Scott M. Johnson, Lead PM - Technical Compliance presented, "How Docusign uses Black Duck for DevOps, AppSec and Compliance." For more information, visit our website at www.blackducksoftware.com.

1. Black Duck @ DocuSign
Scott M. Johnson
Lead PM – Technical Compliance
How DocuSign uses BlackDuck for
Devops, AppSec and Compliance

2. DocuSign is now a verb
The industry leader in signing is now building
the first end to end digital System of Agreement

3. 430,000 Customers – 350 Million users – 1 Million documents/day
High Performance Architecture at DocuSign
3
1.1 M+
transactions
per day
100s of Gbps
of network
bandwidth
6,000+
Blob trx/sec
150TB+
of PCI flash storage
powering our
OLTP system
Thousands
of drives, tens
of PBs of storage
4.5K+ HTTP
requests/sec
>99.99%
uptime

4. Platform Security is Core to our Mission
4
Hardware &
Infrastructure
• Geo-dispersed data
centers
• Near real-time data
replication
• Round-the-clock security
Systems &
Operations
• Separate corporate,
development and
production networks
• Active 24/7 monitoring and
alerting
• Data stored up to nine
times across
geographically disparate
locations
Applications
& Access
• Customer control over
account authentication
options
• Multiple recipient
authentication options
• Layers of auditing,
including digital audit trails
and logging capabilities
Transmission
& Storage
• Anti-tampering controls on
documents
• Reliable, systematic
capture of signing data
• Cloud and on-premises
solutions

6. Why did we choose
Black Duck?

7. DocuSign Complies With the Top Security and Privacy
Standards
Global Security
Gold Standard:
Full ISO
27001:2013
Standardized
approach to
security
assessment,
authorization, and
continuous
monitoring for cloud
products and
services
First company to be
compliant with
xDTM Standard,
v.1.0, standard
focused on quality
for Digital
Transaction
Management
DocuSign adheres
to the requirements
of the European
Union’s General
Data Protection
Regulation (GDPR)
SOC 1 Type 2:
Audit report on
controls relevant to
financial reporting,
verifies operating
effectiveness
SOC 2 Type 2:
Audit report covers
security, availability,
processing integrity,
confidentiality
Data Security
Standard for
handling credit card
information.
DocuSign
compliant as both
service provider
and merchant
Approved
DocuSign Binding
Corporate Rules
(BCR) as a data
Controller and
Processor,
sponsored by the
Irish Data
Protection
Commissioner

8. Goals of using Black Duck at DocuSign
1. Detect and understand the open source risks in our portfolio:
ü Create an inventory that is accurate
ü Auto-generate DocuSign’s quarterly compliance evidence
ü Map paths to engineering owners and drop offline PDF risk reports for all teams
ü File tickets for vulnerable components
ü Analyze xGPL usage for arm’s-length implementation
ü Build notice/attribution pages with © , Warranty Disclaimers and license terms
ü Dump entire dataset to SQL and create Power BI dashboards
ü Publish a legal agreement whitelist and implement a scalable agreement matrix.
2. Improve the DocuSign component authorization process and templates
ü Integrate AppSec reviews with regular development cycles
ü Reduce signers by 30%
ü Detect unapproved components
ü Implement threat model pre-scanning with Black Duck risk reports

9. Top Challenges and
Metrics

10. Top 10 Challenges of OSS Governance
1) Creating accurate reports of what is actually shipping in a complex
dev environment.
2) Implementing a Patching Policy without disrupting new features
3) Compiled binaries in GitHub. Arg!
4) 10 year old code is still in the system - POC / Dead Code / Unshipped
repos
5) Some GitHub code not actually shipping, or team ships from a sub
branch
6) Identifying ownership and non-ownership
7) Integrating with Sonarcube, Fortify, Nessus scanning to augment
results.
8) AGPL converted to commercial – Still detected as AGPL
9) Refreshing all data while persisting exceptions, ignores and license
updates.

