Downloaded 11 times
Uploaded byBlack Duck by Synopsys
FLIGHT Amsterdam Presentation - From Protex to Hub
The document outlines the evolution of Dynatrace from using Protex for yearly scans to adopting Black Duck Hub for daily scans, reflecting significant advancements in product development and user experience over the years. It describes various challenges faced, including GPL license issues, and the transition to more efficient scanning methods that integrate well into continuous integration systems. The ultimate goal was to achieve a zero high license risks environment, while maintaining consistent software security and compliance as part of a secure development lifecycle.
More Related Content
Similar to FLIGHT Amsterdam Presentation - From Protex to Hub
More from Black Duck by Synopsys
FLIGHT Amsterdam Presentation - From Protex to Hub
- 1. From Protex toHub from yearly to daily scans a true story @Michael_Plank Dynatrace
- 2. A true storyabout the transition from ... Protex Hub yearly daily scans hate love
- 3. Dynatrace AppMon 10years ago 1 release per year
- 4. Dynatrace today 1 releaseper day Major new features every 2 weeks
- 5. 10 years ago: •FEATURES •FEATURES •FEATURES •Majorupdates every year Product development has changed Today: •User experience •Ease of use •Major updates every day Tools that didn’t grow up, fail in todays fast development processes
- 6.
- 7. Me (Michael) Little me(Julian) Wife (Manuela) Little her (Samuel)
- 8. Experience 2003 2008 20112014 2017
- 9. Product Security Team(Linz Austria)
- 10. Dynatrace • 1700 employeesWW • APM, DPM • Cloud monitoring • Automate everything • NoOps
- 11.
- 12.
- 13. once upon atime... � Protex and Dynatrace AppMon
- 14. • Eclipse richclient • Millions of features • 1-2 releases per year • Parent company Compuware owned Protex license • Part of release was to run Protex scan • ~20.000 problems detected! Dynatrace AppMon
- 15. • Start ofdevelopment ~ 6 years ago • Ship every sprint (2 weeks) to production • No Protex scans Dynatrace next generation product
- 16. Everybody was livinga happy developers live � until...
- 17. • GPL licensedpython library found in installer!!! • Found by accident � • GPL == bad • GPL === very bad GPL license detected
- 18. Tool for detectingOS licenses ... � Wait a second...
- 19. Bl*****ck � OK, let’stry it, we will get it working, for sure �
- 20. First approach •Entire codebase •5 hours scan duration •12.000 findings � Scanning Dynatrace with Protex Second approach •Scan third party libraries only •2 hours scan duration •300 findings �
- 22. We need tofind an alternative � Black Duck Hub to the rescue...
- 23. • Live demolooked very promising • POC started • 8 minutes scan duration • 50 findings • Awesome! Black Duck Hub online demo
- 24. Legal department gotinterested... Approval process for new libraries? NO* Manually approve specific licenses? NO* Code level scans? NO*
- 25. ... 3 monthslater � After fighting many (verbal) battles... Finally decision to purchase Hub
- 26. Protex vs. Hubsystem requirements Protex Hub CPU 4-8 cores 4 cores Ram 32-64 GB 12 GB HD 2-4 TB !!! 100 GB Installation Proprietary Installer Docker Setup
- 27. • Integration intoCI Systems: • Quickbuild • Jenkins • Build Automation • Gradle • Dynatrace Hub-Gradle-plugin (using hub-common-api Github project) • Daily scans Continuous Integration
- 28. • Built bydevelopers for developers • Easy to integrate in every build system • APIs • Active Github projects Integrating Hub in our environment
- 30. Setting up policies •Take care about all high license risks • Add missing licenses • Clean up false identifications • No problem due to great UX • Dynatrace Product • 4 Blackduck Projects • 970 OS components • 0 high license risks
- 31. Great, but Ican’t check for new violations every day � You don’t have to, set up notifications!
- 32. • Notifications fromCI System • Policy vioation -> fail build -> send mail • Hub alert • Alerts per Blackduck project • Slack, Hipchat, Email Notifications
- 33. • Define projectowner per Hub project • Make project owners responsible for taking care of policy violations • Easy onboarding of new users Project Owners
- 34. So what aboutsecurity risks? � We don’t really cover that topic so far... !
- 36. • List ofall vulnerabilities of OS components in use • Workflow for remediation • Set status • Upgrade guidance • Comment - link to bug ticket • Notifications for new vulnerabilities • Our goal: 0 high license risks Managing Security Risks
- 37. Black Duck Hubbecame an integral part of our secure SDLC Part of our “4 principles of secure development”
- 39. • Stay policyviolation free • Scan the right thing • New version every 2 weeks (1.140, 1.141, ... latest) • Clean up security and license risks initially • Deal with false identifications Challenges with Hub
- 40. 1. Bill ofMaterial published to web site automatically 2. 0 High, 0 Medium security risks 3. Remediate policy violations immediately Ultimate Goals
- 41. A true storyabout the transition from ... Protex Hub yearly daily scans hate love
- 42.
- 43.
Editor's Notes
- #10 Security in SDLC Secure development Secure operations
- #16 Everybody hated Blackduck It was kind of a swear word in the whole company
- #18 Everybody hated Blackduck It was kind of a swear word in the whole company
- #22 UI Drove me cracy Every single click took ages to execute We tried hard – didn’t get it in shape With horrible UX, nobody would ever wanted to work with it
- #25 1. no, we can use automated policy checks 2. no, there are 3 simple categories 3. Do we really need that?
- #34 With Protex you needed a 2 day training to understand just the basics
- #42 Also Blackduck loved our story... Video testimonial