]
Effort involved in fixing licensing issues at different stages in development
[Figure: number of issues created and effort to fix, plotted over development stages. Without real-time checks, issues are created by developers early and resolved much later by the licensing team; with real-time checks, issues are resolved as they arise.]
Reporting Options
Summary report
– High level view of the findings
– Highlight key findings, areas requiring attention
– Reference material on licenses found, best practices
Detailed reports
– Detailed file-by-file
– CSV Export
– License obligations
– License incompatibilities
– Text of all licenses applicable to software packages
– Security vulnerabilities
– Export Control Classification Numbers (ECCN)
The first scan and review becomes a baseline. Subsequent scans are much quicker since they leverage existing data.
About Source Code Control Limited
• Software source code audits
• Legal risk/licence compliance: OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks
• Security vulnerabilities: security vulnerabilities contained within components
• Operational risk: evaluates if components meet your technical and architectural standards
• Community support: determines developer activity and resulting component viability based on commit history
• Ease the adoption of Open Source Software
• Create a structure to enable compliance with OSS licence requirements
• Enable greater use of OSS across the organisation
• Quality code
• Secure code
• Compliant code
• DevOps services
About Protecode
Open source compliance and security vulnerability management solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Accurate, usable and reliable products and services for organizations worldwide
Next Steps
• Book an individual discussion: [email protected]
• Managing existing OSS projects
• Planning for future OSS adoption
• Code reviews
• Meet us at UK e-Health Week
• http://ukehealthweek.com/
• Useful resources
• European Commission OSS program
• https://joinup.ec.europa.eu/community/osor/home
• Open Source Initiative
• http://opensource.org/
• BCS Open Source Specialist Group
• http://ossg.bcs.org/
• For more information about Source Code Control Limited
• http://www.sourcecodecontrol.co
• For more information about Protecode
• http://www.protecode.com/