
Optimizing The Cost Of Open Source Software Management


Tips for streamlining the open source license management process and maximizing your return on investment.

Published in: Software


  1. Optimizing The Cost Of OSS Management
     Leveraging OSS while managing your governance costs
     Protecode Inc. 2014, February 26th 2014
  2. Agenda (Normand Glaude, COO)
     - The Challenge
       – The depth of OSS increases governance costs
     - OSS Management Effort & Cost
       – Discovering what's in your code
       – Compliance with your policy
       – Security vulnerabilities and other attributes
       – Complying with license obligations
     - Automating OSS Management
       – Minimizing risks
       – OSS adoption process and the maturity model
       – Automating OSS adoption
     - Wrap up and Q/A
  3. Why OSS?
     - Open Source Software enables rapid software development
       – Easy access to code
       – Hundreds of thousands of projects
       – Enables new business models
       – The original crowdsourcing model (and the most successful)
     - The good:
       – Faster, more functional
       – Improves interoperability and the adoption of standards
     - The bad:
       – Uncertain ownership structure
         • Intellectual property: copyright, license
         • Maintenance and support
       – Perceived uncertain quality and security
       – Requires due diligence and a managed adoption process
  4. How much Open Source do I use?
     (Diagram: a proprietary application built on open source layers, including a common data layer, abstraction layers, GUI toolkit, plugins, GUI framework, artwork, widget library, ORM, scheduler, communications, installer, configurator, script, protocol & marshalling, encryption, compression, modeler, database server, cache, DB engine, DB management, application server and framework.)
  5. OSS Procurement Involves…
     - Taking inventory of 3rd party components
     - Clarification of IP ownership and licensing
     - Ensuring license models meet business expectations
     - Minimizing security risks
     - Eligibility to export (encryption)
     - Compliance with license obligations
  6. An example
     - A hypothetical organization
       – Fewer than 200 people
       – 3 releases per year
       – 5 years of cumulative development
     - Other assumptions:
       – An open source policy is already in place
       – No corrective actions are required
     - OSS management effort
       – Discovery of 3rd party components
       – Analysis
       – Compliance with obligations
  7. Discovery: Creating the BOM
     - Objective: identify all 3rd party content and its licensing attributes
     - Tasks:
       – Inspect all source code and build ingredients to create a Bill of Materials (BOM).
       – Key files:
         • Build files (makefile, POM files, etc.)
         • Text files containing license text
         • Text files that may make reference to licenses
         • Any other documentation
       – Determine the distribution method
         • Source? Binary? Deployment?
     - Effort: 2-5 days, depending on the portfolio size
  8. License Analysis
     - Objective: identify licensing implications
     - Tasks:
       – Interpret the license references and text to determine
         • A list of all obligations associated with each license
         • A list of license compatibility issues between licenses in the portfolio
       – Cross-reference BOM components, distribution and licenses to determine:
         • The licensing options for each open source component
         • Applicable obligations per 3rd party component
         • Compatibility issues that need to be rectified
     - Effort: 1-3 days
  9. Security Vulnerabilities
     - Objective: use the BOM to uncover published vulnerabilities
     - Tasks:
       – Cross-reference 3rd party components (BOM) with the NVD and other databases
       – Discover which ones apply to your product
       – The databases are available through web site searches and in downloadable XML formats.
     - Effort: 1-3 days
  10. Export Restrictions (Encryption)
      - Objective: identify all encryption software content to file for export permits
      - Tasks:
        – Identify all proprietary and 3rd party components using or implementing encryption algorithms
        – Examples: password protection, security certificates, secure communications (https), encoding, etc.
        – Prepare a list to apply for export permits
      - Effort: 1-3 days
  11. Attribution and Documentation
      - Objective: compliance with license obligations
        – Most open source licenses have an attribution clause
      - Tasks:
        – Produce a list of open source components in the product (BOM)
        – Prepare the complete text of each license present in the product
        – Package with the distribution and with the printed documentation
      - Effort: 0.5-2 days
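The Discovery, License Analysis, Security Vulnerabilities and Attribution steps on slides 7 to 11 can be exercised end-to-end on a small bill of materials. The Python below is an added example, not Protecode's tooling or any code from the deck: the components, the distribution policy and the vulnerability records are all constructed inline (a real run would read build files and the NVD feeds), and the CVE identifiers are placeholders.

```python
"""Added example: a minimal manual-style OSS checkup over a constructed BOM."""
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    license: str  # SPDX-style identifier, as found in the package's license file


# Constructed BOM, as the Discovery step would produce from build files and license texts.
BOM = [
    Component("libcompress", "1.2.8", "Zlib"),
    Component("netlib", "0.9.1", "GPL-2.0-only"),
    Component("jsonparse", "3.4.0", "MIT"),
]

# Constructed policy: licenses this (hypothetical) proprietary product may ship in binary form.
POLICY_ALLOWED = {"MIT", "BSD-3-Clause", "Apache-2.0", "Zlib"}

# Constructed vulnerability records; real data would come from NVD CPE match ranges.
VULN_DB = [
    {"product": "netlib", "affected_below": "1.0.0", "id": "CVE-PLACEHOLDER-0001"},
    {"product": "libcompress", "affected_below": "1.2.8", "id": "CVE-PLACEHOLDER-0002"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version into a comparable tuple, e.g. '1.2.8' -> (1, 2, 8)."""
    return tuple(int(p) for p in v.split("."))


def policy_violations(bom, allowed):
    """License Analysis: components whose license falls outside the distribution policy."""
    return [c.name for c in bom if c.license not in allowed]


def vulnerable_components(bom, vulns):
    """Security Vulnerabilities: BOM entries whose version is below a record's fixed version."""
    hits = []
    for c in bom:
        for v in vulns:
            if v["product"] == c.name and parse_version(c.version) < parse_version(v["affected_below"]):
                hits.append((c.name, c.version, v["id"]))
    return hits


def attribution_notice(bom):
    """Attribution: one line per component plus the set of license texts that must ship with it."""
    lines = [f"{c.name} {c.version} - licensed under {c.license}" for c in bom]
    return "\n".join(lines), sorted({c.license for c in bom})
```

Each function returns the list a reviewer would carry into the corrective-action table on slide 13; the vulnerability check deliberately does not flag libcompress, because 1.2.8 is already the record's fixed version.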
  12. Summary of the cost
      Cost for 1 release. Consider that subsequent releases will partially leverage existing information.
      (Table: manual effort per activity for Create BOM, License Analysis, Security Vulnerabilities, Encryption Content, Attribution and Documentation, and TOTAL.)
  13. Other Potential Costs and Risks
      Discovery and corrective action:
      - OSS license against policy
        • Seek a commercial arrangement
        • Change the distribution model
        • Replace the component and refactor code
      - Incompatible licenses
        • Seek a commercial arrangement
        • Change the distribution model
        • Replace the component and refactor code
      - Ambiguous licensing terms
        • Seek clarification from the IP owner
        • Seek a commercial arrangement
        • Replace the component and refactor code
      - Security vulnerabilities
        • Upgrade to the latest version, fix the problem
        • Replace the component and refactor code
      - Encryption content
        • Update the export control application
  14. When to do an OSS checkup?
      - A transaction trigger
      - M&A event
      - Tech transfer or commercialization
      - Collaboration (establishing background IP)
      - Product shipment
      - Preferably, regularly as part of a quality development process
      - Release checklist: at a minimum
      - Integrated into the development cycle: optimal
      License management is most effective when applied early in the development life cycle.
      (Chart: cost of compliance at different stages of development, across Development | Build/QA | In The Market; real-time preventative measures and periodic analysis during development, build-time and pre-launch analysis, then post-launch correction.)
  15. OSS Adoption Process (OSSAP) Maturity Model
      Stages:
      - Voluntary policy compliance with legal advice
      - Manual search and code review
      - In-house tools
      - Automated scanning with a reference database
      - Integrated tool suite within the software development cycle
  16. Introducing Automation Lowers Costs
      (Table: manual vs. automated effort for Create BOM, License Analysis, Security Vulnerabilities, Encryption Content, Attribution and Documentation, and TOTAL.)
      Actual cost varies with local labor rate.
  17. Automate your Workflow
      Workflow stages: Define Sprint, Write Code, Commit Code, Build Libraries, Release Software
      Automation along the workflow:
      - Use CA to pre-approve code
      - Use DA to monitor in real-time
      - Use CI tool to trigger EA scan, consume CSV file
      - Use CI tool to trigger artifact scan
      - Use ES to produce reports
  18. Reporting Options
      - Summary report
        – High-level view of the findings
        – Highlights key findings and areas requiring attention
        – Reference material on licenses found and best practices
      - Detailed reports
        – Detailed file-by-file
        – CSV export
        – License obligations
        – License incompatibilities
        – Text of all licenses applicable to software packages
        – Security vulnerabilities
        – Export Control Classification Numbers (ECCN)
      The first scan and review becomes a baseline. Subsequent scans are much quicker since they leverage existing data.
  19. Recap
      - OSS adoption has increased development pace
        – OSS is everywhere, and runs deep
      - OSS management
        – A big task, especially when portfolios are large and the work is done manually
      - Automated OSS management tools
        – Are effective in reducing the time spent on OSS management
        – Are more thorough, especially when used continuously
        – Provide an opportunity to minimize licensing ambiguity earlier in the development cycle
      Q&A: please type your questions into the chat box to the right.
  20. Protecode Corporate Summary
      - Overview
        – Software attributes management
        – Established in 2006
        – World-wide partner network
      - Products & services for software adoption
        – Products:
          • On-premises: Protecode System 4™, Protecode Compact™
          • Hosted: ProtecodeCloud
        – Services:
          • Software audit services
          • Code portfolio similarity assessment services
      - Value of Protecode solutions
        – Reduce IP uncertainties, highlight security vulnerabilities and ensure compliance
        – Accelerate time to market and reduce development cost