Flight East 2018 Presentation–You've got your open source audit report, now what?

You’ve got your open
source audit report, now
what? Best practices for
companies of all sizes.
Tony Decicco, Shareholder, GTC Law Group & Affiliates
Leon Schwartz, Associate, GTC Law Group & Affiliates

© Synopsys, Inc. 2018 © Synopsys, Inc. 2018
Speakers
Leon Schwartz
Associate,
GTC Law Group &
Affiliates
Tony Decicco
Shareholder,
GTC Law Group &
Affiliates
2

Agenda
• How do you conduct an open source / third-party software audit?
• How do you select and prepare the code base?
• How do you get the most out of your Black Duck code scan?
• How do you implement a third party software policy?
• How do you contribute to the open source community?
• Q&A
3

How do you conduct
an open source / third-party software audit?
4

Review process: getting started
Realize this applies to you
• Scope
• Identify all your software
Define goals
Select initial code bases for
review
Line up your internal team
• Celebrity endorsements
• Set milestones
5

© Synopsys, Inc. 2018 © Synopsys, Inc. 2018 6
Review process overview
OVERALL GOAL: identify, quantify, mitigate and allocate third party software-related risks
Bill of materials
Notice and
attribution files
Reps and
schedules
OUTPUTS
Identify Plan / Remediate
Select code base
Define goals
SELECT
CODE

Identify
• All third party software (both
commercial and open source),
data/content and hardware
embedded in or used in the
development, maintenance,
support and offering of
products, along with the
applicable licenses and usage
facts
How?
• Self-disclosure
• Package managers
(e.g. npm, Maven, bower, etc.)
• Manual string/keyword searching
• Procurement records
• Manual check of repositories /
development machines
• Code scans (including BOM,
vulnerabilities and web services)
Review phase 1: identify

Review phase 2: analyze
Analyze
• Understand incompatibilities between the
described
or proposed use of a given third party
component and the license terms for that
component
• Analyze license terms which may be incompatible
with current or proposed business practices
• Assess security vulnerabilities
• Consider:
• Internal use
• Distribution
• Hosting and allowing others to host
• Modification
• Linking
• Use as a code generator
8

Review phase 3: plan / remediate
Plan / Remediate / Mitigate / Allocate
• Create a remediation plan to address identified issues
• Code remediation:
- Removing, rewriting or replacing code
- Addressing security vulnerabilities
- Costs: engineering, time
• Legal remediation:
- Amending/terminating agreements, seeking
clarifications,
seeking waivers of past liability, re-licensing
components
and obtaining new licenses
- Costs: Legal, time, fees to licensors
• Notice and attribution:
- Does not remedy past non-compliance
• Risk allocation through contract terms:
- Additional representations and warranties
- Remediation-focused closing conditions and best
efforts covenants 9

How do you select and prepare the code base?
10

Initial steps for companies of all
sizes:
• Select a code base to scan
• Importance
• Size
• Likely variety of components
• Number of developers
• Prepare code base for scan
• Remove known-unused
components
• Exclude known third-party
components?
Smaller Companies focus items:
• Biggest “bang” for the buck
• Code base with most shared code
• Likeliest to get done
• Code base with less busy / nicest developers
• Smaller code base
• Code bases with fewer release cycles
• Most important code base
• Which code base are acquirers / investors likely to worry
about most?
• Which code bases are customers asking about?
Preparing for a code scan
Larger companies focus items:
• Code base with most exposure
• Management interest
• Widest distribution/most customers
• Highest revenue
• Highest risk
• Most established product, with fewest anticipated changes
• Newest product
• Next generation of existing product

How do you get the most
out of your Black Duck code scan?
12

• Most of the time it is difficult
to review everything
• The review process can be time
consuming, labor intensive and
difficult
• Very important to focus on likely
riskiest areas first
• Goal should be to run out of
time/energy on the least risky
items
Prioritize, prioritize, prioritize
Never
Later
Tomorro
w
Today
NOW

Strategies for prioritization
Identify/eliminate false-positives
• Components no longer in use/obsolete
• Misidentified components/other
explanation
14
License categories
• Unknown license
• Less commercially friendly licenses
• Patent non-enforcement
• Public Domain

15
Components with dual-license models
• iTextPDF
• Qt
• RabbitMQ
• AmCharts
• CKEditor
• Highcharts
• TinyMCE
• MySQL

Components with known enforcement
or other potential issues
16

• All the items above
• License collection for “generic” licenses
• Strategic usage information collection
• Lower-risk usage scenarios
• Lower-risk licenses
Additional “cheat codes” for prioritization
• Review of “fourth party” components
• Easy-to-remediate components
• Industry practice / well-known components
• Linux
• Hibernate
• Commercial components
• How familiar is the list?
• “Microsoft Content”

Security vulnerabilities
Rank vulnerabilities by order of:
• Severity of risk
• Complexity of exploiting the risk
• Complexity of fixing the risk
Create a process for evaluating security fixes and applying them
The process does not have to be perfect (none are), but it should be
reasonable
• Following NIST guidelines
• GDPR Article 32
“implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk, including…. (d) a
process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures for ensuring
the security of the processing.”
18

Web services
External services used by your applications
• Usually through an API
• Can be “free”
• Can be hard to identify / quantify
Prioritization
• Examine how used
• Separate API agreement?
• Not common; usually morass of terms (ToU, EULA, Privacy Policy, Data Policy)
• Importance of external service to product
• Who is the licensor?
• Competitors, “frenemies”
How to review
• Review is same as code: confirm you have rights and using within scope
19

