
Related OSS Projects - Peter Rowe, Flexera Software

Audience Level
Intermediate

Synopsis
Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process.

Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats.

This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies!

Speaker Bio:
Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.

Published in: Technology

Related OSS Projects - Peter Rowe, Flexera Software

  1. Attack of the Code Zombies II - The Lawyers’ Revenge
     Peter Rowe, prowe@flexerasoftware.com, @SLO_Djinn
     © 2017 Flexera Software LLC. All rights reserved. | Company Confidential
  2. Disclaimer!
     IANYL; // I am not _your_ lawyer;
     IANYP; // I am not _your_ programmer;
     Today’s session provides an introduction to managing Open Source Compliance and Vulnerabilities…
     …But only your lawyers can tell you what you need to do!
  4. Your Product Lives in a Deep Stack of OSS and Oh?$$ Web Services
  5. A Typical Application is 50% Open Source
     (chart segments: Code You Wrote; OSS Code You DO Know About (2%); OSS Code You DON’T Know About)
  6. Managing Vulnerabilities (Code Zombies) & Managing Compliance (Lawyers?)
  8. What is a Code Zombie?
     A ‘Zombie’ is an Open Source Component that lives on long after it was declared dead! Other terms you will hear are:
     • Component with known vulnerabilities
     • Stale component
     Versions of components that have had security vulnerabilities reported against them, with patches or updated versions available that fix these problems!
  9. We must be OK…. We’re using a static analysis tool…?
     • Static analysis is typically not used in a way that finds these types of vulnerabilities.
     • Licensing models for these tools often discourage scanning of large open source libraries.
     • The number of hits and false positives is prohibitive even if it is used to scan everything.
     • Vulnerabilities are not always caught via static analysis.
     • Wasted effort for components with known vulnerabilities!
  10. So what can you do?
      Review OSS components at lower levels to confirm compliance with the company’s OSS policies and detect vulnerabilities. Results from these reviews are used to:
      – Help make USE / DON’T USE decisions
      – Drive internal remediation activities to fix problems
      – Create bug reports for the upstream project
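The "zombie" definition on slide 8 and the USE / DON'T USE review on slide 10 amount to a simple check: does the version of a component we ship fall inside the affected range of a published advisory, and is a fixed release available to move to? The script below is an added example of that check, not code from the presentation or from Flexera. The component inventory and the advisories are constructed for illustration, and the `EXAMPLE-*` advisory ids are placeholders rather than real CVE numbers; in practice the inventory would come from a build manifest or SCA scan and the advisories from a vulnerability feed.

```python
"""Zombie-component review: flag OSS components whose recorded version falls
inside a published advisory's affected range and report the fixed release to
upgrade to. Added example, not code from the presentation or from Flexera.
The inventory and advisories below are constructed for illustration; the
advisory ids are placeholders, not real CVE numbers."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Convert '1.2.10' into (1, 2, 10) so versions compare numerically.
    Comparing the raw strings would wrongly rank '1.2.10' below '1.2.9'."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Advisory:
    component: str
    advisory_id: str            # placeholder id, constructed for this example
    introduced: str             # first affected version (inclusive)
    fixed: Optional[str]        # first fixed version; None means no fix published


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Finding:
    component: Component
    decision: str               # "USE" or "DON'T USE"
    reasons: List[str] = field(default_factory=list)
    upgrade_to: Optional[str] = None   # set only when every hit has a fixed release


def is_affected(comp: Component, adv: Advisory) -> bool:
    """A version is affected if introduced <= version < fixed (or no fix exists)."""
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def review(inventory: List[Component], advisories: List[Advisory]) -> List[Finding]:
    """Produce a USE / DON'T USE decision per component plus remediation hints."""
    findings = []
    for comp in inventory:
        hits = [a for a in advisories if a.component == comp.name and is_affected(comp, a)]
        if not hits:
            findings.append(Finding(comp, "USE"))
            continue
        reasons = [f"{a.advisory_id}: affected from {a.introduced}, "
                   f"fixed in {a.fixed or 'no release yet'}" for a in hits]
        upgrade = None
        if all(a.fixed for a in hits):
            # The highest fixed version clears every advisory at once.
            best = max(parse_version(a.fixed) for a in hits)
            upgrade = ".".join(str(n) for n in best)
        findings.append(Finding(comp, "DON'T USE", reasons, upgrade))
    return findings


# Constructed inventory: what a build manifest or SCA scan might report.
INVENTORY = [
    Component("pdfgen", "2.1.7"),
    Component("netutil", "0.9.3"),
    Component("jsonlib", "4.3.0"),
]

# Constructed advisories; EXAMPLE-* ids are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("pdfgen", "EXAMPLE-0001", introduced="2.0.0", fixed="2.1.10"),
    Advisory("pdfgen", "EXAMPLE-0002", introduced="2.1.0", fixed="2.1.8"),
    Advisory("netutil", "EXAMPLE-0003", introduced="0.9.0", fixed=None),
    Advisory("jsonlib", "EXAMPLE-0004", introduced="4.0.0", fixed="4.2.1"),
]

if __name__ == "__main__":
    for f in review(INVENTORY, ADVISORIES):
        line = f"{f.component.name} {f.component.version}: {f.decision}"
        if f.upgrade_to:
            line += f" (upgrade to {f.upgrade_to})"
        print(line)
        for r in f.reasons:
            print("   ", r)
```

Two details matter in practice: versions are compared as integer tuples, because a string comparison puts `2.1.10` before `2.1.8` and would hide a fix; and a component with an advisory but no fixed release is still DON'T USE, it just gets no upgrade target, which is where the "create a bug report for the upstream project" outcome from slide 10 comes in.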
  11. And What About the Lawyers?
  12. Open Source – Your Obligations
      Open Source is commonly confused with “Free” as in no-cost software! Open source may be free of cost, but it is not free of obligations! “Free as in speech, NOT as in beer.”
      Open Source licences have a list of obligations that users must follow in order to legally use the open source library under that licence. Your compliance actions depend on how you are using these OSS components, and most licences have multiple obligations.
  13. Why do you Need an Open Source Licence?
      Copyright law (in many places) means that all source is explicitly copyright EVEN if it is not marked! You have no right to use someone else’s code without permission. Open Source (and commercial) licences are the way of giving permission to use source code. Lack of a licence may indicate a lack of maturity for the OSS project? It is not Open Source if you don’t have a licence.
  14. So What Does Compliance Look Like?
      • You provide copyright notices in your About Box, Documentation etc.
      • You pass along licence text to your users.
      • You provide the source code for GPL, LGPL modules etc.
      • You mark changes in source files.
      • You pay required patent licensing.
      • You pay for commercial libraries as needed.
      • You respect web service SLAs.
      • You do this for every release.
  15. And Your Compliance Depends on the Delivery Method
      • Embedded Linux vs Application running on Linux – Are you shipping Linux or are your users bringing their own?
      • Client / Server – Some parts hosted, some parts distributed
      • Mobile applications – Classic distribution with some possible Appstore implications
      • Web / JavaScript front ends – JavaScript, HTML, CSS sent to users’ browsers
      • xaaS vs shipping product (e.g. a distribution) – Most OSS licences only come into effect upon Distribution!
  16. What’s different about xaaS?
      • Traditionally software was distributed to end users through physical means – Classic open source and commercial licences were written with this in mind.
      • Many open source licences only come into effect with classic distribution – Concerns about the GPL and the “ASP loophole”
      • xaaS projects are not distributed in the classic way but instead run on a network server – Users come to the software instead of the software coming to the users.
  17. So just what is the Affero GPL (AGPL)?
      The AGPL was designed to close the ASP loophole by treating network access as similar to a distribution. The basic intent is to require source code for the entire application to be offered to the end users!
  18. Common AGPL-Style Libraries
      The most common AGPL-style libraries we see are:
      • iText PDF generation library (dual licenced AGPL or commercial)
      • MongoDB (dual licence AGPL w/ exception or commercial)
      • Berkeley DB/Sleepycat (now AGPL or commercial)
      • Funambol (AGPL or commercial)
      • Ghostscript (now AGPL or commercial)
      • Neo4j (GPLv3/AGPL or commercial)
      • Magento (OSL – similar to the AGPL)
      Many of these are dual licenced with commercial options!
  19. xAAS Compliance – Top Concerns
      The AGPL is the classic concern for xaaS vendors… but there are other “AGPL-like” licences that include:
      • Common Public Attribution licence http://en.wikipedia.org/wiki/Common_Public_Attribution_licence
      • Open Software licence http://en.wikipedia.org/wiki/Open_Software_licence
      Plus, ALL the other licences that require review and compliance!
  20. Other xAAS Compliance Issues
      • Images, Icons, Fonts and Sounds
      • JavaScript and CSS
      • Patent licences
      • Private Installations
      • And…
  21. Other xAAS Compliance Issues
      • Images, Icons, Fonts and Sounds
      • JavaScript and CSS
      • Patent licences
      • Private Installations
      • Untracked Libraries with Vulnerabilities – Old versions of OSS libraries
  22. So what can you do?
      Review OSS components at lower levels to confirm compliance with the company’s OSS policies and detect vulnerabilities. Important components are looked at from a declared licence and a discovered subcomponent analysis perspective: the declared licence may be compliant, but the component may have unacceptable subcomponent licences. Results from these reviews are used to:
      – Help make USE / DON’T USE decisions.
      – Drive internal remediation activities to fix problems.
      – Create bug reports for the upstream project.
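Slide 22 makes the point that a component's declared licence can pass policy while a subcomponent buried inside it does not, and slide 13 adds that code with no licence at all is not open source you may use. The script below is an added example of a review that walks the whole component tree rather than stopping at the top-level declaration; it is not code from the presentation or from Flexera. The `APPROVED` and `REVIEW_REQUIRED` sets and the component trees are constructed for illustration only: which licences an organisation approves, and which it sends to its lawyers, is that organisation's own policy decision, so the sets here stand in for a policy rather than recommend one.

```python
"""Licence review of a component and its discovered subcomponents. The
component's declared licence may be fine while something nested inside it is
not, so the check walks the whole tree. Added example, not code from the
presentation or from Flexera. The policy sets and the component trees are
constructed for illustration; which licences your organisation approves or
sends for review is for your own legal team to decide."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed illustrative policy, using SPDX-style identifiers.
APPROVED = {"MIT", "BSD-3-Clause", "Apache-2.0"}
# Licences the presentation singles out for attention: copyleft, and the
# "AGPL-like" network licences (AGPL, OSL, CPAL) that matter for xaaS delivery.
REVIEW_REQUIRED = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0", "OSL-3.0", "CPAL-1.0"}


@dataclass
class Component:
    name: str
    declared_licence: Optional[str]                   # None = no licence found
    subcomponents: List["Component"] = field(default_factory=list)


@dataclass
class Issue:
    path: str                  # root/child/grandchild, so the finding is locatable
    licence: Optional[str]
    verdict: str               # "NO LICENCE", "REVIEW" or "UNKNOWN LICENCE"


def walk(comp: Component, prefix: str = "") -> Iterator[Tuple[str, Component]]:
    """Depth-first traversal yielding (path, component) for the whole tree."""
    path = f"{prefix}/{comp.name}" if prefix else comp.name
    yield path, comp
    for sub in comp.subcomponents:
        yield from walk(sub, path)


def audit(root: Component) -> List[Issue]:
    """Collect every component in the tree whose licence is not approved."""
    issues = []
    for path, comp in walk(root):
        lic = comp.declared_licence
        if lic is None:
            # No licence means no permission to use the code at all.
            issues.append(Issue(path, lic, "NO LICENCE"))
        elif lic in REVIEW_REQUIRED:
            issues.append(Issue(path, lic, "REVIEW"))
        elif lic not in APPROVED:
            issues.append(Issue(path, lic, "UNKNOWN LICENCE"))
    return issues


def decision(root: Component) -> str:
    """USE when every licence in the tree is approved; DON'T USE when any part
    has no licence at all; otherwise REVIEW so the lawyers can look at it."""
    issues = audit(root)
    if any(i.verdict == "NO LICENCE" for i in issues):
        return "DON'T USE"
    if issues:
        return "REVIEW"
    return "USE"


# Constructed component tree: the top-level declared licence looks compliant,
# but a nested PDF module carries the AGPL and an icon set has no licence.
FRONTEND = Component("webapp-frontend", "MIT", [
    Component("charting", "Apache-2.0", [
        Component("pdf-export", "AGPL-3.0"),
    ]),
    Component("icons", None),
])

# Constructed tree with nothing to flag.
UTILS = Component("string-utils", "MIT", [Component("unicode-tables", "BSD-3-Clause")])

if __name__ == "__main__":
    for root in (FRONTEND, UTILS):
        print(f"{root.name} (declared {root.declared_licence}): {decision(root)}")
        for issue in audit(root):
            print(f"    {issue.verdict:15} {issue.path} [{issue.licence}]")
```

Each finding carries the full path from the top-level component down, so a reviewer can see that `webapp-frontend` is MIT but `webapp-frontend/charting/pdf-export` is AGPL, which is exactly the declared-versus-discovered gap the slide describes. The missing-licence case is treated as a hard stop, while the copyleft and AGPL-like cases are routed to review rather than decided by the script.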
  23. But….. How to get Developers to “Buy-In”?
      Developers want to ship and often route around processes… especially if it’s not clear why the process exists!
      • Attribution – “We should give credit where credit is due”
      • Legal / Audit / Good Practice – “We are required to!”
      • Quality / Security – “War stories”
      • The Open Source Ethos – “Help those who help us”
  24. Create a Process That Works for Your Organisation…
      Steps for Implementing an Open Source Management System (diagram): Audit Existing Code Against Policy; Develop New Code; Comply; Use OSS; Fix Issues; Create Policy; Review OSS Request; Request Use of OSS
  25. … And make it EASY, EFFICIENT and AUTOMATED!
      Steps for Implementing an Open Source Management System (diagram): Audit Existing Code Against Policy; Develop New Code; Comply; Use OSS; Fix Issues; Create Policy; Review OSS Request; Request Use of OSS
  26. And Specifically for OpenStack
      If you use OpenStack, protect against vulnerabilities and IP concerns as you build your products. Analyse open source materials you may be submitting to OpenStack. Analyse modules you get from OpenStack and OpenStack partners to validate IP and security checkpoints.
  27. And if You Find Things You Should Not be Using…?
      • Remove and Re-Write.
      • Get new OSS components.
      • Contact the author and ask for a licence.
      • Wait and see!
  28. Disclaimer!
      IANYL; // I am not _your_ lawyer;
      IANYP; // I am not _your_ programmer;
      Today’s session provides an introduction to managing Open Source Compliance and Vulnerabilities…
      …But only your lawyers can tell you what you need to do!
  29. But here are a few suggestions…. Come and talk to us… and possibly win a prize.
      Email: prowe@flexerasoftware.com
      Twitter: @SLO_Djinn
      Flexera Website: https://goo.gl/ZA2ecI