11. Releases and Compliance: From Manual to Real-Time

14. Metrics
Unique components detected: 4527
Code under management: 500 repositories and 80,000 OSS files.
BlackDuck Flags: 2,400
After 6 months of remediation: 150 – all classified low risk due to use
Patch compliance: New versions for 1500 components
Jenkins build scanning: 6 builds in daily scan
Artifactory: 400 Artifacts scanned weekly
Licenses in use: 120 – 95% permissive
Attributions: 300 components – 17 downloadable
products

15. Legal Guidance and
Evidence

16. Open Source Legal Guidance

17. Production Authorization Envelopes for Open Source:

18. Create immutable envelopes using the DocuSign API

19. PowerBI Reports

20. Power BI reporting with dynamic filtering
• Team/User/Component
views
• Exec reporting
• Phone formatted

21. Prepping the Data -- Python 3 – Pandas and SQL
Alchemy
20 Lines of code to
import all reports into
SQL!

22. Live Demo? Or Memorex…

23. Projects and Tools

24. Automate the creation of compliance evidence:
BlackDuck, Jenkins, Github, SonarCube, Artifactory and DocuSign
• Automatically sync and scan code bases, builds and release artifacts
• Annotate risks for developers in SonarCube and Artifactory
• Create DocuSign embedded component authorization forms for AppSec + architecture leads
• Auto-generate DocuSign envelopes for quarterly authorization signoffs for each project
• Build quarterly inventory for compliance evidence with signoff from VP and deputy risk
managers
• SQL Import jobs to automatically link ownership with binaries and produce Power BI reports
• Scan every PR for new components and follow up with developers and teams.
• AI?
In-progress Aspirations: API Mashups!

25. Security = Trust

27. Regular Assessment Activities
Activity Cadence Requirement Scope
Vulnerability Scanning Monthly ISO/PCI/FedRamp, Customer All DocuSign systems
ASV Scanning Quarterly PCI PCI Scope
Release Scanning Monthly ISO/PCI/FedRamp, Customer Primary Products
Go Live Scanning On Demand ISO/PCI/FedRamp New dynamic web sites
Website Scan On Demand ISO/PCI/FedRamp All DocuSign web sites
Website Malware and
Change Monitoring
Daily ISO/PCI/FedRamp All DocuSign web sites
Server Acceptance On Demand ISO/PCI/FedRamp New DocuSign systems
Pentest Annual PCI/ISO/FedRamp PCI Scope

28. 3rd Party Security Tooling
Product Area Scope
BlackDuck Hub Open source vulnerabilities, licenses,
operational risks, patch levels and
attribution.
Open Source in Github,
Compiled apps, Jenkins,
Artifactory
Tenable Security Center and
Nessus Scanners
Network and OS vulnerability scanning All DocuSign systems
Rapid 7 AppSpider / Arachni Web application and release scanning /
Dynamic Analysis
Primary Products / New
dynamic websites
Risk IQ Web application inventory management All DocuSign websites
HP Fortify Static code analysis Primary Products
Burp Suite Dynamic application scanning and
penetration testing tool
Primary Products / PenTests

29. Delivering World-Class Security
Platform and Architecture Overview2
• Security strategy
• Security policies
• Security council
• SDLC security
• Threat &
Vulnerability mgmt
• Information
assurance
Governance,
Risk, and
Compliance
Endpoint
Security
• Security tools
architecture
• Intel security suite
• Data leakage
prevention
• Malware protection
Monitoring,
Defense,
and Incident
Response
• 24/7 security ops
center
• Correlation ranking
and escalation of
security events
Managed
Services
• Vendor security life-
cycle compliance
program
Physical
Security
• Data centers
& offices
• People security
& safety
• Badging
• Cameras
• Sign-in process
World-
Class
Security
Program

30. Processes
The DocuSign Security Program
3
Delivering World-Class Security
People
• Comprehensive cross-functional security
expertise
• Industry thought leadership
• Extensive security and privacy training
Platform and Operations
• Customer control over account authentication
options
• Multiple recipient authentication options
• Layers of auditing and logging capabilities
People
Platform
Processes
• Expansive, holistic protection program with
incident response, endpoint security,
physical security, privacy and compliance
• Internationally recognized security standards
and certifications

31. Thanks!
Feel free to reach out:
Scott.johnson@docusign.com