Palamida Open Source Compliance Solution


Open Source Software:
The Intersection of IP and Security

Published in: Technology, News & Politics
  • Here’s a typical example from an audit we did in 2007. This is from a well known enterprise software company. They were very diligent about keeping track of what was going into their software and had catalogued 303 open source components they were using. But as you can see here they were way off base and the actual number was 838. We discovered 535 components—big moving parts critical to their product—that they had no idea were there. And there is nothing unique about their situation. We have seen something similar in every audit we’ve ever done. Based on our experience it is a virtual certainty that your company’s software is similar. This means that you are using components that probably have known security exploits that are listed in the NVD, and that your undocumented code is also unpatched and un-upgraded.

    1. Open Source Software: The Intersection of IP and Security. April 2012. Copyright © 2012 Palamida, Inc.
    2. 1995: F22 software (avionics only), ~1.7M LOC
    3. 2012: F22 software (avionics only), ~1.7M LOC. “It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway” (IEEE Spectrum, February 2009; image: General Motors)
    4. New Ways of Composing Services. Cloud Computing: “… a style of computing in which massively scalable IT-related capabilities are provided ‘as a service’ using Internet technologies to multiple external customers.” (Definition: Gartner Group)
    5. Smarter Devices
    6. The point is…
    7. More and Better… Software
    8. Less Time In…
    9. And with… Smaller Budgets
    10. Today’s Reality… A software development organization cannot be competitive without widespread use of open source.
    11. Gartner OSS Predictions
       • By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.
       • By 2014, 50% of Global 2000 organizations will experience technology, cost and security challenges through lack of open-source governance.
       • By 2015, OSS will be used and adopted to help enable over 60% of platform-as-a-service (PaaS) services.
       • By 2014, 30% of applications running on proprietary versions of Unix will be migrated to OSS-based Linux on x86.
       • By 2014, those organizations with effective, open-source community participation will consistently deliver high returns from their open-source investments.
       • By 2013, up to 50% of Global 2000 non-IT enterprises will contribute to at least one OSS project.
       • By 2016, 50% of leading non-IT organizations will use OSS as a business strategy to gain competitive advantage.
       Source: Predicts 2011: Open-Source Software, the Power Behind the Throne, 23 November 2010, ID:G00209180
    12. Typical Software Project Metrics. What is this software project trying to tell you?
       • 2.9 GB
       • 87,863 files
       • 8,535,345 LOC
       • Copyright holders: ~350
       • Binaries/Archives/JARs: 1207
    13. There is probably a lot of content that you don’t know about. Audit example:
       • Size: 15.9 GB
       • LOC: 59.1M
       • Documented OS components: 303
       • Undocumented OS components: 535
       • Total: 838
       • % LOC from Open Source: 60-65%
    14. It’s Likely Your Disclosure of 3rd Party Content is Incomplete… [Bar chart: “Open Source Components Disclosed In Advance of Audit vs. Undisclosed”; 13 audit projects on the x axis, component count 0–350 on the y axis, series “Disclosed” and “Undisclosed”. Source: Palamida Audit Projects]
    15. …With License Terms that May Be Problematic [Bar chart: “Audit Breakdown by License”; y axis TOTAL %, 0%–30%. Source: 2010 Year to Date Audit Engagements Performed by Palamida Professional Services]
    16. Open Source is not somehow “different”. From Plaintiffs’ Memorandum of Law in Support of Their Motion for Preliminary Injunction Against Defendants Best Buy, Co., Inc. and Phoebe Micro, Inc. (Software Freedom Conservancy, Inc. and Erik Andersen; filed 1/31/11): “Plaintiffs would be happy to settle this matter with Best Buy and Phoebe Micro if they either (i) ceased all distribution of BusyBox or (ii) committed to distribute BusyBox in compliance with the free and open source license terms under which Plaintiffs offer BusyBox to the world. Plaintiffs have patiently worked with Best Buy and Phoebe Micro to bring their products into compliance with the license, but unfortunately have now concluded that those efforts are destined to fail because neither Best Buy nor Phoebe Micro has the capacity and desire to meet either of Plaintiffs’ demands for settlement. As such, Plaintiffs are forced to protect their interests in BusyBox by now respectfully moving for a preliminary injunction, pursuant to Rule 65, enjoining and restraining defendants Best Buy and Phoebe Micro from any further copying, distribution, or use of their copyrighted software BusyBox.”
    17. Software IP is a potent competitive weapon. “Love, Larry: Here Is the Oracle Statement and Final Complaint Versus Google”, by Kara Swisher, posted on August 12, 2010 at 6:46 PM PT: “This afternoon, the database software giant said it was suing Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system software.”
    18. And Open Source Is Not Immune to Vulnerabilities [Bar chart: “Vulnerabilities in Popular Open Source Projects”, source: National Vulnerability Database. Projects on the x axis: Apache Tomcat, jQuery, GNU C Library, libpng, LibTIFF, OpenSSL, Zlib, Libcurl, Libxml2, OpenSSH. Bar values shown: 89, 61, 60, 41, 31, 27, 11, 5, 5, 1 (value-to-project mapping not recoverable from the slide text).]
    19. “Oh No, was Hacked”, by Susan Linton, Aug. 31, 2011: “A notice appeared on today informing visitors that the servers housing the Linux kernel source code had been hacked earlier this month. The breach was discovered yesterday and maintainers believe the source code itself is unaffected.” Source:
    20. August 2011: “‘Devastating’ Apache bug leaves servers exposed. Devs race to fix weakness disclosed in 2007.” “Attack code dubbed ‘Apache Killer’ that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system.” (August 14, 2011)
    21. [Dependency diagram: “Mango OSS Components”, with nested boxes “DWR OSS Components”, “Scriptaculous Components” and “Apache Spring Framework Components”. Mango components listed: Quartz Enterprise Job Scheduler, Apache Commons Logging, Apache Jakarta Taglibs, Spring Framework, JfreeChart, Apache Jakarta Commons, Freemarker, Jcommon Utility Classes, Apache-db-derby, Apache Log4J, JavaMail API, MySQL, SAX: Simple API for XML, J2EE Java2 SDK Activation, AQP Alliance, DWR Direct Web Remoting, pngencoder, git-MM JDBC driver, Apache Xerces. Components listed inside the nested boxes: Apache Struts, PrototypeJS 1.5.0, Hibernate, Beehive, WebWork, Backport Util Concurrent, Google Injection Framework. “NVD Reported Vulnerabilities” call-outs: Scriptaculous: 1; two further boxes show 4 and 0.]
    22. Risk is Risk. And you can’t mitigate risk you don’t know you have.
    23. [image only]
    24. What to Do Tomorrow
       • Set up an OSRB or equivalent
       • Establish your policy for use of externally sourced software
       • Don’t stop at IP, include security
       • Audit any software acquired via M&A
       • Evaluate compliance alternatives, and get started
    25. Open Source Review Board
       • Comprised of Legal, Development and Security
       • Review and approve policy for externally sourced software
       • Establish the scope of information required and retained (the request form)
       • Case-by-case use decisions
       • Review and approve the policy for compliance with obligations
       • Reports to CFO, GC, VP Engineering or others periodically on compliance status
    26. Policy
       • What is the name and version of this software component?
       • Where is it used?
       • What is the license?
       • Is this component in a software product that ships to customers?
       • Does this component contain known vulnerabilities?
       • Have we modified this component?
       • When was the last time we checked this software for version and vulnerability?
       • Does this component contain encryption?
       • Have we added this component to the notices file?
    27. Mergers and Acquisitions (and outsourced development)
       • Make code audit a contract item
       • Don’t rely on reps regarding code content – typically 3-5x more found than disclosed
       • Use outside firms to maintain an “arms-length” relationship
       • Factor in remediation costs
       • Don’t integrate the code with yours until you are confident of origin
    28. What Acquiring Firms Are Concerned About Today
       • GPL and other viral licenses (esp. v3.0)
       • Affero GPL
       • Commercial content and libraries
       • Restrictions on commercial use or field of use (e.g. no military use)
       • Cryptography
       • Code with unknown licenses
       • % of undisclosed content
    29. Evaluate Compliance Alternatives, and Get Started
       • In-house process
       • External professional services – periodic reports
       • In-house system
         • Owned by development
         • Used by development, legal and security
         • System of record for policy and content
       • The first pass is the most time-consuming – consider an outside audit to populate the internal system
    30. Key Questions to Ask…
       • How High is the Bar?
       • What is “Good Enough”?
       • Have You Scanned Everything? [Probably Not!]
       • What’s Out There That’s Hard, But Important?
    31. How High Is the Bar?
       • More Linux kernel and related materials “in scope”
       • More interest in historical versions / installed base
       • Open Source projects requiring more internal deep reviews
       • Management signing off on Bill of Materials or equivalent
       • More divestitures, concern about internal process exposure
    32. What Is “Good Enough”?
       • The Community is getting more savvy and vocal
       • The “Community” includes commercial vendors $$$$$
       • More internal emphasis on tracking down source for LGPL binaries – compliance and disaster recovery
       • Customers are demanding more; at delivery and at contract signing
       • Scanning is occurring at internal and external touch points
       • More historical versions being reviewed at M&A time
       • A supplier to my supplier is MY supplier!
    33. Have You Scanned Everything [Probably Not]?
       • Java: Maven becoming more prevalent
       • C/C++/etc.: GitHub remote repositories
       • Commercial source compiled on laptop
       • Binary analysis bar is being raised
       • Where did all these binaries come from? 1000 to 10,000+
       • More naïve companies requiring scans / bad advice
       • Web services
       • Post-acquisition discovery of missing code
    34. What’s Out There That Is Hard, But Important?
       • Object-oriented design issues (esp. C++/Java/C#)
       • Header file cut-and-pastes (the Google Bionic issue)
       • Binaries and subcomponents
       • Code with unknown licenses – more every day
       • Popular projects with bad licenses (Code Project CPOL or Stack Overflow CC BY-SA)
       • Employees that travel with “Toolkits”: “Wall St. Programmer Guilty of Code Theft”
    35. What’s In Your Code?
    36. Open Source Software: The Intersection of IP and Security. April 2012
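Slide 20 describes the “Apache Killer” pattern from a defender’s point of view: one request carrying many overlapping byte ranges. The script below is an added example written for this page, not Palamida’s code or product. It parses HTTP Range headers and flags requests that carry more ranges than an assumed threshold, a backwards range, or ranges that overlap; the threshold, the request records and the header values are all constructed for illustration.

```python
"""Detection logic for abusive HTTP Range headers of the kind slide 20
describes: many, overlapping or backwards byte ranges in one request.
Added example for this page, not Palamida's code.  The sample requests
and the threshold are constructed, not captured traffic or site policy."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed site policy: legitimate clients rarely send more than a handful
# of ranges per request.  Tune after measuring real traffic.
MAX_RANGES = 5

RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

Range = Tuple[Optional[int], Optional[int]]  # (start, end); None = open side


def parse_range_header(value: str) -> Optional[List[Range]]:
    """Parse 'bytes=a-b,c-d,...' into (start, end) pairs.
    Returns None when the header is not a byte-range set at all."""
    if not value.lower().startswith("bytes="):
        return None
    ranges: List[Range] = []
    for spec in value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is None and end is None:
            return None  # a bare '-' is not a byte range
        ranges.append((start, end))
    return ranges


def ranges_overlap(ranges: List[Range]) -> bool:
    """True if two ranges cover a common byte.  Suffix ranges ('-N') always
    share the final bytes with each other; open-ended ones ('N-') run to the
    end of the representation, so anything starting later overlaps them."""
    suffixes = [r for r in ranges if r[0] is None]
    if len(suffixes) >= 2:
        return True
    absolute = sorted((s, e if e is not None else float("inf"))
                      for s, e in ranges if s is not None)
    for (_, e1), (s2, _) in zip(absolute, absolute[1:]):
        if s2 <= e1:
            return True
    return False


def flag_range_header(value: str) -> Optional[str]:
    """Return a reason string when the Range header looks abusive, else None.
    Checks run cheapest-first; the count test alone catches the bulk case."""
    ranges = parse_range_header(value)
    if ranges is None:
        return None
    if len(ranges) > MAX_RANGES:
        return f"too many ranges ({len(ranges)} > {MAX_RANGES})"
    if any(s is not None and e is not None and s > e for s, e in ranges):
        return "malformed range (start > end)"
    if ranges_overlap(ranges):
        return "overlapping ranges"
    return None


def scan_requests(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply flag_range_header to each request; return (request line, reason)."""
    flagged = []
    for req in requests:
        reason = flag_range_header(req.get("Range", ""))
        if reason:
            flagged.append((req["line"], reason))
    return flagged


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"line": "GET /index.html HTTP/1.1"},
    {"line": "GET /video.mp4 HTTP/1.1", "Range": "bytes=0-1023"},
    {"line": "GET /index.html HTTP/1.1", "Range": "bytes=0-499,200-699"},
    {"line": "GET /index.html HTTP/1.1", "Range": "bytes=0-,1-,2-,3-,4-,5-,6-"},
]

if __name__ == "__main__":
    for line, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{line}: {reason}")
```

The same `flag_range_header` check can sit in front of a web server as a request filter or be run over access logs that record the Range header; either way the count threshold is the check to tune first, since a single oversized header is the distinguishing feature of the pattern the slide quotes.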
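Slides 13 and 26 together describe the two checks a compliance program has to run: reconciling what the team catalogued against what a code scan actually finds (303 documented versus 838 present in the audit example), and answering the policy questions for every component. The script below is an added example, not Palamida’s software. It encodes the slide 26 questions as an inventory record, reports which components need action, and lists the components a scan found that the catalogue lacks; the component names, licenses, NVD-style vulnerability counts and the 90-day re-check policy are all constructed assumptions.

```python
"""Inventory check built from the slide 26 policy questions and the
documented-vs-discovered gap on slide 13.  Added example, not Palamida's
software; every component, license, date and vulnerability count below
is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ComponentKey = Tuple[str, str]  # (name, version)


@dataclass
class Component:
    """One answer sheet for the policy questions on slide 26."""
    name: str
    version: str
    license: str
    used_in: str                   # Where is it used?
    ships_to_customers: bool       # In a product that ships to customers?
    modified: bool                 # Have we modified it?
    last_checked: Optional[date]   # Last version/vulnerability check
    contains_encryption: bool
    in_notices_file: bool

    @property
    def key(self) -> ComponentKey:
        return (self.name, self.version)


# Constructed stand-in for an NVD lookup: reported vulnerability count.
KNOWN_VULNS: Dict[ComponentKey, int] = {
    ("libfoo", "1.2.0"): 3,
    ("webkitlib", "0.9"): 1,
}

# Assumed policy: every component is re-checked at least quarterly.
MAX_CHECK_AGE_DAYS = 90


def undocumented_components(documented: Set[ComponentKey],
                            discovered: Set[ComponentKey]) -> List[ComponentKey]:
    """Components a scan found that the catalogue does not list
    (the 535-of-838 gap from slide 13)."""
    return sorted(discovered - documented)


def policy_findings(c: Component, today: date,
                    vulns: Dict[ComponentKey, int] = KNOWN_VULNS) -> List[str]:
    """Answer each policy question for one component; return those needing action."""
    findings: List[str] = []
    n = vulns.get(c.key, 0)
    if n:
        findings.append(f"{n} known vulnerabilities reported")
    if c.last_checked is None:
        findings.append("never checked for version/vulnerability")
    else:
        age = (today - c.last_checked).days
        if age > MAX_CHECK_AGE_DAYS:
            findings.append(f"last checked {age} days ago")
    if c.ships_to_customers and not c.in_notices_file:
        findings.append("ships to customers but missing from notices file")
    if c.modified:
        findings.append("modified locally: confirm license obligations for modifications")
    if c.contains_encryption:
        findings.append("contains encryption: flag for export/cryptography review")
    return findings


def compliance_report(inventory: List[Component], today: date) -> Dict[str, List[str]]:
    """Map 'name version' to its open findings; clean components are omitted."""
    report: Dict[str, List[str]] = {}
    for c in inventory:
        findings = policy_findings(c, today)
        if findings:
            report[f"{c.name} {c.version}"] = findings
    return report


# Constructed catalogue (what the team documented) and constructed scan output.
INVENTORY = [
    Component("libfoo", "1.2.0", "BSD-3-Clause", "image service", True, False,
              date(2012, 1, 5), False, True),
    Component("zipthing", "2.0", "MIT", "installer", True, False,
              date(2012, 4, 1), False, False),
    Component("cleanlib", "3.1", "Apache-2.0", "build tools", False, False,
              date(2012, 4, 10), False, False),
]
DOCUMENTED = {c.key for c in INVENTORY}
DISCOVERED = {("libfoo", "1.2.0"), ("zipthing", "2.0"),
              ("webkitlib", "0.9"), ("tinyxml", "1.0")}
AUDIT_DATE = date(2012, 4, 15)  # constructed "today" for the report

if __name__ == "__main__":
    print("undocumented:", undocumented_components(DOCUMENTED, DISCOVERED))
    for name, findings in compliance_report(INVENTORY, AUDIT_DATE).items():
        print(name, "->", "; ".join(findings))
```

Two design points follow from the slides: `undocumented_components` is the check that makes the rest meaningful, because a policy answered only for catalogued components misses the majority the audit example found; and `last_checked` is a date rather than a flag so that “when was the last time we checked” produces an age that policy can compare against a deadline.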