Protecode Inc. 2014
Optimizing The Cost Of OSS Management
Leveraging OSS while managing your governance costs
February 26th 2014
Agenda
The Challenge
– The depth of OSS increases governance costs
OSS Management Effort & Cost
– Discovering what's in your code
– Compliance with your policy
– Security vulnerabilities and other attributes
– Complying with license obligations
Automating OSS Management
– Minimizing risks
– The OSS adoption process and the maturity model
– Automating OSS adoption
Wrap up and Q&A
Presenter: Normand Glaude, COO
Why OSS?
Open Source Software
Enables rapid software development
– Easy access to code
– Hundreds of thousands of projects
– Enables new business models
– The original (and most successful) crowdsourcing model
The good:
– Faster, more functional
– Improves interoperability and the adoption of standards
The bad:
– Uncertain ownership structure
• Intellectual property: copyright, license
• Maintenance and support
– Perceived uncertain quality and security
– Requires due diligence, and a managed adoption process
How much Open Source do I use?
Diagram: a layered application stack showing how many components of a typical product may be open source, from the proprietary application down to the database. Layers shown: Proprietary Application; Common Data Layer; Abstraction Layers; GUI Toolkit; Plugins; GUI Framework; Artwork; Widget Library; ORM; Scheduler; Communications; Installer; Configurator; Script; Protocol & Marshalling; Encryption; Compression; Modeler; Database Server; Cache; DB Engine; DB Management; Application Server; Framework.
OSS Procurement Involves…
Taking inventory of 3rd-party components
Clarification of IP ownership and licensing
Ensuring license models meet business expectations
Minimizing security risks
Eligibility to export (encryption)
Compliance with license obligations
An example
A Hypothetical Organization
– Fewer than 200 people
– 3 releases per year
– 5 years of cumulative development
Other assumptions:
– An open source policy is already in place
– No corrective actions are required
OSS Management Effort
– Discovery of 3rd-party components
– Analysis
– Compliance with obligations
Discovery: Creating the BOM
Objective: Identify all 3rd-party content and its licensing attributes
Tasks:
– Inspect all source code and build ingredients to create a Bill of Materials (BOM).
– Key files:
• Build files (makefile, POM files, etc.)
• Text files containing license text
• Text files that may make reference to licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
Effort: 2-5 days, depending on the portfolio size
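As an added illustration of the discovery step (example code written for this page, not Protecode's tooling), the Python script below builds a minimal BOM from two of the key file types listed above. It parses a constructed Maven pom.xml, resolving ${property} references and recording each dependency's scope so that test-only dependencies are not counted as distributed, and it scans a constructed in-memory file tree for LICENSE/COPYING/NOTICE/README files, naming each license by a short keyword fingerprint. The sample POM, the file tree and the fingerprint list are all constructed for the example; a real scan reads the checkout from disk and uses a much larger license reference set.

```python
import re
import xml.etree.ElementTree as ET

# Maven POM files declare a default namespace; ElementTree needs it for find().
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml (not taken from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <commons.version>3.3.2</commons.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed in-memory source tree (path -> content) standing in for a checkout.
SAMPLE_TREE = {
    "third_party/commons-lang3/LICENSE.txt": "Apache License\nVersion 2.0, January 2004\n[...]",
    "third_party/zlib/README": "zlib 1.2.8\n[...] This software is provided 'as-is', without any express or implied warranty.",
    "src/main/java/App.java": "public class App {}",
}

# Keyword fingerprints that name a license from its text (constructed, deliberately short).
LICENSE_FINGERPRINTS = [
    ("Apache-2.0", "apache license"),
    ("GPL-2.0", "gnu general public license"),
    ("MIT", "permission is hereby granted, free of charge"),
    ("Zlib", "provided 'as-is'"),
]

# File names worth reading for license information (LICENSE, COPYING, NOTICE, README variants).
LICENSE_FILE_RE = re.compile(r"(^|/)(LICEN[CS]E|COPYING|NOTICE|README)([.\-].*)?$", re.IGNORECASE)

# Maven scopes that are not packaged into the shipped artifact.
NOT_DISTRIBUTED_SCOPES = {"test", "provided"}


def _resolve(value, props):
    """Expand ${property} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def _child_text(elem, tag, props, default=None):
    node = elem.find(f"m:{tag}", POM_NS)
    if node is None or node.text is None:
        return default
    return _resolve(node.text.strip(), props)


def parse_pom(pom_xml):
    """Return one BOM entry per <dependency>, with distribution derived from scope."""
    root = ET.fromstring(pom_xml)
    props_elem = root.find("m:properties", POM_NS)
    props = {}
    if props_elem is not None:
        for child in props_elem:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    entries = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        scope = _child_text(dep, "scope", props, default="compile")
        entries.append({
            "group": _child_text(dep, "groupId", props),
            "artifact": _child_text(dep, "artifactId", props),
            "version": _child_text(dep, "version", props),
            "scope": scope,
            "distributed": scope not in NOT_DISTRIBUTED_SCOPES,
        })
    return entries


def identify_license(text):
    lowered = text.lower()
    for spdx_id, marker in LICENSE_FINGERPRINTS:
        if marker in lowered:
            return spdx_id
    return "UNKNOWN"


def scan_license_files(tree):
    """Map every license-bearing file in the tree to the license its text suggests."""
    return {path: identify_license(content)
            for path, content in tree.items() if LICENSE_FILE_RE.search(path)}


def build_bom(pom_xml, tree):
    return {"components": parse_pom(pom_xml), "license_files": scan_license_files(tree)}


if __name__ == "__main__":
    bom = build_bom(SAMPLE_POM, SAMPLE_TREE)
    for comp in bom["components"]:
        print(comp)
    for path, lic in bom["license_files"].items():
        print(path, "->", lic)
```

The scope field matters for the "distribution method" question on the slide: a test-only dependency never ships, so its license obligations do not apply to the product, and a BOM that ignores scope over-reports.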
License Analysis
Objective: Identify licensing implications
Tasks:
– Interpret the license references and text to determine
• A list of all obligations associated with each license
• A list of license compatibility issues between licenses in the portfolio
– Cross-reference BOM components, distribution, licenses to
determine:
• The licensing options for each open source component
• Applicable obligations per 3rd party component
• Compatibility issues that need to be rectified
Effort: 1-3 days
Security Vulnerabilities
Objective: Use the BOM to uncover published vulnerabilities
Tasks:
– Cross-reference 3rd-party components (BOM) with NVD and other databases
– Discover which ones apply to your product
– These databases are available through web site searches and as downloadable XML feeds.
Effort: 1-3 days
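An added example, not from the slides or from Protecode, of the cross-reference step: the script below matches constructed BOM entries against constructed, simplified vulnerability records carrying placeholder CVE ids (the real NVD feeds are richer; only the vendor/product/version-range idea is kept). The component-to-CPE-name mapping is an assumption maintained by hand, and the version comparison tokenizes version strings so that 3.9 sorts before 3.10, which a plain string comparison gets wrong. Components with no mapping are surfaced for manual review instead of being dropped.

```python
import re

# Constructed BOM entries, the output of a discovery step (not real project data).
BOM = [
    {"name": "commons-lang3", "version": "3.3.2"},
    {"name": "zlib", "version": "1.2.8"},
    {"name": "libtransport", "version": "1.0.1f"},
    {"name": "in-house-widgets", "version": "2.0"},
]

# Constructed mapping from BOM names to the vendor/product naming used in CPE-style
# identifiers. A real mapping has to be maintained per component, which is itself effort.
CPE_NAMES = {
    "commons-lang3": ("apache", "commons_lang"),
    "zlib": ("zlib", "zlib"),
    "libtransport": ("example", "libtransport"),
}

# Constructed, simplified vulnerability records with placeholder CVE ids (not real advisories).
# The affected range is [start_including, end_excluding); None means unbounded on that side.
VULN_RECORDS = [
    {"cve": "CVE-0000-0001", "vendor": "example", "product": "libtransport",
     "start_including": "1.0.1", "end_excluding": "1.0.1g"},
    {"cve": "CVE-0000-0002", "vendor": "zlib", "product": "zlib",
     "start_including": None, "end_excluding": "1.2.8"},
    {"cve": "CVE-0000-0003", "vendor": "apache", "product": "commons_lang",
     "start_including": "3.10", "end_excluding": "3.12"},
]

_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Split a version string into comparable tokens: numbers compare numerically and
    letters lexically, so 3.9 < 3.10 and 1.0.1f < 1.0.1g."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok.lower())
                 for tok in _TOKEN_RE.findall(version))


def is_affected(version, record):
    """True when the version falls inside the record's affected range."""
    v = version_key(version)
    start, end = record["start_including"], record["end_excluding"]
    if start is not None and v < version_key(start):
        return False
    if end is not None and v >= version_key(end):
        return False
    return True


def cross_reference(bom, records, cpe_names):
    """One finding per (component, CVE) match; components with no CPE mapping are
    reported for manual review rather than silently skipped."""
    findings = []
    for comp in bom:
        vendor_product = cpe_names.get(comp["name"])
        if vendor_product is None:
            findings.append({"component": comp["name"], "version": comp["version"],
                             "cve": None, "note": "no CPE mapping; review manually"})
            continue
        for rec in records:
            if (rec["vendor"], rec["product"]) == vendor_product and is_affected(comp["version"], rec):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "cve": rec["cve"], "note": "published vulnerability matches version"})
    return findings


if __name__ == "__main__":
    for finding in cross_reference(BOM, VULN_RECORDS, CPE_NAMES):
        print(finding)
```

The boundary case in the constructed data (zlib 1.2.8 against a range that ends before 1.2.8) is deliberate: an exclusive upper bound is the usual way a fixed version is expressed, and an off-by-one here either hides a real hit or raises a false one.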
Export Restrictions (Encryption)
Objective: identify all encryption software content to file for
export permits
Tasks:
– Identify all proprietary and 3rd party components using or
implementing encryption algorithms
– Examples: password protection, security certificates, secure
communications (https), encoding, etc.
– Prepare a list to apply for export permits
Effort: 1-3 days
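An added example (not part of the deck) of the identification task above: a heuristic scan of constructed source files for indicators of encryption use, separating the platform-TLS-only case (an HTTPS client, the slide's "secure communications (https)") from code that calls or implements a cryptographic library. The indicator patterns and sample files are constructed; deciding what actually goes on an export application remains a human step.

```python
import re

# Constructed indicator patterns that suggest a file uses or implements encryption.
# Heuristic only: each hit still needs human confirmation before it goes on a permit list.
CRYPTO_INDICATORS = [
    ("java-jce", re.compile(r"\bimport\s+javax\.crypto\b")),
    ("openssl-api", re.compile(r"#include\s+<openssl/")),
    ("python-ssl-or-crypto", re.compile(r"^\s*(?:import|from)\s+(?:ssl|cryptography)\b", re.MULTILINE)),
    ("tls-url", re.compile(r"\bhttps://")),
    ("algorithm-name", re.compile(r"\b(?:AES|RSA|ECDSA|ChaCha20|Blowfish|3DES)\b")),
]

# Indicators meaning encryption is supplied by the platform (for example an HTTPS client)
# rather than implemented or directly invoked by the component.
PLATFORM_ONLY = {"tls-url"}

# Constructed source files standing in for a checkout (not from a real project).
SAMPLE_FILES = {
    "src/auth/Login.java": 'import javax.crypto.Cipher;\nclass Login { String alg = "AES"; }\n',
    "src/net/client.c": "#include <openssl/ssl.h>\nint connect_tls(void);\n",
    "scripts/fetch.py": "import urllib.request\nURL = 'https://updates.example.test/'\n",
    "src/util/Strings.java": "class Strings { static String trim(String s) { return s.trim(); } }\n",
}


def scan_for_crypto(files):
    """Map each file with at least one indicator hit to the sorted list of indicator names."""
    report = {}
    for path, content in files.items():
        hits = sorted({name for name, rx in CRYPTO_INDICATORS if rx.search(content)})
        if hits:
            report[path] = hits
    return report


def classify(report):
    """Split hits into files that call or implement crypto libraries (to be reviewed for
    the permit list) and files that only consume platform TLS."""
    implements, platform = [], []
    for path, hits in sorted(report.items()):
        if set(hits) <= PLATFORM_ONLY:
            platform.append(path)
        else:
            implements.append(path)
    return {"review_for_permit": implements, "platform_tls_only": platform}


if __name__ == "__main__":
    report = scan_for_crypto(SAMPLE_FILES)
    for path, hits in sorted(report.items()):
        print(path, hits)
    print(classify(report))
```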
Attribution and Documentation
Objective: Compliance with license obligations
– Most open source licenses have an attribution clause
Tasks:
– Produce a list of the open source components in the product (BOM)
– Prepare the complete text of each license present in the product
– Package these with the distribution and with the printed documentation
Effort: 0.5-2 days
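The following added example, not Protecode's code, covers both the License Analysis slide above and this attribution slide. Starting from a constructed BOM that already carries license findings, it applies a constructed per-distribution policy, flags one constructed pair of incompatible licenses for a combined binary work, lists obligations per license, and renders a third-party notice file with copyright lines and abbreviated, constructed license texts. The policy table, obligation summaries and incompatibility pair are assumptions for one hypothetical organization; the license texts themselves govern in practice.

```python
# Constructed BOM with license findings from discovery (not real project data).
BOM = [
    {"name": "commons-lang3", "version": "3.3.2", "license": "Apache-2.0",
     "copyright": "Copyright 2001-2014 The Apache Software Foundation"},
    {"name": "fastjson-lite", "version": "0.9", "license": "MIT",
     "copyright": "Copyright (c) 2013 Example Author"},
    {"name": "netfilter-helper", "version": "2.1", "license": "GPL-2.0-only",
     "copyright": "Copyright (C) 2010 Example Contributors"},
    {"name": "mystery-lib", "version": "1.0", "license": "UNKNOWN", "copyright": ""},
]

# Constructed obligation summaries per license (abbreviated; the license text itself governs).
OBLIGATIONS = {
    "Apache-2.0": ["attribution", "include license text", "retain NOTICE file", "mark modified files"],
    "MIT": ["attribution", "include license text"],
    "GPL-2.0-only": ["attribution", "include license text", "provide corresponding source"],
}

# Constructed policy for one hypothetical organization: verdict per license and distribution model.
POLICY = {
    "Apache-2.0":   {"binary": "allowed", "source": "allowed", "hosted": "allowed"},
    "MIT":          {"binary": "allowed", "source": "allowed", "hosted": "allowed"},
    "GPL-2.0-only": {"binary": "denied",  "source": "review",  "hosted": "allowed"},
}

# License pairs this example treats as incompatible inside one distributed binary work
# (constructed table covering only the commonly cited GPLv2 / Apache-2.0 conflict).
INCOMPATIBLE_PAIRS = {frozenset({"GPL-2.0-only", "Apache-2.0"})}

# Constructed, abbreviated license texts; a real notice file carries each complete text.
LICENSE_TEXTS = {
    "Apache-2.0": "Apache License, Version 2.0, January 2004 [complete text goes here]",
    "MIT": "MIT License [complete text goes here]",
    "GPL-2.0-only": "GNU General Public License, version 2, June 1991 [complete text goes here]",
}


def evaluate_policy(bom, distribution):
    """Verdict per component; unknown licenses or models default to manual review."""
    return [(c["name"], c["license"], POLICY.get(c["license"], {}).get(distribution, "review"))
            for c in bom]


def find_incompatibilities(bom, distribution):
    """Pairs of components whose licenses conflict for the chosen distribution model."""
    if distribution != "binary":
        return []  # the constructed table only describes combined binary works
    issues = []
    for i, a in enumerate(bom):
        for b in bom[i + 1:]:
            if frozenset({a["license"], b["license"]}) in INCOMPATIBLE_PAIRS:
                issues.append((a["name"], b["name"]))
    return issues


def collect_obligations(bom):
    """Obligations keyed by license, so each applies to every component under it."""
    return {lic: OBLIGATIONS.get(lic, ["review license text manually"])
            for lic in sorted({c["license"] for c in bom})}


def render_attribution(bom):
    """Build the third-party notice: component list with copyrights, then each license text."""
    lines = ["THIRD-PARTY NOTICES", ""]
    for c in sorted(bom, key=lambda c: c["name"]):
        lines.append(f"{c['name']} {c['version']} ({c['license']})")
        if c["copyright"]:
            lines.append(f"    {c['copyright']}")
    lines += ["", "LICENSE TEXTS"]
    for lic in sorted({c["license"] for c in bom}):
        lines += ["", f"== {lic} ==",
                  LICENSE_TEXTS.get(lic, "[license text not on file: obtain from the component's author]")]
    return "\n".join(lines)


if __name__ == "__main__":
    print(evaluate_policy(BOM, "binary"))
    print(find_incompatibilities(BOM, "binary"))
    print(collect_obligations(BOM))
    print(render_attribution(BOM))
```

Running it against the "binary" model produces exactly the corrective-action triggers the deck lists later: a component whose license is against policy (netfilter-helper), an incompatible pair (commons-lang3 with netfilter-helper), and an ambiguous license (mystery-lib) that needs clarification from the IP owner.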
Summary of the cost
Cost for 1 release. Consider that subsequent releases will partially leverage existing information.
Manual effort per activity (the estimates from the preceding slides):
Activity                          Manual
Create BOM                        2-5 days
License Analysis                  1-3 days
Security Vulnerabilities          1-3 days
Encryption Content                1-3 days
Attribution and Documentation     0.5-2 days
TOTAL                             5.5-14 days
Other Potential Costs and Risks
Discovery: OSS license against policy
Corrective action:
• Seek commercial arrangement
• Change distribution model
• Replace component and refactor code
Discovery: Incompatible licenses
Corrective action:
• Seek commercial arrangement
• Change distribution model
• Replace component and refactor code
Discovery: Ambiguous licensing terms
Corrective action:
• Seek clarification from IP owner
• Seek commercial arrangement
• Replace component and refactor code
Discovery: Security vulnerabilities
Corrective action:
• Upgrade to latest version, fix problem
• Replace component and refactor code
Discovery: Encryption content
Corrective action:
• Update export control application
When to do an OSS checkup?
A transaction trigger:
– M&A event
– Tech transfer or commercialization
– Collaboration (establishing background IP)
– Product shipment
Preferably, regularly as part of a quality development process:
– Release checklist: at a minimum
– Integrated into the development cycle: optimal
License management is most effective when applied early in the development life cycle.
Diagram: Cost of Compliance at Different Stages of Development. Stages: Development | Build/QA | In the Market. Activities by stage: real-time preventative measures; periodic analysis; build-time and pre-launch analysis; post-launch correction.
OSS Adoption Process (OSSAP)
Maturity Model (levels as listed on the slide):
– Voluntary policy compliance with legal advice
– Manual search and code review
– In-house tools
– Automated scanning with reference database
– Integrated tool suite within the software development cycle
Introducing Automation Lowers Costs
Activity                          Manual          Automated
Create BOM                        2-5 days        (not captured)
License Analysis                  1-3 days        (not captured)
Security Vulnerabilities          1-3 days        (not captured)
Encryption Content                1-3 days        (not captured)
Attribution and Documentation     0.5-2 days      (not captured)
TOTAL                             5.5-14 days     (not captured)
The Manual column repeats the effort estimates from the preceding slides; the Automated figures are not available on this page. Actual cost varies with local labor rate.
Automate your Workflow
Diagram: workflow stages (Write Code, Commit Code, Build Libraries, Release Software, Define Sprint) with an automation step attached to each, labelled on the slide as follows:
– Use CA to pre-approve code
– Use DA to monitor in real time
– Use CI tool to trigger EA scan, consume CSV file
– Use CI tool to trigger artifact scan
– Use ES to produce reports
Reporting Options
Summary report
– High level view of the findings
– Highlight key findings, areas requiring attention
– Reference material on licenses found, best practices
Detailed reports
– Detailed file-by-file
– CSV Export
– License obligations
– License incompatibilities
– Text of all licenses applicable to software packages
– Security vulnerabilities
– Export Control Classification Numbers (ECCN)
The first scan and review becomes a baseline. Subsequent scans are much
quicker since they leverage existing data.
Recap
OSS adoption has increased development pace
– OSS is everywhere, and runs deep
OSS Management
– A big task, especially when portfolios are large and the work is done manually
Automated OSS Management Tools
– Are effective in reducing the time spent on OSS management
– More thorough, especially when used continuously
– Provide an opportunity to minimize licensing ambiguity earlier in the development cycle
Q&A
Please type your questions into the chat box to the right
Protecode Corporate Summary
Overview
– Software attributes management
– Established in 2006
– World-wide partner network
Products & Services for software adoption
– Products:
• On-premises: Protecode System 4™, Protecode Compact™
• Hosted: ProtecodeCloud
– Services:
• Software audit services
• Code portfolio similarity assessment services
Value of Protecode Solutions
– Reduce IP uncertainties, highlight security vulnerabilities and ensure compliance
– Accelerate time to market and reduce development cost