Overall Calibration
Much of the details are in the eye of the
beholder
Important to keep in mind:
• Your goals
• Context of the review
20

How do you implement a third party software policy?
21

Third party software policy
What is it?
• High-level guidelines for use of Third Party Software
• Processes for review of Third Party Software
• Consider privilege
How is it created?
• Best when collaborative effort, not edict from mountaintop
• Identify stakeholders and highly-opinionated influencers (key people)
• Draft policy and solicit input
• Listen to the stakeholders’ feedback
When should it be written?
• Ideally after initial review, when you know your risk tolerance
• As soon as possible, so less remediation will be required in the future
What does it cover?
• Broad, but not so broad as to capture software present on fax machines
What makes a good one?
• Brevity; avoid overly complicated policies and covering every “corner case”
• Balancing act between strict compliance and practicality
• Ironclad policies that don’t work in the real world won’t be followed
• Living document
22

• More informal policy and review process
• Train developers to use easier-to-approve
components
• Mandate use of package managers?
• Update policy as new licenses are encountered
Third party software policy considerations
• Diverse approval committee
• Automatic approval / rejection?
• Record-keeping
• Available tracking tools
• Black Duck Hub
• Code Center
• Auditing mechanism
• Periodic code scans

Third party software policy substance
How is guidance on preferred licenses provided?
• Broad-terms guidance in the policy itself
• More detailed guidance, including “corner cases” through training
Auto-approve certain licenses?
• Tempting, because permissive licenses can be approved for virtually any use
• Beware the “hidden patent license”
• Train developers early and often
• Continue to keep records
Auto-reject certain licenses?
• World is not absolute; almost every license can be approved under certain conditions
• Except maybe the CCA-NonCommercial licenses
How will the policy be enforced?
• Consider having employees sign the policy
• Perform future code scans
• Perform spot-checks
• KGB-style encouragement of tattling on your neighbor
Final thoughts
• Make sure policy matches practice
• Do not treat policy as set in stone
24

Third party software policy mechanics
Who initiates review?
• Developer
• Tech lead
Who is on the review committee?
• Representatives from all areas of company
• Legal, Business, Development, SecOps
Who reviews first?
• Obtain technical “pre-review?”
How to kick off review?
• Use the tools the developers already use
• Jira, slack, BlackDuck, email
• Use easy-to-follow forms for initial information
Where are records kept?
• Use the tools the developers already use
• Make sure to provide access of prior decisions to developers to avoid duplicate requests
25

Third party software approval sample flow-chart
START

How do you contribute to the open source community?
27

Contributing to the open source community
Define goals for contributing to existing projects
• Publicity (reputation, goodwill, visibility)
• “Good citizen” – believe in giving back to the community
• Make it easier to maintain your code (contribute back patches / bug fixes)
Define goals for running your own projects
• Recruiting tool
• Develop relationships with open source developers
• Attract talent
• Crowdsource development
• Non-core ideas implemented for “free”
• Reduce development costs and time
• Drive adoption of platform / eco-system
• Create a new line of business (support, apps / plug-ins)
Recognize risks
• Competitors / competitive issues
• Loss of control over contributed code (forking)
• Contributor License Agreements (CLAs)
• Material changes
• Unintended patent licenses
• Over-share (accidental/malicious contribution of trade secrets)
• Cost and resources to support open source contributions
• Contributing to “ghost towns” (orphaned projects)
28

Contributor License Agreement (CLA)
• Typically based on the Apache Software Foundation
form agreements
• Two forms: individual and corporate
• Usually slightly modified, but sometimes materially
• Really broad license grants
• Copyright
• Covers the contribution and derivative works,
sublicensable, perpetual
• Granted to anyone who receives software from the
Foundation that includes the contribution (not just the
Work to which it was submitted)
• Patent
• Covers the contribution and the combination of the
contribution and the Work to which it was submitted,
irrevocable
• No temporal restriction
• Does contain defensive termination clause
• Contributor has no control over direction of project
29

• Protect the “crown jewels”
• Think about future investors / acquirers and
what they would want
• Beware of project scope creep
• Keep in mind potential future markets
• Revise policies to match company’s growth
Contributing to open source projects considerations
• Review all code prior to submission
• Policy should match employment agreements
• Even code written outside business hours / not
using Company resources?
• Consider sponsorship without code submission
Considerations for companies
of all sizes:
• Beware the Corporate CLA
• Individual submissions versus
corporate submissions
• Beware the rogue CLA
• Not all CLAs are created equal
• Know your competitors
• Decide whether to contribute
to their projects

Some Takeaways
31
• It’s not as hard as it looks, but need to start somewhere
• Performing a code scan is an easy way to get started
• Always finds previously unknown components
• Hard to undo the impact of poor practices
• Don’t have to do everything we discussed
• Start small, scale up as needed
• Get initial list of third party components, licenses, usage

Q&A
32

This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar
outcomes. Attorney Advertising

Flight East 2018 Presentation–You've got your open source audit report, now what?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Flight East 2018 Presentation–You've got your open source audit report, now what?

Similar to Flight East 2018 Presentation–You've got your open source audit report, now what? (20)

More from Synopsys Software Integrity Group

More from Synopsys Software Integrity Group (20)

Recently uploaded

Recently uploaded (20)

Flight East 2018 Presentation–You've got your open source audit report, now what?