nexB - Software audit for product release


As the use of open source software components grows across all industry supply chains, more customers are asking their suppliers to:
- Provide detailed information about the open source content of supplier products, and
- Proactively fulfill all attribution or software redistribution obligations associated with the open source components.

nexB offers a wide range of professional services to help software organizations identify and comply with software license obligations for open source and other third-party components. See



  1. nexB - Software Provenance Analysis and Code Audit © 2014 nexB Inc.
  2. Agenda
     • About nexB
       – What nexB does
       – Our experience
     • Software Provenance Analysis and Code Audit
       – Software Audit Process
       – Software Audit Tools
       – License Violation Risks & Recent Audit Issues
     • Additional Information
       – Why nexB?
       – Contact us
       – Lessons Learned
  3. About nexB: What nexB does
     • Enable component-based software development
       – Software provenance analysis services
       – Software asset management tools
     • Software audit services
       – Acquisitions
       – Software product releases
     • Expertise in all software IP
     • Active OSS developers
  4. About nexB: Our experience is our difference
     • nexB recognized by clients as:
       – experts in software origin analysis
       – a fair and trusted intermediary
     • nexB identifies issues along with practical remediation steps
     • 350+ software audit projects completed to date
  5. Software Provenance Analysis and Code Audit: Software Audit Process
  6. Software Provenance Analysis and Code Audit: Software Analysis Scope
     [Diagram: Original Code, Commercial Code, Open Source Code]
  7. Software Provenance Analysis and Code Audit: Software Analysis Deliverables
     • Complete inventory of OSS and third-party components in Development codebase(s)
     • Bill of materials for Deployed product components
     • Specific Action items and recommended actions for resolution
       – Including possible exposure for older product versions
       – Detailed analysis for copyleft “contamination”
     • Checklist of commercial components as input for contract review
  8. Software Provenance Analysis and Code Audit: Preparation – 1 week (1/2)
     • Establish NDA
     • Scope audit effort
       – Audit profile (questionnaire)
       – Size of code base: number of files and lines of source code
       – Disclosure of known third-party and open source software
       – Onsite or remote access to the code
     • Prepare/agree quote – always fixed fee, no surprises
     • Schedule project
  9. Software Provenance Analysis and Code Audit: License & Origin Analysis – 2 weeks (1/2)
     Analysis Activities
     • Discovery: scan files for license, copyright and other origin clues
     • Identification: match target code to a reference code repository for origin and license detection (based on digital “fingerprints”)
     • Map Deployed code to Development code to:
       – Validate that we have a complete Development codebase
       – Filter issues based on the effective Deployed/Distributed code
     • Analyze software interaction and dependency patterns for copyleft-licensed components as needed
     • Additional domain-specific investigations, typically for embedded devices and applications of media codecs
  10. Software Provenance Analysis and Code Audit: License & Origin Analysis (2/2)
     Results
     • Software Inventory and Bill(s) of Materials
     • Draft Action items & recommendations
  11. Software Provenance Analysis and Code Audit: Review & Report – 1 week (1/2)
     Activities
     • Review draft findings with product team
       – Ask product team to respond to each Action item:
         • Accept recommended solution or propose another approach
         • Acknowledge & investigate
         • Not a request to fix anything during the audit
       – Incorporate feedback and answers from product team into the Software BOM and Report
     • Complete final report
       – Second review cycle with product team
       – Release the report
       – Conference call with you to present findings & answer questions
  12. Software Provenance Analysis and Code Audit: Review & Report (2/2)
     Results
     • Final Software Inventory / BOM spreadsheets
     • Final Report: narrative with executive summary, project data and summary of the Action items and Responses
  13. Software Provenance Analysis and Code Audit: Software Audit Tools
     • nexB typically uses a combination of tools for a software audit
       – Our own DejaCode™ toolkit is the primary tool
       – Other tools used as needed or as licensed by a customer (open source or commercial)
     • Multiple layers of analysis
       – Discovery: direct scan for license and copyright notices
       – Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
       – Analysis of source code and pre-built libraries (binary)
       – Interaction and dependency analysis as needed
     • Review and validation by software experts
     • All require expert humans to interpret the results!
  14. Software Provenance Analysis and Code Audit: License Violation Risks
     [Diagram: license spectrum from “source code available” to “binary-only”, with the categories Copyleft FOSS, Attribution FOSS, Free Software, source with limitations (Proprietary), Freeware / Shareware and Binary-only (Proprietary); examples shown: GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, EPL, Apache, Microsoft shared source, Sun SCSL, many Java libraries, Adobe Reader]
  15. Software Provenance Analysis and Code Audit: Recent Audit Issue Examples
     • Dependency Issue “Workarounds”
     • License violation
  16. Software Provenance Analysis and Code Audit: Emerging Audit Issue Examples
     • Cloud computing and Dual Licensing
     • Personal Devices and Application store markets
  17. Additional Information: Why nexB (1/2)
     • 100% of our customers are repeat customers and references
     • We have a balanced approach
       – Automated code analysis AND analysis by software experts
       – Direct consultation with engineering, management and legal teams
       – Concrete Action items with nexB-recommended resolution actions
  18. Additional Information: Why nexB (2/2)
     • Trusted third party
       – Mitigates confidentiality concerns
       – Enables objective analysis with appropriate consideration of feedback from all parties
  19. Additional Information: Contact us
     Contact person: Pierre Lapointe, Customer Care Manager, +1 415 287-7643
     More information:
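The Discovery and Identification layers described in slides 9 and 13 (scan files for license and copyright clues, match file fingerprints against a reference repository, then keep only the issues that affect Deployed code) can be sketched as a small Python audit. This is an added illustration, not code from the slides and not nexB's DejaCode toolkit; the codebase, the reference index, the license patterns and the owner name `Example Corp` are all constructed assumptions.

```python
import hashlib
import re

# Discovery patterns (constructed for this example): license clues and copyright
# notices a direct text scan can find; keys are SPDX-style license identifiers.
LICENSE_CLUES = {
    "GPL-2.0": re.compile(r"GNU General Public License", re.I),
    "LGPL-2.1": re.compile(r"GNU Lesser General Public License", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
}
COPYLEFT = {"GPL-2.0", "LGPL-2.1"}
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)|©)?\s*[\d,\s-]+[^\n*]*", re.I)

def fingerprint(text):
    """SHA-1 of whitespace-normalised text, so a re-indented copy still matches."""
    return hashlib.sha1(" ".join(text.split()).encode()).hexdigest()

def audit(codebase, deployed, reference, owner):
    """Scan each Development file for clues, match its fingerprint against the
    reference index, and raise an Action item only for files that are Deployed."""
    inventory = []
    for path, text in sorted(codebase.items()):
        licenses = sorted(k for k, rx in LICENSE_CLUES.items() if rx.search(text))
        m = COPYRIGHT_RE.search(text)
        notice = m.group(0).strip() if m else None
        component, ref_license = reference.get(fingerprint(text), (None, None))
        if ref_license and ref_license not in licenses:
            licenses.append(ref_license)  # reference match fills in a missing header
        is_deployed = path in deployed
        if is_deployed and COPYLEFT & set(licenses):
            action = "review copyleft obligations before release"
        elif is_deployed and not licenses and not (notice and owner in notice):
            action = "determine origin and license"  # unknown provenance in the product
        else:
            action = "none"
        inventory.append({"path": path, "licenses": licenses, "copyright": notice,
                          "component": component, "deployed": is_deployed, "action": action})
    return inventory

# Constructed sample Development codebase and reference index (not real files).
CODEBASE = {
    "src/app/main.c": "/* Copyright (c) 2014 Example Corp. All rights reserved. */\nint main(void){return 0;}",
    "src/lib/parser.c": "/* Copyright 2009 Someone\n * Licensed under the Apache License, Version 2.0 */\nvoid parse(void){}",
    "src/lib/crypto.c": "/* This program is free software under the GNU General Public License */\nvoid enc(void){}",
    "src/lib/util.c": "void util(void){}",  # no header: only a fingerprint match can identify it
    "test/mock.c": "/* GNU General Public License */\nvoid mock(void){}",  # test-only, never shipped
}
DEPLOYED = {"src/app/main.c", "src/lib/parser.c", "src/lib/crypto.c", "src/lib/util.c"}
REFERENCE = {fingerprint("void util(void){}"): ("libutil 1.0 (constructed)", "LGPL-2.1")}
```

Running `audit(CODEBASE, DEPLOYED, REFERENCE, "Example Corp")` flags the two deployed copyleft files (one found by its header, one only by fingerprint), leaves the Apache-licensed and owner-copyrighted files alone, and ignores the GPL test file because it is not in the Deployed set.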