OSS has taken over the enterprise: The top five OSS trends of 2015
Presenter: Richard Sherrard, director of product management, Rogue Wave Software
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
Top five open source trends of 2015
Open source trends we’ve seen in 2015
• Open source has taken over the enterprise
• Open source discovery challenges
• Open source risk management
• Open source governance
• Multi-tiered approach to open source management
#1 Open source has taken over the enterprise
Growth of open source
Use of open source continues to grow at a fast pace!
• 90% of companies use OSS components in commercial software (Gartner)
• >80% of a typical Java application is open-source components and frameworks (TechCrunch)
• 11 million developers worldwide make 13 billion open source requests each year
Innovation drives open source adoption
• Open source components provide critical functionality
• Improves developer productivity
• No license fees
• “More eyes” improves quality & security
• Leveraged development effort
• Communities continuously improve features (Apache, Tomcat, Wildfly, Jakarta Commons, jQuery)
• Mature, commoditized applications and libraries
• Community peer review
Open source in the enterprise
“By 2016, open source software will be in mission-critical software portfolios within 99% of all Global 1,000 enterprises.”
Innovate
• Opens up code options
• Deploy applications with any combination of code source
• Optimize developer effort and time
• Quicker time to market
Identify and mitigate risk
• Technical risk
• Business risk
• Security risk
• Legal and compliance risk
Balance risk and reward
How open source enters your codebase
“90% of code in modern applications is open source” and “31% of companies have had or suspect a breach in an open source component”
Sources that feed delivered code:
• Open source community
• Legacy code
• Internally developed code
• Reused code
• Third party code
• Supply chain code
• Outsource code
Mixed source risks
• Loss of intellectual property
• Defects and quality issues
• License restrictions and obligations
• Support costs
• Security vulnerabilities
• Injunctions
What organizations are looking to answer?
Roles asking: Dev VP & Mgr, OSS Compliance Mgr, CTO/CIO/CISO, Security Mgr, Legal
• What open source am I using?
• Where are we using open source across the organization?
• How can I increase the security of the open source?
• What are my legal obligations?
• Are we able to participate in the open source communities?
Embrace OSS and automate the governance process
Create an automated organization-wide OSS policy and leverage the benefits
• Increase developer productivity
• Educate and develop OSS policies for the developers to follow
• Marshal the resources of the OSS community
• Accelerate software development
Understand, manage, and govern OSS comprehensively: Inventory, Support, Govern
#2 Open source discovery
Large codebases: Open source is everywhere
• Companies today have extremely large codebases made up of thousands of developed applications.
• Lots of different technologies in play – web, mobile, embedded
• Larger number of 3rd party software suppliers being used today
Over 100 million lines of code go into an average high-end car today!
Into the “unknown”
• Once the open source in use has been discovered, you can better understand it
– What license(s) is it distributed under – GPL, Apache, BSD…
– What version(s) are being used; are they outdated?
– Are there known security risks?
– Do I have quality issues with it?
– Is there a strong community behind it?
• A plan of action can then be worked on to resolve identified risks and issues
– There will be many!
The biggest open source challenge organizations face today is not knowing what they have and where they have it
How are they doing discovery today?
• Companies find it extremely hard if not impossible to uncover where open source is being used across the organization
• It is a very ad hoc process across the organization
• Manual code reviews can take multiple man years to complete.
• Surveying or interviewing the development teams is slow and inaccurate as developers leave and move on
• Larger number of 3rd party software suppliers being used today
Automate the discovery of open source
• Automated OSS Scanning
• SDLC Integrations
Automate discovery of your open source
• Discovery by scanning your code
– Conduct scan in-place – access code where it is
– Run baseline and delta scans on your code
• Identify the “right” project
– Multiple matching techniques to find projects, files, snippets, modified code
– Patented noise reduction techniques to avoid false positives, pinpoint the “right” project
• Search for the “right” OSS for your needs
– Large knowledgebase of OSS
– Rich information about the package
– Automated approval policy for OSS usage
• Integrate into the SDLC
– Continuous Integration builds enable on-going automation of your code scanning
Get a comprehensive view of OSS across projects & teams
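The in-place scan with a baseline and a later delta scan, as an added example that is not Rogue Wave's scanner: the product described above matches files and snippets against a knowledgebase, whereas this script only reads dependency manifests (requirements.txt and package.json are the two formats it understands, an assumption for illustration) and records what it finds. The sample source tree, package names and versions are constructed inline, and manifests under node_modules are skipped because they belong to dependencies, not to the scanned project.

```python
"""Constructed discovery scan: find dependency manifests under a source tree,
build an inventory (baseline), and compute the delta against a later scan.
Added example, not Rogue Wave code; only requirements.txt and package.json
are parsed here, and the sample tree is constructed by build_sample_tree()."""
import json
import os
import re
import tempfile

# pinned pip line: name, optional [extras], '==' version; stop at space, ';' or '#'
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")


def parse_requirements(text):
    """Pinned 'name==version' lines from a pip requirements file (others skipped)."""
    found = {}
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            found[("pypi", m.group(1).lower())] = m.group(2)
    return found


def parse_package_json(text):
    """dependencies and devDependencies from package.json; range prefixes stripped."""
    data = json.loads(text)
    found = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            found[("npm", name)] = spec.lstrip("^~=v")
    return found


PARSERS = {"requirements.txt": parse_requirements, "package.json": parse_package_json}


def scan_tree(root):
    """Walk root in place and merge every recognised manifest into one inventory."""
    inventory = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # vendored dependency trees and VCS metadata are not our own manifests
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git")]
        for name in filenames:
            parser = PARSERS.get(name)
            if parser:
                with open(os.path.join(dirpath, name), encoding="utf-8") as fh:
                    inventory.update(parser(fh.read()))
    return inventory


def delta(baseline, current):
    """Components added, removed, or re-versioned between two scans."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k]),
    }


def build_sample_tree():
    """Constructed source tree with two manifests (sample data, not a real project)."""
    root = tempfile.mkdtemp(prefix="oss-scan-")
    os.makedirs(os.path.join(root, "api"))
    os.makedirs(os.path.join(root, "web", "node_modules", "left-pad"))
    with open(os.path.join(root, "api", "requirements.txt"), "w", encoding="utf-8") as fh:
        fh.write("# constructed\nrequests==2.7.0\nDjango[argon2]==1.8.4 ; python_version>'3'\n-e ./local\n")
    with open(os.path.join(root, "web", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"jquery": "^1.11.3"}, "devDependencies": {"grunt": "~0.4.5"}}, fh)
    # a manifest inside node_modules must not be counted as the project's own dependency
    with open(os.path.join(root, "web", "node_modules", "left-pad", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"not-ours": "1.0.0"}}, fh)
    return root


def demo():
    """Baseline scan, then a simulated change set, then the delta scan."""
    root = build_sample_tree()
    baseline = scan_tree(root)
    with open(os.path.join(root, "api", "requirements.txt"), "a", encoding="utf-8") as fh:
        fh.write("lxml==3.4.4\n")
    with open(os.path.join(root, "web", "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"dependencies": {"jquery": "^2.1.4"}}, fh)
    return baseline, delta(baseline, scan_tree(root))


if __name__ == "__main__":
    base, diff = demo()
    print("baseline:", sorted(base.items()))
    print("delta:", diff)
```

The delta output is what a CI integration would act on: newly added components go to the approval workflow, version changes trigger a re-check against the vulnerability feed, and removals close out existing inventory entries.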
#3 Open source risk
Assessing risk in open source
For all its benefits, risks exist
• Legal risk: using the wrong license can compromise IP
• Security risk: the OSS component can include vulnerabilities
• Support risk: who do you call for help?
Cisco’s loss of IP
• CyberTan: used GPL code to customize Broadcom's Linux distribution
• Broadcom: embedded the code in chipset
• Linksys: adopted this into its WRT54G router
• Cisco: bought Linksys for $500m; FSF accused Cisco of license violation; source code made available
Developers modified firmware turning a low-end ($60) device into a high functioning router
Unknown OSS and security issues
Code vulnerabilities
Lack of open source support
• Open source software does not come with commercial support; you are dependent upon the OSS communities to provide you help and fixes
• Who do you call when your “Mission Critical” open source application has an issue?... “No throat to choke”!
• Developers have to negotiate wasted cycles and downtime while waiting for fixes from the community
• Developers do not have anyone to help with risks and development pitfalls
• No formal training provided on the OSS package
Managing OSS risk
Figures cited on the slide: 20%, 76%, 80%
• of organizations lack meaningful controls over OSS selection and use
• of developers need not prove security of OSS they are using
• of the organizations claim to track vulnerabilities in OSS over time
Increased use + few controls = unmanaged risk
Open source support
• With the ubiquity of open source, enterprises need commercial-grade support.
• We are the only vendor offering 24x7 support across hundreds of OSS packages.
• Our “Tier 4” support gives you one call access to enterprise architects, tackling a range of challenging and critical issues.
• We are thought leaders in the industry, and can provide enormous value to any business that utilizes open source software.
Value of open source support
Support offerings range across hundreds of open source products. We help customers:
• Avoid downtime and wasted cycles
• Navigate complex OSS packages requiring broad and deep expertise
• Mitigate risks and development pitfalls
• Receive formal, instructor-led training across several OSS packages
• Gain the peace of mind that comes with 24X7 support coverage
We support the best of open source
#4 Open source governance
OSS best practices
Practice areas: Acquisition & Approval, Support & Maintenance, Tracking, Audit & Governance, Training, Legal Compliance, Community Interaction
Supporting services: Consulting, Certified library request & approval process, SLA support, OpenUpdate, Project tracking, Auditing services, License obligation audit, Certification services, Technical and OSS training, OSS Policy
Manual OSS process
Phases: Select, Approve, Monitor, Discover, Inventory
Manual activities shown across those phases: web search, ask around, check the spreadsheet, answer questions, security review, update spreadsheet, contact legal, fill out form, advocate, monitor security alerts, where used?, code review, rewrite, wait, wait, arch. review, other approval boards, monitor updates to components
OSS management process
Select, Discover, Approve, Inventory, Monitor
Approve your OSS
Requirement: Workflows reflect policies
Request and approval workflow
– Fully customizable, flexible workflow engine
• Create workflows that match the way teams work
• Forms that ask the questions you need to approve requests
• Support complex workflows with serial or parallel reviewers
• Track OSS by use: what, where, when, how and who
Flexible OSS policy management
– Effectively communicate policies to all employees
• Easily create policies based on combination of OSS package, version and license
• Auto approve or deny requests based on usage model
Inventory and monitor your OSS
Requirement: Understand what you have, learn about it and where you have it
See OSS inventory by project
– Policy violations
– Combined lists of both approved, known OSS, and newly discovered OSS via scanning
– Comprehensive OSS Bill of Materials
Continuously monitor OSS for security vulnerabilities and updates
– Automatic: Daily updates via link to the National Vulnerability Database (NVD) to list all known CVEs by OSS package
– Manual: Daily updates on new security vulnerabilities from OSS experts after reviewing hundreds of packages
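How the approval policy from the previous slide and the per-project inventory check on this one fit together, as an added example that is not Rogue Wave's product: each inventory row is auto-approved or denied from its package, version, license and usage model, then matched against an advisory feed to list the CVEs that apply to its version. The inventory, the license policy, the advisory records and the CVE identifiers (CVE-0000-000N) are all constructed placeholders; a real deployment would pull the feed from NVD, and the affected-version test here is a simplified introduced/fixed range rather than NVD's CPE matching.

```python
"""Constructed OSS inventory check: evaluate each component against a license
policy keyed on usage model, and match it against an advisory feed to list
known CVEs by package and version. Added example, not Rogue Wave's product;
the inventory, policy, advisories and CVE ids are constructed placeholders."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    license: str
    project: str
    usage: str  # "internal" (never shipped) or "distributed" (shipped to customers)


@dataclass
class Advisory:
    cve_id: str      # placeholder id, constructed for this example
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive); "" means no fix yet
    severity: str


# Constructed policy: licenses allowed per usage model (illustrative, not legal advice)
POLICY = {
    "internal": {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0", "LGPL-2.1"},
    "distributed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}
# Version lines denied regardless of license, e.g. pre-1.0 or end-of-life branches
DENY_VERSIONS = {("libfoo", "0.")}


def vkey(version):
    """Numeric, segment-wise comparison key padded to 3 parts ('1.10' > '1.9')."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected(component, adv):
    """True when the component's version falls in [introduced, fixed)."""
    if component.name != adv.package:
        return False
    v = vkey(component.version)
    if v < vkey(adv.introduced):
        return False
    return not adv.fixed or v < vkey(adv.fixed)


def approve(component):
    """Auto approve/deny from (package, version, license, usage model)."""
    for pkg, prefix in DENY_VERSIONS:
        if component.name == pkg and component.version.startswith(prefix):
            return "deny", f"version {component.version} is on the deny list"
    allowed = POLICY.get(component.usage)
    if allowed is None:
        return "review", f"unknown usage model {component.usage!r}"
    if component.license not in allowed:
        return "deny", f"{component.license} not permitted for {component.usage} use"
    return "approve", "license permitted for usage model"


def bill_of_materials(components, advisories):
    """Per-project BOM rows carrying the policy decision and matching CVEs."""
    rows = []
    for c in components:
        decision, reason = approve(c)
        cves = [a.cve_id for a in advisories if affected(c, a)]
        rows.append({"project": c.project, "component": f"{c.name}@{c.version}",
                     "license": c.license, "decision": decision,
                     "reason": reason, "cves": cves})
    return rows


def policy_violations(rows):
    """Rows needing attention: not approved, or carrying at least one CVE."""
    return [r for r in rows if r["decision"] != "approve" or r["cves"]]


# Constructed inventory and advisory feed (sample data, not real packages or CVEs)
INVENTORY = [
    Component("libfoo", "1.2.3", "MIT", "billing", "distributed"),
    Component("libfoo", "1.4.0", "MIT", "reports", "internal"),
    Component("libfoo", "0.8.1", "MIT", "legacy", "internal"),
    Component("netparse", "0.9.2", "GPL-2.0", "gateway", "distributed"),
    Component("netparse", "0.9.2", "GPL-2.0", "devtools", "internal"),
    Component("cryptolib", "2.0.1", "Apache-2.0", "gateway", "distributed"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "libfoo", "1.0.0", "1.3.0", "high"),
    Advisory("CVE-0000-0002", "netparse", "0.8.0", "", "critical"),
    Advisory("CVE-0000-0003", "cryptolib", "2.1.0", "2.1.5", "medium"),
]

if __name__ == "__main__":
    for row in policy_violations(bill_of_materials(INVENTORY, ADVISORIES)):
        print(row)
```

The same netparse version is approved for the internal tool and denied for the shipped gateway, which is the usage-model rule in action; it still shows up in both projects' violation lists because the advisory has no fixed version yet, so monitoring has to keep re-running as the feed changes rather than stopping at approval time.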
#5 Multi-tiered approach to open source management
Multiple approaches to managing open source
• Finding issues late, and possibly in production, is very expensive to resolve
• Not able to dig deeper into your code to find potential problems
• Not able to fix issues in the open source in use
• Continuous architecture and package reviews to stay on top of the latest technology
Static code analysis
Significantly reduces the cost of reliable, secure software
• Complements existing testing approaches
• Automated and repeatable analysis
Enforces key industry standards
• DISA STIG, CWE, MISRA
• CERT, SAMATE
• OWASP, DO-178B, FDA validation
• ...and more
Dynamic code analysis
• Interactive debugging
• Interactive memory debugging
• Reverse debugging
• Unattended debugging
• Serial and parallel applications
To wrap up
Open source is everywhere!
• Open source can no longer be avoided in your application development
• Learn to embrace the usage of open source
• You need to understand what you have and where you have it
• Open source is not “FREE” and comes with its own risks and rewards
• Without checks & balances in place, open source chaos will arise
• Take a multi-pronged approach to managing open source
Rogue Wave capabilities
What we do
Rogue Wave helps organizations simplify complex software development, improve code quality, and shorten cycle times