The presentation discusses the importance of compliance with the U.S. Department of Defense's Unified Capabilities Approved Products List (APL) for vendors like ScienceLogic. It highlights the challenges of managing open source components and vulnerabilities in software development, alongside best practices for utilizing tools like Black Duck for security audits. Scott Martin emphasizes the significance of timely updates and continuous investment in security measures to meet compliance standards.

1. Many Paths to
Compliance
The ScienceLogic / Black Duck story
Scott Martin
Director of Security and Compliance
ScienceLogic
Black Duck Customer Conference 1

2. About Scott
2Black Duck Customer Conference
• Over 20 years experience in
many areas of IT
• Government
• ISP
• Finance
• Nearly 10 years with ScienceLogic
• Director of Quality Assurance
• Director of Security and Compliance

3. 3Black Duck Customer Conference
• HQ in Washington DC
• MSP, Enterprise & Government Customers
• Sales offices in US, EMEA, APAC
About ScienceLogic

4. 4
Our Customers
Black Duck Customer Conference
Service Providers Enterprises Government

5. ScienceLogic Architecture Overview: Distributed
5Black Duck Customer Conference
Physical or virtual
appliance
Collectors
Collectors
Collectors
Cloud
Hosted / Colocation
Data center

6. Cognitive Reflection Test
Developed by Professor Shane Frederick, Massachusetts Institute of Technology
Questions
You have a total of 90 seconds, or 30 seconds per question:
1. A bat and a ball cost $1.10 in total. The bat costs $1 more than the ball. How much does the
ball cost?
2. If it takes five machines five minutes to make five widgets, how long does it take 100
machines to make 100 widgets?
3. In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days
for the patch to cover the entire lake, how long would it take for the patch to cover half of
the lake?
ANSWERS
1. 5 cents 2. 5 minutes 3. 47 days
6Black Duck Customer Conference

7. • Which are you?
• Impulsive?
• Thoughtful and reflective?
Cognitive Reflection Test
7Black Duck Customer Conference

8. Thoughtful is Better at ScienceLogic
• Over 1000 discrete open source or commercial components
across 3 products
• Across 4 operating system variants
• Over 2,000 new vulnerabilities each year
8Black Duck Customer Conference
0
1000
2000
3000
4000
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Open Source Vulnerabilities Reported Per Year
nvd vulndb-exclusive

9. Major Business Challenges
• The Department of Defense (DOD) Unified Capabilities (UC)
Approved Products List (APL) compliance
• Critical differentiator for public and private sector clients
• Dynamic Development
• Ensuring supportable, low-risk decisions while remaining agile
• Appliance-based application
• Deliver entire Operating System
• Demanding investors
• $80M+ from Goldman Sachs, Intel Capital, and others
9Black Duck Customer Conference

10. Role of U.S. DoD UC APL Certification
10Black Duck Customer Conference
What is it?
• Single consolidated list of products that
have completed Interoperability (IO) and
Information Assurance (IA) certification
Who is it for?
• U.S. Department of Defense (DoD)
networks
• Other Government Agencies use it as a
standard in which to judge suitability

11. Role of U.S. DoD UC APL Certification
11Black Duck Customer Conference
Why is it important?
• The APL is the only listing of equipment by
approved by DoD
• DoD entities are required to fulfill their system
needs by only purchasing APL listed products
• Provided one of the listed products meets their
needs
• The APL must be consulted prior to
purchasing a system or product
• Only then may DoD go off list apply for an
exception

12. DoD UC APL Certification Process
12Black Duck Customer Conference
Requires significant
investment
Continuous
process
Standard that
vendors
should target
ScienceLogic
has made the
investment for
our customers

13. DoD UC APL
13Black Duck Customer Conference

14. ScienceLogic addresses critical security issues within
24 hours, important issues within a week & all other
issues are updated quarterly or in next available
release.
From Black Duck Open Source Security Audit Report:
• On average, open source makes up over a third
of the code base in the average commercial
application.
14
Managing Customer Expectations on our Platform
Black Duck Customer Conference

15. • The applications Black Duck analyzed, on average, included over 100 unique
open source components
• ScienceLogic has over 1,000 components across three code bases
• Keeping track of vulnerabilities and updates is a challenge
• The component count was well above what ScienceLogic believed
they were using. Leading to questions about…
• Vulnerabilities in used components
• Compliance with all licenses in use
15
Managing Customer Expectations on our Platform
Black Duck Customer Conference

16. Legacy Code Base
DoD UC APL compliance
• Open Source in Used
• All source must be accounted for
• Original developers not with the company
• Source code must come from a verifiable source
• Minimal documentation
• Must update all packages as they come available
• GEN000120 – “System security patches and updates must be installed and up-to-
date.”
• This applies to all packages, not just ones that are part of the OS
• Without Black Duck this would not be possible
16Black Duck Customer Conference

17. Appliance-based Application
17Black Duck Customer Conference
• Managing internal use of OS
• Single platform for multiple
appliances
• Specialized builds of OS
• Red Hat
• CentOS
• Oracle Linux
• Handling of Red Hat’s versioning
scheme
• Multitude of package updates

18. Protex/Code Center/The Hub
• Protex
• Extremely powerful
• Highly Accurate
• Moderately Easy to Use (once you understand the layout)
• Could use a facelift
• Code Center
• Still our go to for approvals and vulnerabilities
• Manage component is bulk
• The Hub
• Clean layout
• Easy to use and understand
• Shows great potential
18Black Duck Customer Conference

19. Lessons Learned
Black Duck best practices and recommendations
• Get Training
• Mistakes are painful
• Use Black Duck for initial scans
• Don’t use temporary help
• Do your research
• Protex has multiple matches on same project
19Black Duck Customer Conference

20. 20Black Duck Customer Conference
Scott Martin
Director of Security and
Compliance
@pscottmartin
smartin@sciencelogic.com
www.sciencelogic.com
Questions?

21. Thank You
21Black Duck Customer Conference

22. Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET 22Black Duck Customer Conference

23. Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET 23Black Duck Customer Conference

24. Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET 24Black Duck Customer Conference

25. Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET 25Black Duck Customer Conference

26. Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET
Use this for expressing
vulnerabilities
26Black Duck Customer Conference

27. 27
Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNETBlack Duck Customer Conference

28. 28
Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNETBlack Duck Customer Conference

29. 29
Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNETBlack Duck Customer Conference

30. 30
Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNETBlack Duck Customer Conference

31. 31
Assets - Icons
Need an icon but don’t see it? Contact Rachel Felson for a custom one.
DO NOT PULL FROM THE INTERNET
Use this for expressing
vulnerabilities
Black Duck Customer Conference

32. For Additional Help
If you need assistance with graphics or have questions about the
deck please contact Rachel Felson at rfelson@blackducksoftware.com
32Black Duck Customer Conference