nexB - Software audit for product release

As the use of open source software components grows across all industry supply chains, more customers are asking their suppliers to:
- Provide detailed information about the open source content of supplier products, and
- Proactively fulfill all attribution or software redistribution obligations associated with the open source components.

nexB offers a wide range of professional services to help software organizations identify and comply with software license obligations for open source and other third-party components. See http://www.nexb.com/services.html

Transcript

  • 1. nexB - Software Provenance Analysis and Code Audit © 2014 nexB Inc.
  • 2. Agenda • About nexB – What nexB does – Our experience • Software Provenance Analysis and Code Audit – Software Audit Process – Software Audit Tools – License Violation Risks & Recent Audit Issues • Additional Information – Why nexB? – Contact us – Lessons Learned
  • 3. About nexB What nexB does • Enable component-based software development – Software provenance analysis services – Software asset management tools • Software audit services – Acquisitions – Software product releases • Expertise in all software IP • Active OSS developers
  • 4. About nexB Our experience is our difference • nexB recognized by clients as: – experts in software origin analysis – a fair and trusted intermediary • nexB identifies issues along with practical remediation steps • 350+ software audit projects completed to-date
  • 5. Software Provenance Analysis and Code Audit Software Audit Process
  • 6. Software Provenance Analysis and Code Audit Software Analysis Scope [Figure: three code categories in scope – Original Code, Commercial Code, Open Source Code]
  • 7. Software Provenance Analysis and Code Audit Software Analysis Deliverables • Complete inventory of OSS and third-party components in Development codebase(s) • Bill of materials for Deployed product components • Specific Action items and recommended actions for resolution – Including possible exposure for older product versions – Detailed analysis for copyleft “contamination” • Checklist of commercial components as input for contract review
  • 8. Software Provenance Analysis and Code Audit Preparation – 1 week (1/2) • Establish NDA • Scope audit effort – Audit profile (questionnaire) – Size of code base: # files and lines of source code – Disclosure of known third-party and open source software – Onsite or remote access to the code • Prepare/agree quote – always fixed fee, no surprises • Schedule project
  • 9. Software Provenance Analysis and Code Audit License & Origin Analysis – 2 weeks (1/2) Analysis Activities • Discovery: scan files for license, copyright and other origin clues • Identification: match target code to reference code repository for origin and license detection (based on digital “fingerprints”) • Map Deployed code to Development code to: – Validate that we have a complete Development codebase – Filter issues based on the effective Deployed/Distributed code • Analyze software interaction and dependency patterns for copyleft-licensed components as needed • Additional domain-specific investigations, typically for embedded devices and applications of media codecs
  • 10. Software Provenance Analysis and Code Audit License & Origin Analysis (2/2) Results • Software Inventory and Bill(s) of Materials • Draft Action items & recommendations
  • 11. Software Provenance Analysis and Code Audit Review & Report – 1 week (1/2) Activities • Review draft findings with product team – Ask product team to respond to each Action item: accept the recommended solution or propose another approach; acknowledge & investigate; this is not a request to fix anything during the audit – Incorporate feedback and answers from product team into the Software BOM and Report • Complete final report – Second review cycle with product team – Release the report – Conference call with you to present findings & answer questions
  • 12. Software Provenance Analysis and Code Audit Review & Report (2/2) Results • Final Software Inventory / BOM spreadsheets • Final Report: narrative with executive summary, project data and summary of the Action items and Responses
  • 13. Software Provenance Analysis and Code Audit Software Audit Tools • nexB typically uses a combination of tools for a software audit – Our own DejaCode™ toolkit is the primary tool – Other tools used as needed or as licensed by a customer (open source or commercial) • Multiple layers of analysis – Discovery: direct scan for license and copyright notices – Identification: component matching for open source and publicly available third-party components (freeware/proprietary) – Analysis of source code and pre-built libraries (binary) – Interaction and dependency analysis as needed • Review and validation by software experts • All require expert humans to interpret the results!
  • 14. Software Provenance Analysis and Code Audit License Violation Risks [Figure: spectrum of license types from “source code available” to “binary-only”. Categories shown: Copyleft FOSS; Attribution; source with limitations (Proprietary); Free Software / Freeware / Shareware; Binary-only (Proprietary). Licenses and examples named on the slide: GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, EPL, Apache, Microsoft shared source, Sun SCSL, many Java libraries, Adobe Reader]
  • 15. Software Provenance Analysis and Code Audit Recent Audit Issue Examples • Dependency Issue “Workarounds” • License violation
  • 16. Software Provenance Analysis and Code Audit Emerging Audit Issue Examples • Cloud computing and Dual Licensing • Personal Devices and Application store markets
  • 17. Additional Information Why nexB (1/2) • 100% of our customers are repeat customers and references • We have a balanced approach – Automated code analysis AND analysis by software experts – Direct consultation with engineering, management and legal teams – Concrete Action items with nexB's recommended resolution
  • 18. Additional Information Why nexB (2/2) • Trusted third party – Mitigates confidentiality concerns – Enables objective analysis with appropriate consideration of feedback from all parties
  • 19. Additional Information Contact us Contact person: Pierre Lapointe, Customer Care Manager plapointe@nexb.com +1 415 287-7643 More information: http://www.nexb.com/