BlackDuck Suite

Speaker notes:
  • In the very early days of computing, product offerings seeking to improve developer productivity focused on code design tools used by the individual developer. For example, the first version of Turbo Pascal appeared in 1983.
    As the industry matured, the focus of innovation grew to facilitate the collaboration of groups of developers. For example, the (then revolutionary) revision management tool ClearCase was released by Atria Software in 1992.
    Today, it’s the rare application that is developed and coded from the ground up exclusively by internal resources. In the world of component-based development, where “reuse” is the mantra, developers draw on a variety of code sources, both internal and external. External sources of code are suppliers, partners and the open source community. We term the blending of internal and external sources of code “the development ecosystem.” This brings us to the most recent (rightmost) stage in the history of innovation aimed at developer productivity, which takes place in the era of component-based development.
  • While Black Duck does not make open source software, we help our customers realize the promise it offers while minimizing or eliminating the challenges and risks associated with it.
  • The challenges arise from mixing code from different sources: partner code, open source, internal code and vendor-sourced code. Each of these sources could be managing its own separate version of a code component. They could be incorporating conflicting software licenses into the code base. The code could have unexpected dependencies. The software ‘integrator’ is on the hook for robust and timely support, but the support model for open source code is something people must think about explicitly. Code from the development ecosystem can vary widely in quality: some of it is great, some of it not so great.
    If an organization implements compliance, it may involve many approval boards. The danger of thorough compliance is that it can be time-consuming, slow to react and bureaucratic. Yet it is a necessary part of software development in today’s complex and changing landscape.
  • Many great companies have had bad things happen to them because they did not address the need for governance in their software supply chain.
    Loss of Intellectual Property: Cisco was forced to open source some code and ultimately lost control over a product line. Impact was probably millions in lost revenue. See the support slide on this.
    License rights and restrictions
    Contractual obligations
    Injunctions: When Monsoon Multimedia was sued by the Software Freedom Law Center, the suit requested an injunction (stop ship) on their product. This would be devastating for a business.
    Export regulations
    Security vulnerabilities
    Software defects
    Escalating support costs: Version proliferation
  • Continuously expanded (sub-bullets; updated 9/9/08):
    – Significant investment in automated tools
    – Site mirrors for popular sites
    – Open Source Licenses
      GPL
      LGPL
      Apache
      BSD
      CPL
      Creative Commons
      Eclipse
      Microsoft
      MIT
      Sun
    – Open Source Sites
      Apache.org
      Eclipse.org
      Kernel.org
      Sun.com
      RubyForge.org
      Asterisk.com
      PlanetSourceCode.com
      Zope.org
      GNU.org
      CPAN.org
      MySQL.com
      SourceForge.net
Slides:

    1. The Black Duck Suite: Enabling Faster, Lower Cost Innovation with Open Source Software
       Black Duck Software
    2. Copyright © 2010 Black Duck Software, Inc. All Rights Reserved.
       Agenda
       • Market Dynamics and Challenges
       • Meeting the Challenges
       • Overview of the Black Duck Suite
       • Summary
    3. Evolution of Software Development (table reconstructed from the slide)
                1980’s                          1990’s                              2000’s
       Focus    Code Design                     Application Life Cycle Management   Component-Based Development
       Scope    Individual Software Developer   Project Team Collaboration          Development Ecosystem
                                                (Single Enterprise)
    4. The Promise of Open Source
       The Promise
       • Significantly reduce development costs – up to 90% – and accelerate time to market
       • Billions of lines of available code
       The Challenges
       • Management
       • Compliance
       • Security
       The Black Duck Solution: realize the promise while eliminating the challenges
    5. Black Duck Enables Multi-Source Development (diagram)
       YOUR COMPANY assembles a Software Application from code, and each source brings its own obligations:
       • Open Source Software (from individuals, universities and corporate developers)
       • Internally Developed Code
       • Outsourced Code Development
       • Commercial 3rd-Party Code
    6. Development Challenges Using Open Source at Scale
       Management
       • Leverage the right software from many sources
       • Increase productivity using component software
       • Encourage standardization of components & versions
       • Deliver timely support
       Compliance & Security
       • Comply with open source policies
       • Manage licensing and associated obligations
       • Comply with export regulations
       • Track security vulnerabilities
       Formal control of open source software lags adoption: 58% of companies surveyed do not have formal policies or guidelines for OSS. Source: 451 Group, December 2009
    7. Risks of Unmanaged Code
       • Loss of Intellectual Property
       • License Rights and Restrictions
       • Contractual Obligations
       • Injunctions
       • Export Regulations
       • Security Vulnerabilities
       • Software Defects
       • Escalating Support Costs
    8. The Story of Cisco’s Software Supply-Chain (diagram; the node labels naming each party were not extracted, so the steps are given in the slide’s own phrases)
       • used GPL code to customize Broadcom’s standard Linux distribution
       • embedded the code in one of its chipsets
       • adopted this technology into its WRT54G wireless broadband router
       • bought for $500M in 2003
       • FSF accused Cisco of a license violation
       • Source code made available
       • The story continues... developers modified the firmware, turning a low-end ($60) device into a high-function router
    9. Risks of Open Source and Other Cases
       • Infringement
       • Valuation
       • Negative publicity
       • New revenue
       • Support costs
       • Vulnerability
       Cases shown on the slide (product categories only; company names were in the graphic): VOIP Phone, Wireless Router, GPS Navigation, Network Attached Storage, WiMax and other, iPhone WIP300, Home Hub Router
    10. Even Large, Well Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation
        The Windows 7 USB/DVD Tool violated the GPLv2 license
        • Code was “multi-source,” including code from an external supplier with OSS
        • Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available
        Takeaways:
        • Even big companies make mistakes
        • OSS can enter from many sources
        • It’s difficult to manage OSS without both process and technology
    11. Google Security Flaws (the vulnerabilities referred to were shown in a graphic that is not in the extracted text)
        • These vulnerabilities were discovered within 24 hours of release
        • Easily avoided with the right solution
    12. Pro-Active and Controlled Use of Open Source
        • Cost of defects
          – Minimal when issues are detected early in the lifecycle
          – Grows 100-1,000X late in the lifecycle
        • Invest time and process to choose good code up front vs. fixing problems later
        Capers Jones, Applied Software Measurement: Assuring Productivity and Quality, 1999.
    13. Meeting the Challenges
    14. Meeting the Challenges of Using Open Source
        What if...
        • You could automate manual approval processes and empower team members to collaborate?
          – Bring together legal, development, executive staff, others
        • You could automate discovery and validation to manage risk and ensure compliance?
          – Know what’s in your code base
          – Validate the software bill of materials (BOM) before shipping
          – Know the origins of external code
        • Development had a catalog of pre-approved components?
          – Eliminate unnecessary, redundant requests and approvals
          – Know and track where components are used
        • Finding the right open source was fast and easy?
          – Quality, maturity
          – Version
          – Understanding license obligations
          – Dependencies
    15. Black Duck Helps Unleash the Potential of Open Source Software
        • Workflow and approval for multi-user team collaboration with role-based access control
          – Eliminate approval delays, enhance group productivity
        • Automatically scan the code base to identify open source and uncover hidden license obligations
          – Ensure compliance and confidently manage software origins and obligations
        • Catalog of pre-approved components
          – Saves time and effort
          – Encourages standardization and re-use
        • Industry’s most comprehensive open source KnowledgeBase
          – Enables fast, easy search and selection of open source software
    16. Case Study: InfoPrint Solutions
        “We chose Black Duck automation to improve productivity by supporting our software license approval processes, code validation and security alert processes. And more importantly, it gives us the highest confidence that we are in compliance with the licenses for the open source software embedded in our products.” – Mike Munger, Senior Technical Staff Manager, InfoPrint Solutions Company
        Problem (why InfoPrint chose Black Duck)
        • Identify open source software
        • Automate approval process
        • Monitor security vulnerabilities on open source components
        Solution
        • Black Duck Code Center for approval automation
        • Black Duck Protex servers validating BOMs and performing license discovery
        Benefits
        • Manages legal risk
        • Enables collaboration around open source approvals
        • Streamlines processes
    17. Case Study: Intel Corporation
        “We selected Black Duck because its knowledge base of open source software and the maintenance of that knowledge base were more robust than other solutions—and the more robust the knowledge base, the lower the risk that licensed software will be used inappropriately.”
        Problem (why Intel chose Black Duck)
        • Identify open source software
        • Automate verification and compliance
        • Improve collaboration between functions (development, legal, management, etc.)
        Solution
        • Black Duck Protex servers deployed globally, integrated with development tools
        Benefits
        • Identifies software conflicts early
        • Reduces rework
        • Lowers risk of legal issues
    18. Enabling Multi-Source Development Across the Application Lifecycle
        • Manage the risks and maximize the compelling benefits of multi-source development
        • Integrates with existing development tools and processes
        • Solves the three main challenges associated with multi-source development: Management, Compliance, Security
    19. Management
        • Create and share a catalog of approved components
        • Configurable, role-based approval workflow
        • Authentication and role-based access control for individual enterprise users
        • Comprehensive code and component search and selection
        Compliance
        • Automate code discovery, validation, audit
        • Ensure compliance with regulations and company policies
        • Manage and control software versions, origins & obligations (open source and other code)
        Security
        • Monitor known security vulnerabilities
        • Automatic updates to the catalog with real-time alerts; track “where used”
        • Ensure selection of the most secure open source components
    20. Application Lifecycle (diagram)
        Lifecycle phases: Conceptualize, Define, Design, Develop, Build, Test, Deploy
        Black Duck activities across the phases: Search & Select, Approve, Validate Compliance, Scan/Analyze, Audit & Maintain
        Covering: Management, Compliance, Security
    21. (architecture diagram)
        • Approval: IT, Security, Legal, Management and Quality apply Company Policies through Automated Workflow
        • Development: Catalog, Component Requests, Search & Select, Approved Components, SCM
        • Build, Test Systems: Software Bill of Materials, Scan & Validate
        • Production Systems: Audit & Maintain
        • KnowledgeBase: Open source, Code prints, Vulnerabilities, Binaries
    22. Comprehensive Code Search (diagram)
        Sources searched: Black Duck KnowledgeBase, Internal Catalog, SCM, Files, and Koders.com for external code search; results carry source code and component attributes
        • Find and re-use OSS and existing code across multiple repositories
        • Improve quality by more easily tracking down bugs/defects across the enterprise
    23. The Black Duck Suite - Architecture
        • Scalable enterprise architecture
        • Modular design
        • Customizable
        • Extensible
        • Browser-based for anywhere, any time access
        • Integrates with existing ALM infrastructure
        Layers: KnowledgeBase, SDK, Core Framework, UI Framework
    24. Supporting Enterprise Collaboration (diagram only)
    25. Typical Deployment of the Black Duck Suite (diagram)
        Centralized approval with decentralized scanning & validation across many code bases
    26. The Black Duck KnowledgeBase: The Foundation of the Black Duck Suite
        The industry’s most comprehensive open source database
        • Tens of billions of lines of code
        • From over 4,500 sites
        • Released under 1,800+ unique licenses
        • 39,000+ security vulnerabilities
        • 450+ cryptographic algorithms
        Extensive metadata
        • Name, description, versions, URL
        • License, programming language, OS
        • National Vulnerability Database
        • Cryptography
        • Code Prints of source/binary
        • Other information
        Open Source Software
        • Uniquely addresses the “long tail” of OSS projects
        • Patented search & pattern-matching technologies
        • Continuously expanded
        • Custom Code Printing to add proprietary code
        • Daily security vulnerability alerts
        • Automated Metadata Updates issued ~2x month
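Slide 26 says the KnowledgeBase holds “code prints” of source and binaries and matches them with pattern-matching rather than by file name or exact checksum. The block below is an added example written for this page, not Black Duck’s patented technology or any code from the deck: it fingerprints a normalised token stream with winnowing (Schleimer, Wilkinson and Aiken, 2003), so a copied open-source routine still matches after every identifier has been renamed and the layout reflowed. The “libcsum” component, the two vendor files, the keyword set and the 0.5 match threshold are all constructed assumptions.

```python
"""Fingerprint ("code print") matching for open-source detection.

Added example, not Black Duck's matching technology. It winnows (Schleimer,
Wilkinson and Aiken, 2003) over a normalised token stream: identifiers become
ID and numbers become NUM, so renaming or reformatting a copied routine does
not defeat the match. All C samples below are constructed for the example.
"""
import hashlib
import re
from typing import Dict, List, Set

K = 5       # tokens per k-gram
WINDOW = 4  # one fingerprint is kept per WINDOW consecutive k-gram hashes
# Keywords stay verbatim; every other identifier normalises to ID (assumed C subset).
KEYWORDS = {"if", "else", "for", "while", "return", "int", "char",
            "unsigned", "const", "void", "static", "struct"}
_TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def tokenize(source: str) -> List[str]:
    """Strip comments and preprocessor lines, then normalise identifiers and literals."""
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    source = re.sub(r"(//|#)[^\n]*", " ", source)
    tokens = []
    for tok in _TOKEN_RE.findall(source):
        if tok.isdigit():
            tokens.append("NUM")
        elif tok[0].isalpha() or tok[0] == "_":
            tokens.append(tok if tok in KEYWORDS else "ID")
        else:
            tokens.append(tok)  # a single punctuation character
    return tokens


def fingerprints(tokens: List[str]) -> Set[int]:
    """Winnowing: hash every k-gram, keep the minimum hash of each window of WINDOW hashes.

    If one token stream is a contiguous substring of another, every window of the
    smaller stream is also a window of the larger one, so its fingerprints are a
    subset of the larger stream's; that is what makes containment testing reliable.
    """
    if len(tokens) < K:
        return set()
    hashes = [int.from_bytes(hashlib.blake2b(" ".join(tokens[i:i + K]).encode(),
                                             digest_size=8).digest(), "big")
              for i in range(len(tokens) - K + 1)]
    if len(hashes) <= WINDOW:
        return {min(hashes)}
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}


def code_print(source: str) -> Set[int]:
    return fingerprints(tokenize(source))


def coverage(scanned: str, knowledge_base: Dict[str, Set[int]]) -> Dict[str, float]:
    """For each known component, the fraction of its code print present in the scanned file."""
    scanned_fp = code_print(scanned)
    return {name: len(fp & scanned_fp) / len(fp) for name, fp in knowledge_base.items() if fp}


def matches(scanned: str, knowledge_base: Dict[str, Set[int]], threshold: float = 0.5) -> List[str]:
    """Components whose code print is substantially contained in the scanned file."""
    return sorted(n for n, score in coverage(scanned, knowledge_base).items() if score >= threshold)


# Constructed "known open-source" component registered in the knowledge base.
LIBCSUM = """
/* libcsum 1.2 (constructed for the example) */
unsigned int csum_update(unsigned int seed, const unsigned char *buf, int len)
{
    unsigned int acc = seed;
    for (int i = 0; i < len; i++) {
        acc ^= buf[i];
        for (int bit = 0; bit < 8; bit++) {
            if (acc & 1) { acc = (acc >> 1) ^ 3988292384; }
            else { acc = acc >> 1; }
        }
    }
    return ~acc;
}
"""
KNOWLEDGE_BASE = {"libcsum-1.2": code_print(LIBCSUM)}

# Constructed vendor firmware: libcsum pasted in with every name changed and the layout reflowed.
VENDOR_FW = """
#include <stdint.h>
static int fw_version = 3;
int fw_get_version(void) { return fw_version; }
// checksum helper
unsigned int fw_checksum(unsigned int init, const unsigned char *data, int n) {
    unsigned int h = init;
    for (int k = 0; k < n; k++) {
        h ^= data[k];
        for (int b = 0; b < 8; b++) {
            if (h & 1) { h = (h >> 1) ^ 3988292384; }
            else { h = h >> 1; }
        }
    }
    return ~h;
}
"""
# Constructed vendor code with no open-source content.
VENDOR_STR = """
void str_reverse(char *s) {
    int i = 0, j = 0;
    while (s[j]) { j++; }
    j--;
    while (i < j) { char t = s[i]; s[i] = s[j]; s[j] = t; i++; j--; }
}
"""

if __name__ == "__main__":
    for name, src in (("vendor_fw.c", VENDOR_FW), ("vendor_str.c", VENDOR_STR)):
        print(name, coverage(src, KNOWLEDGE_BASE), matches(src, KNOWLEDGE_BASE))
```

The containment score is the fraction of the known component’s fingerprints found in the scanned file, not the reverse, so a large proprietary file that embeds one small open-source routine still scores 1.0 for that routine. A production scanner would add binary code prints and a much larger knowledge base, but the matching principle is the same.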
    27. Black Duck Suite - Management - Compliance - Security - Code Search (Koders.com)
    28. Developer Catalog
        • Faster and lower cost application development
        • Make better choices on the front end of the development process (100X less costly than fixing a defect later)
        • Increased reuse of good code – open source, licensed from 3rd parties
        • Authentication and access control for individual enterprise users
        • Avoidance of...
          – License problems
          – Version uncertainties
          – Security vulnerabilities
        Diagram (OSS & Code Management): the KnowledgeBase is fed from SourceForge, RubyForge, Eclipse.org, Apache.org, etc.; the Open Source Approval Flow runs through Approval Boards (Developers, Security, IT, Legal, Management, Quality); Alerts
    29. Compliance
        • Confidently manage software origins & obligations
        • Audit the code base against approved components
        • Simplify code reviews and 3rd-party licensing
        • Reduce costs while improving accuracy
        Diagram: Developers submit Projects (Open Source, Third Party Code, Internal Code) to the Application Server; the KnowledgeBase drives License Conflict detection and the Bill of Materials, which the Review Board handles through Automated Workflow
    30. Compliance: Encryption & Export Regulations
        • Find cryptographic code embedded in complex software
        • Automate compliance with encryption export policy and regulations
        • Simplify BIS/NSA notification and licensing
        • Generate audit and document compliance reports
        Diagram: Developers – CryptoBase – Compliance Report
    31. Security Vulnerability Management
        • Make informed choices early in the process to ensure selection and use of the most secure open source components
        • The catalog of approved components is automatically updated
        • Monitor security vulnerabilities
          – Daily security alerts routed to customers
          – Automatic alerts are sent to the appropriate owner for all components based on “where used”, e.g., Apache Tomcat, Struts, MySQL
        Diagram: KnowledgeBase Alerts – Developer Catalog (Approved Components, Where Used) – Approval Flow – Management Alerts
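Slides 29 and 31 describe two checks that run on the same bill of materials: auditing each component against the approved catalog and its license obligations, and routing vulnerability alerts to the owners of every project that uses the component (“where used”). The block below is an added example of that validation written for this page; it is not Black Duck Suite code. The approval records, the copyleft policy, the version-range logic, the vulnerability feed (the SAMPLE-… identifiers are made up), the where-used index and the owner addresses are all constructed assumptions embedded inline.

```python
"""Bill-of-materials (BOM) validation with where-used alert routing.

Added example, not Black Duck code. Each BOM entry is checked against an
approved-component catalog, a licence policy and a vulnerability feed, and
every finding is routed to the owners of the projects that use the component.
All catalog, BOM, vulnerability and ownership data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    component: str
    affected_from: str   # first affected version, inclusive
    fixed_in: str        # first fixed version, exclusive
    cvss: float


@dataclass(frozen=True)
class Finding:
    severity: str            # "block" stops the release, "warn" is advisory
    component: str           # "name@version"
    reason: str
    owners: Tuple[str, ...]  # derived from the where-used index


# Assumed policy: copyleft licences may not ship inside a proprietary, distributed product.
COPYLEFT_BLOCKED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
BLOCKING_CVSS = 7.0


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.5.27' -> (5, 5, 27); non-numeric parts count as 0 (simplification for the example)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(v: Vuln, version: str) -> bool:
    return parse_version(v.affected_from) <= parse_version(version) < parse_version(v.fixed_in)


def validate_bom(bom: Iterable[Component], approved: Dict[str, Component], vulns: List[Vuln],
                 where_used: Dict[str, List[str]], owners: Dict[str, str],
                 distributed: bool = True) -> List[Finding]:
    findings: List[Finding] = []
    for c in bom:
        route = tuple(sorted({owners[p] for p in where_used.get(c.name, [])}))
        tag = f"{c.name}@{c.version}"
        # 1. Catalog check: unknown components block, version drift warns, and a licence
        #    that differs from the approval record means the approval no longer applies.
        if c.name not in approved:
            findings.append(Finding("block", tag, "not in approved catalog", route))
        elif approved[c.name].version != c.version:
            findings.append(Finding("warn", tag, f"version drift: approved {approved[c.name].version}", route))
        elif approved[c.name].license != c.license:
            findings.append(Finding("block", tag, f"licence differs from approval ({approved[c.name].license})", route))
        # 2. Licence policy for distributed products.
        if distributed and c.license in COPYLEFT_BLOCKED:
            findings.append(Finding("block", tag, f"{c.license} incompatible with proprietary distribution", route))
        # 3. Known vulnerabilities in the shipped version, severity taken from the CVSS score.
        for v in vulns:
            if v.component == c.name and is_affected(v, c.version):
                sev = "block" if v.cvss >= BLOCKING_CVSS else "warn"
                findings.append(Finding(sev, tag, f"{v.vuln_id} (CVSS {v.cvss}); fixed in {v.fixed_in}", route))
    return findings


def release_allowed(findings: Iterable[Finding]) -> bool:
    return not any(f.severity == "block" for f in findings)


def alerts_by_owner(findings: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Where-used routing: each owner sees only findings for components their projects use."""
    routed: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        for owner in f.owners:
            routed[owner].append(f)
    return dict(routed)


# Constructed data: approval records, vulnerability feed (SAMPLE-* ids are made up), where-used index.
APPROVED = {c.name: c for c in (Component("tomcat", "6.0.20", "Apache-2.0"),
                                 Component("struts", "2.1.8", "Apache-2.0"))}
VULNS = [Vuln("SAMPLE-0001", "tomcat", "5.5.0", "5.5.28", 7.5),
         Vuln("SAMPLE-0002", "struts", "2.0.0", "2.1.8", 5.0)]
WHERE_USED = {"tomcat": ["billing", "portal"], "struts": ["portal"], "fastcodec": ["portal"]}
OWNERS = {"billing": "alice@example.com", "portal": "bob@example.com"}
BOM = [Component("tomcat", "5.5.27", "Apache-2.0"),     # approved, but stale and vulnerable
       Component("struts", "2.1.8", "Apache-2.0"),      # matches its approval record
       Component("fastcodec", "0.9", "GPL-2.0-only")]   # never approved, copyleft


def example_findings() -> List[Finding]:
    return validate_bom(BOM, APPROVED, VULNS, WHERE_USED, OWNERS)


if __name__ == "__main__":
    for owner, items in alerts_by_owner(example_findings()).items():
        for f in items:
            print(f"{owner}: [{f.severity}] {f.component}: {f.reason}")
    print("release allowed:", release_allowed(example_findings()))
```

Running it yields four findings: tomcat is approved but at a drifted, vulnerable version (one warning, one block), struts is clean, and the unapproved copyleft codec produces two blocks. Both tomcat findings reach the billing and portal owners, while only the portal owner hears about the codec, which is the point of routing by where-used rather than broadcasting every alert.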
    32. Enterprise Code Search for Software Developers
        • Fast search and increased visibility
        • Integration with development tools / SCMs
        • Proven scalability to billions of lines of code
        Diagram: SCM (CVS, Subversion, File System) – Internal Code Index – Code Search – Developers
    33. Black Duck Suite Summary
        Features        Benefits
        Completeness    • Covers key processes – search, select, approve, validate and monitor
                        • Provides the industry’s most comprehensive knowledge base of OSS
        Automation      • Improves efficiency and speed in development and approval processes
                        • Ensures compliance with company policies
        Collaboration   • Enables stakeholders -- development, legal, security, IT, trade compliance and others -- to work together to achieve shared objectives
        Scalability     • “Enterprise-class” scalability, configurability, extensibility, and access-controlled security
                        • Meets the needs of the largest software development organizations
        Integration     • SDK with web services API
                        • Integrates with existing developer tools
                        • Certified “Ready for Rational”
    34. Why Black Duck
        • Pioneered the open source code analysis market in 2002
        • Leadership products and services for managing open source throughout the application life-cycle
        • Most comprehensive KnowledgeBase of open source software in the industry
        • Most experienced vendor with the largest customer base
        • Responsive 24x7 support, global presence
