nexB - Software audit for product release
nexB - Software Provenance Analysis and Code Audit
© 2014 nexB Inc.
Agenda 
• About nexB 
– What nexB does 
– Our experience 
• Software Provenance Analysis and Code Audit 
– Software Audit Process 
– Software Audit Tools 
– License Violation Risks & Recent Audit Issues 
• Additional Information 
– Why nexB? 
– Contact us 
– Lessons Learned 
About nexB 
What nexB does 
• Enable component-based software development
– Software provenance analysis services
– Software asset management tools
• Software audit services
– Acquisitions
– Software product releases
• Expertise in all software IP
• Active OSS developers
About nexB 
Our experience is our difference 
• nexB recognized by clients as: 
– experts in software origin analysis 
– a fair and trusted intermediary 
• nexB identifies issues along with practical remediation steps
• 350+ software audit projects completed to-date
Software Provenance Analysis and Code Audit 
Software Audit Process 
Software Provenance Analysis and Code Audit 
Software Analysis Scope 
(Diagram: Original Code, Commercial Code, Open Source Code)
Software Provenance Analysis and Code Audit 
Software Analysis Deliverables 
• Complete inventory of OSS and third-party components in Development codebase(s)
• Bill of materials for Deployed product components
• Specific Action items and recommended actions for resolution
– Including possible exposure for older product versions
– Detailed analysis for copyleft “contamination”
• Checklist of commercial components as input for contract review
Software Provenance Analysis and Code Audit 
Preparation – 1 week (1/2) 
• Establish NDA 
• Scope audit effort 
– Audit profile (questionnaire) 
– Size of code base - # files and lines of source code 
– Disclosure of known third-party and open source software 
– Onsite or remote access to the code 
• Prepare/agree quote – always fixed fee, no surprises 
• Schedule project 
Software Provenance Analysis and Code Audit 
License & Origin Analysis – 2 weeks (1/2) 
Analysis Activities 
• Discovery: scan files for license, copyright and other origin clues
• Identification: match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
• Map Deployed code to Development code to:
– Validate that we have a complete Development codebase
– Filter issues based on the effective Deployed/Distributed code
• Analyze software interaction and dependency patterns for copyleft-licensed components as needed
• Additional domain-specific investigations, typically for embedded devices and applications of media codecs
Software Provenance Analysis and Code Audit 
License & Origin Analysis (2/2) 
Results 
• Software Inventory and Bill(s) of Materials 
• Draft Action items & recommendations 
Software Provenance Analysis and Code Audit 
Review & Report – 1 week (1/2) 
Activities 
• Review draft findings with product team
– Ask product team to respond to each Action item:
    – Accept recommended solution or propose another approach
    – Acknowledge & investigate
    – Not a request to fix anything during the audit
– Incorporate feedback and answers from product team into the Software BOM and Report
• Complete final report
– Second review cycle with product team
– Release the report
– Conference call with you to present findings & answer questions
Software Provenance Analysis and Code Audit 
Review & Report (2/2) 
Results 
• Final Software Inventory / BOM spreadsheets
• Final Report - narrative with executive summary, project data and summary of the Action items and Responses
Software Provenance Analysis and Code Audit 
Software Audit Tools 
• nexB typically uses a combination of tools for a software audit
– Our own DejaCode™ toolkit is the primary tool
– Other tools used as needed or as licensed by a customer (open source or commercial)
• Multiple layers of analysis
– Discovery: direct scan for license and copyright notices
– Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
– Analysis of source code and pre-built libraries (binary)
– Interaction and dependency analysis as needed
• Review and validation by software experts
• All require expert humans to interpret the results!
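The layers listed on this slide, together with the Deployed-to-Development mapping from the License & Origin Analysis slide, can be shown in miniature. The Python script below is an added example written for this page; it is not DejaCode or any other nexB code. The development tree, deployed tree, reference repository and license-clue patterns are all constructed for the demonstration (hypothetical paths such as src/vendor/baz/strip.c and components such as "baz 0.9"), and whole-file SHA-256 stands in for the "digital fingerprint", so identification here only matches byte-identical copies where a real matcher uses fuzzier fingerprints.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data (hypothetical paths, components and contents) ---
# "Development" codebase: path -> file contents.
DEV_TREE: Dict[str, str] = {
    "src/app/main.c": "/* Copyright (c) 2014 Example Corp. All rights reserved. */\nint main(void) { return 0; }\n",
    "src/vendor/libfoo/foo.c": "/* libfoo 1.2: Permission is hereby granted, free of charge, to any person */\n",
    "src/vendor/bar/hash.c": "/* This program is free software; you can redistribute it and/or modify\n"
                             " * it under the terms of the GNU General Public License as published by\n"
                             " * the Free Software Foundation; either version 2 of the License */\n",
    # Copied in with its license header stripped: discovery sees nothing here.
    "src/vendor/baz/strip.c": "int baz_strip(int x) { return x - 1; }\n",
    "tools/gen.py": '# Licensed under the Apache License, Version 2.0 (the "License");\n',
}
# Reference repository of known component files: (component, license) -> contents.
REFERENCE_FILES: Dict[Tuple[str, str], str] = {
    ("libfoo 1.2", "mit"): DEV_TREE["src/vendor/libfoo/foo.c"],
    ("baz 0.9", "gpl-2.0"): "int baz_strip(int x) { return x - 1; }\n",
}
# "Deployed" tree: what actually ships. tools/gen.py does not ship, and
# product/extra.c has no counterpart anywhere in the development tree.
DEPLOYED_TREE: Dict[str, str] = {
    "product/main.c": DEV_TREE["src/app/main.c"],
    "product/foo.c": DEV_TREE["src/vendor/libfoo/foo.c"],
    "product/hash.c": DEV_TREE["src/vendor/bar/hash.c"],
    "product/strip.c": DEV_TREE["src/vendor/baz/strip.c"],
    "product/extra.c": "int extra(void) { return 42; }\n",
}

COPYLEFT = {"gpl-2.0", "gpl-3.0", "lgpl-2.1", "lgpl-3.0", "agpl-3.0"}
# Discovery clues: a handful of well-known notice phrases (real scanners carry thousands).
GPL_RE = re.compile(r"GNU General Public License[\s\S]{0,160}?version\s+(\d)", re.I)
CLUES = [("apache-2.0", re.compile(r"Apache License,? Version 2\.0", re.I)),
         ("mit", re.compile(r"Permission is hereby granted, free of charge", re.I))]
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*\d[\d,\s-]*[^\n*/]*", re.I)


@dataclass
class Finding:
    path: str
    digest: str
    licenses: List[str]       # from discovery, then identification
    copyrights: List[str]
    component: Optional[str]  # set only when identification matched
    deployed: bool            # file ships in the Deployed tree


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def discover(text: str) -> Tuple[List[str], List[str]]:
    """Discovery layer: license and copyright clues visible in the file itself."""
    licenses = []
    m = GPL_RE.search(text)
    if m:
        licenses.append(f"gpl-{m.group(1)}.0")  # "-only" vs "-or-later" is left to the reviewer
    licenses += [key for key, rx in CLUES if rx.search(text)]
    return licenses, [c.group(0).strip() for c in COPYRIGHT_RE.finditer(text)]


def build_reference_index(files: Dict[Tuple[str, str], str]) -> Dict[str, Tuple[str, str]]:
    """Identification layer: fingerprint -> (component, license). Whole-file SHA-256 stands
    in for the fuzzier fingerprints real matchers use, so it only catches byte-identical copies."""
    return {sha256(text): key for key, text in files.items()}


def map_deployed(dev: Dict[str, str], deployed: Dict[str, str]) -> Tuple[set, List[str]]:
    """Map Deployed files back to Development paths by hash. Deployed files with no
    development match signal that the Development codebase handed over is incomplete."""
    dev_by_hash: Dict[str, List[str]] = {}
    for path, text in dev.items():
        dev_by_hash.setdefault(sha256(text), []).append(path)
    shipped, unmatched = set(), []
    for path, text in deployed.items():
        hit = dev_by_hash.get(sha256(text))
        if hit:
            shipped.update(hit)
        else:
            unmatched.append(path)
    return shipped, unmatched


def audit(dev, deployed, reference):
    """All three layers: returns (inventory, action items, unmatched deployed files)."""
    index = build_reference_index(reference)
    shipped, unmatched = map_deployed(dev, deployed)
    inventory = []
    for path, text in sorted(dev.items()):
        licenses, copyrights = discover(text)
        component, match = None, index.get(sha256(text))
        if match:
            component, ref_license = match
            if ref_license not in licenses:
                licenses.append(ref_license)
        inventory.append(Finding(path, sha256(text), licenses, copyrights, component, path in shipped))
    # Action items: copyleft code that actually ships; unshipped tooling is filtered out.
    actions = [f for f in inventory if f.deployed and COPYLEFT & set(f.licenses)]
    return inventory, actions, unmatched


if __name__ == "__main__":
    inv, actions, unmatched = audit(DEV_TREE, DEPLOYED_TREE, REFERENCE_FILES)
    print([(f.path, f.component, f.licenses, f.deployed) for f in inv], [f.path for f in actions], unmatched)
```

Each layer catches something the others miss: strip.c carries no notice at all, so discovery returns nothing and only the fingerprint ties it to a GPL component; hash.c carries a GPL notice but is absent from the reference index, so only discovery flags it; tools/gen.py is Apache-licensed but never ships, so the mapping step keeps it in the inventory and out of the action items; product/extra.c ships with no development counterpart, which is the incomplete-Development-codebase case the mapping step exists to catch. A regex cannot tell GPL-2.0-only from or-later and a hash cannot see a renamed or lightly edited copy, which is the slide's last point: the output is input for an expert, not a verdict.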
Software Provenance Analysis and Code Audit 
License Violation Risks 
(Diagram: spectrum of license types, from "source code available" at one end to "Binary-only (Proprietary)" at the other)
Categories shown: source with limitations (Proprietary), Copyleft FOSS, Attribution, Free Software, Freeware / Shareware, Binary-only (Proprietary)
Examples placed on the spectrum: Microsoft shared source and Sun SCSL (source with limitations); GNU GPL, GNU LGPL, MPL, CDDL (copyleft); BSD, MIT, EPL, Apache (attribution); many Java libraries and Adobe Reader (freeware / binary-only)
Software Provenance Analysis and Code Audit 
Recent Audit Issue Examples 
• Dependency Issue “Workarounds” 
• License violation 
Software Provenance Analysis and Code Audit 
Emerging Audit Issue Examples 
• Cloud computing and Dual Licensing 
• Personal Devices and Application store markets 
Additional Information 
Why nexB (1/2) 
• 100% of our customers are repeat customers and references
• We have a balanced approach
– Automated code analysis AND analysis by software experts
– Direct consultation with engineering, management and legal teams
– Concrete Action items with nexB-recommended resolution
Additional Information 
Why nexB (2/2) 
• Trusted third party 
– Mitigates confidentiality concerns 
– Enables objective analysis with appropriate consideration of feedback from all parties
Additional Information 
Contact us 
Contact person: 
Pierre Lapointe, Customer Care Manager 
plapointe@nexb.com 
+ 1 415 287-7643 
More information: 
http://www.nexb.com/ 

More Related Content

What's hot

nexB Software Audit M&A: What to expect as a Seller
nexB Software Audit M&A: What to expect as a SellernexB Software Audit M&A: What to expect as a Seller
nexB Software Audit M&A: What to expect as a Seller
nexB Inc.
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software Management
Protecode
 
Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...
Rogue Wave Software
 
Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)
DevDays
 
Degrees of Freedom
Degrees of FreedomDegrees of Freedom
Degrees of Freedom
Johan Thelin
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
Basis Technology
 
OmegaT "Team Project" feature: a case study
OmegaT "Team Project" feature: a case studyOmegaT "Team Project" feature: a case study
OmegaT "Team Project" feature: a case study
Qabiria
 
Timelines
TimelinesTimelines
Timelines
primeteacher32
 
RDAP @ .at
RDAP @ .at RDAP @ .at
RDAP @ .at
Alex Mayrhofer
 
documentation-testing.ppt
documentation-testing.pptdocumentation-testing.ppt
documentation-testing.ppt
Gaurav Nigam
 
Legal analysis of source code
Legal analysis of source codeLegal analysis of source code
Legal analysis of source code
Robert Viseur
 

What's hot (11)

nexB Software Audit M&A: What to expect as a Seller
nexB Software Audit M&A: What to expect as a SellernexB Software Audit M&A: What to expect as a Seller
nexB Software Audit M&A: What to expect as a Seller
 
Optimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software ManagementOptimizing The Cost Of Open Source Software Management
Optimizing The Cost Of Open Source Software Management
 
Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...Best practice recommendations for utilizing open source software (from a lega...
Best practice recommendations for utilizing open source software (from a lega...
 
Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)Vonk fhir facade (christiaan)
Vonk fhir facade (christiaan)
 
Degrees of Freedom
Degrees of FreedomDegrees of Freedom
Degrees of Freedom
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
OmegaT "Team Project" feature: a case study
OmegaT "Team Project" feature: a case studyOmegaT "Team Project" feature: a case study
OmegaT "Team Project" feature: a case study
 
Timelines
TimelinesTimelines
Timelines
 
RDAP @ .at
RDAP @ .at RDAP @ .at
RDAP @ .at
 
documentation-testing.ppt
documentation-testing.pptdocumentation-testing.ppt
documentation-testing.ppt
 
Legal analysis of source code
Legal analysis of source codeLegal analysis of source code
Legal analysis of source code
 

Viewers also liked

audit report software
audit report softwareaudit report software
audit report software
easyoffice
 
Software audit for acquisition due diligence with nexB
Software audit for acquisition due diligence with nexBSoftware audit for acquisition due diligence with nexB
Software audit for acquisition due diligence with nexB
nexB Inc.
 
IELTS tips and strategies tesol conference 2011
IELTS tips and strategies tesol conference 2011IELTS tips and strategies tesol conference 2011
IELTS tips and strategies tesol conference 2011
David Bartsch
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligations
nexB Inc.
 
nexB: Software Audit for Acquisition Due Diligence
nexB: Software Audit for Acquisition Due DiligencenexB: Software Audit for Acquisition Due Diligence
nexB: Software Audit for Acquisition Due Diligence
nexB Inc.
 
Generalized audit-software
Generalized audit-softwareGeneralized audit-software
Generalized audit-software
kzoe1996
 
IELTS Reading Overview, Tips and Matching Headings
IELTS Reading Overview, Tips and Matching Headings IELTS Reading Overview, Tips and Matching Headings
IELTS Reading Overview, Tips and Matching Headings
British Council
 
General tips for ielts reading
General tips for ielts   readingGeneral tips for ielts   reading
General tips for ielts reading
Joseph Tatepo
 
General training reading ielts
General training reading ielts General training reading ielts
General training reading ielts
Alexander Benito
 
IELTS Reading Preparation Tips
IELTS Reading Preparation TipsIELTS Reading Preparation Tips
IELTS Reading Preparation Tips
Julia Robert
 
Improve your ielts writing skills
Improve your ielts writing skillsImprove your ielts writing skills
Improve your ielts writing skills
IELTSExpert
 
15 days practice for ielts writing
15 days practice for ielts writing15 days practice for ielts writing
15 days practice for ielts writing
shankyverma04
 

Viewers also liked (12)

audit report software
audit report softwareaudit report software
audit report software
 
Software audit for acquisition due diligence with nexB
Software audit for acquisition due diligence with nexBSoftware audit for acquisition due diligence with nexB
Software audit for acquisition due diligence with nexB
 
IELTS tips and strategies tesol conference 2011
IELTS tips and strategies tesol conference 2011IELTS tips and strategies tesol conference 2011
IELTS tips and strategies tesol conference 2011
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligations
 
nexB: Software Audit for Acquisition Due Diligence
nexB: Software Audit for Acquisition Due DiligencenexB: Software Audit for Acquisition Due Diligence
nexB: Software Audit for Acquisition Due Diligence
 
Generalized audit-software
Generalized audit-softwareGeneralized audit-software
Generalized audit-software
 
IELTS Reading Overview, Tips and Matching Headings
IELTS Reading Overview, Tips and Matching Headings IELTS Reading Overview, Tips and Matching Headings
IELTS Reading Overview, Tips and Matching Headings
 
General tips for ielts reading
General tips for ielts   readingGeneral tips for ielts   reading
General tips for ielts reading
 
General training reading ielts
General training reading ielts General training reading ielts
General training reading ielts
 
IELTS Reading Preparation Tips
IELTS Reading Preparation TipsIELTS Reading Preparation Tips
IELTS Reading Preparation Tips
 
Improve your ielts writing skills
Improve your ielts writing skillsImprove your ielts writing skills
Improve your ielts writing skills
 
15 days practice for ielts writing
15 days practice for ielts writing15 days practice for ielts writing
15 days practice for ielts writing
 

Similar to nexB - Software audit for product release

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Emerasoft, solutions to collaborate
 
Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough?
Protecode
 
Jan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
Jan De Nul & LoQutus: Implementing an API strategy at Jan De NulJan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
Jan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
LoQutus
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
BSGAfrica
 
Understand release engineering
Understand release engineeringUnderstand release engineering
Understand release engineering
gaoliang641
 
Analysis concepts and principles
Analysis concepts and principlesAnalysis concepts and principles
Analysis concepts and principles
saurabhshertukde
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
nexB Inc.
 
Open Source Software - What is it?
Open Source Software - What is it?Open Source Software - What is it?
Open Source Software - What is it?
Johan Linåker
 
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree	Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
AnikeyRoy
 
Introduction to dev ops
Introduction to dev opsIntroduction to dev ops
Introduction to dev ops
Len Bass
 
"Different software evolutions from Start till Release in PHP product" Oleksa...
"Different software evolutions from Start till Release in PHP product" Oleksa..."Different software evolutions from Start till Release in PHP product" Oleksa...
"Different software evolutions from Start till Release in PHP product" Oleksa...
Fwdays
 
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
Alexandr Savchenko
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar
Rogue Wave Software
 
Tuli eServices_Magento portfolio
Tuli eServices_Magento portfolioTuli eServices_Magento portfolio
Tuli eServices_Magento portfolio
TULI eServices Inc.
 
Coding - SDLC Model
Coding - SDLC ModelCoding - SDLC Model
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Kyle Lai
 
Driving Innovation with Component-based Development at Boeing
Driving Innovation with Component-based Development at BoeingDriving Innovation with Component-based Development at Boeing
Driving Innovation with Component-based Development at Boeing
Perforce
 

Similar to nexB - Software audit for product release (20)

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
 
Software audit strategies: how often is enough?
Software audit strategies: how often is enough? Software audit strategies: how often is enough?
Software audit strategies: how often is enough?
 
Jan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
Jan De Nul & LoQutus: Implementing an API strategy at Jan De NulJan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
Jan De Nul & LoQutus: Implementing an API strategy at Jan De Nul
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
 
Understand release engineering
Understand release engineeringUnderstand release engineering
Understand release engineering
 
Analysis concepts and principles
Analysis concepts and principlesAnalysis concepts and principles
Analysis concepts and principles
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
Open Source Software - What is it?
Open Source Software - What is it?Open Source Software - What is it?
Open Source Software - What is it?
 
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree	Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
Building an In-House DevOps Service Platform for Mobility Solutions | Mindtree
 
Introduction to dev ops
Introduction to dev opsIntroduction to dev ops
Introduction to dev ops
 
"Different software evolutions from Start till Release in PHP product" Oleksa...
"Different software evolutions from Start till Release in PHP product" Oleksa..."Different software evolutions from Start till Release in PHP product" Oleksa...
"Different software evolutions from Start till Release in PHP product" Oleksa...
 
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
PHPFrameworkDay 2020 - Different software evolutions from Start till Release ...
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar
 
Tuli eServices_Magento portfolio
Tuli eServices_Magento portfolioTuli eServices_Magento portfolio
Tuli eServices_Magento portfolio
 
Coding - SDLC Model
Coding - SDLC ModelCoding - SDLC Model
Coding - SDLC Model
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Driving Innovation with Component-based Development at Boeing
Driving Innovation with Component-based Development at BoeingDriving Innovation with Component-based Development at Boeing
Driving Innovation with Component-based Development at Boeing
 

Recently uploaded

The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
thesiliconleaders
 
The Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac SignThe Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac Sign
my Pandit
 
How MJ Global Leads the Packaging Industry.pdf
How MJ Global Leads the Packaging Industry.pdfHow MJ Global Leads the Packaging Industry.pdf
How MJ Global Leads the Packaging Industry.pdf
MJ Global
 
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
BBPMedia1
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
my Pandit
 
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdfHOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
46adnanshahzad
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
aragme
 
Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024
Top Forex Brokers Review
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
SOFTTECHHUB
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Stone Art Hub
 
Top mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptxTop mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptx
JeremyPeirce1
 
Business storytelling: key ingredients to a story
Business storytelling: key ingredients to a storyBusiness storytelling: key ingredients to a story
Business storytelling: key ingredients to a story
Alexandra Fulford
 
Part 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 SlowdownPart 2 Deep Dive: Navigating the 2024 Slowdown
Part 2 Deep Dive: Navigating the 2024 Slowdown
jeffkluth1
 
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & InnovationInnovation Management Frameworks: Your Guide to Creativity & Innovation
Innovation Management Frameworks: Your Guide to Creativity & Innovation
Operational Excellence Consulting
 
3 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 20243 Simple Steps To Buy Verified Payoneer Account In 2024
3 Simple Steps To Buy Verified Payoneer Account In 2024
SEOSMMEARTH
 
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
The Heart of Leadership_ How Emotional Intelligence Drives Business Success B...
Stephen Cashman
 
GKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt PresentationGKohler - Retail Scavenger Hunt Presentation
GKohler - Retail Scavenger Hunt Presentation
GraceKohler1
 
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
Unveiling the Dynamic Personalities, Key Dates, and Horoscope Insights: Gemin...
my Pandit
 
Maksym Vyshnivetskyi: PMO KPIs (UA) (#12)
Maksym Vyshnivetskyi: PMO KPIs (UA) (#12)Maksym Vyshnivetskyi: PMO KPIs (UA) (#12)
Maksym Vyshnivetskyi: PMO KPIs (UA) (#12)
Lviv Startup Club
 
Anny Serafina Love - Letter of Recommendation by Kellen Harkins, MS.
Anny Serafina Love - Letter of Recommendation by Kellen Harkins, MS.Anny Serafina Love - Letter of Recommendation by Kellen Harkins, MS.
Anny Serafina Love - Letter of Recommendation by Kellen Harkins, MS.
AnnySerafinaLove
 

Recently uploaded (20)

The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
 
The Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac SignThe Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac Sign
 
How MJ Global Leads the Packaging Industry.pdf
How MJ Global Leads the Packaging Industry.pdfHow MJ Global Leads the Packaging Industry.pdf
How MJ Global Leads the Packaging Industry.pdf
 
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
NIMA2024 | De toegevoegde waarde van DEI en ESG in campagnes | Nathalie Lam |...
 
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your TasteZodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
Zodiac Signs and Food Preferences_ What Your Sign Says About Your Taste
 
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdfHOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
HOW TO START UP A COMPANY A STEP-BY-STEP GUIDE.pdf
 
2022 Vintage Roman Numerals Men Rings
2022 Vintage Roman  Numerals  Men  Rings2022 Vintage Roman  Numerals  Men  Rings
2022 Vintage Roman Numerals Men Rings
 
Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024Best Forex Brokers Comparison in INDIA 2024
Best Forex Brokers Comparison in INDIA 2024
 
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
Hamster Kombat' Telegram Game Surpasses 100 Million Players—Token Release Sch...
 
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666Best Competitive Marble Pricing in Dubai - ☎ 9928909666
Best Competitive Marble Pricing in Dubai - ☎ 9928909666
 
Top mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptxTop mailing list providers in the USA.pptx
Top mailing list providers in the USA.pptx
 
Business storytelling: key ingredients to a story
nexB - Software audit for product release

Software Provenance Analysis and Code Audit
License & Origin Analysis – 2 weeks (1/2)
Analysis Activities
• Discovery: scan files for license, copyright and other origin clues
• Identification: match target code to reference code repository for origin and license detection (based on digital “fingerprints”)
• Map Deployed code to Development code to:
– Validate that we have a complete Development codebase
– Filter issues based on the effective Deployed/Distributed code
• Analyze software interaction and dependency patterns for copyleft-licensed components as needed
• Additional domain-specific investigations, typically for embedded devices and applications of media codecs

Software Provenance Analysis and Code Audit
License & Origin Analysis (2/2)
Results
• Software Inventory and Bill(s) of Materials
• Draft Action items & recommendations

Software Provenance Analysis and Code Audit
Review & Report – 1 week (1/2)
Activities
• Review draft findings with product team
– Ask product team to respond to each Action item
  • Accept recommended solution or propose another approach
  • Acknowledge & investigate
  • Not a request to fix anything during the audit
– Incorporate feedback and answers from product team into the Software BOM and Report
• Complete final report
– Second review cycle with product team
– Release the report
– Conference call with you to present findings & answer questions

Software Provenance Analysis and Code Audit
Review & Report (2/2)
Results
• Final Software Inventory / BOM spreadsheets
• Final Report – narrative with executive summary, project data and summary of the Action items and Responses

Software Provenance Analysis and Code Audit
Software Audit Tools
• nexB typically uses a combination of tools for a software audit
– Our own DejaCode™ toolkit is the primary tool
– Other tools used as needed or as licensed by a customer (open source or commercial)
• Multiple layers of analysis
– Discovery: direct scan for license and copyright notices
– Identification: component matching for open source and publicly available third-party components (freeware/proprietary)
– Analysis of source code and pre-built libraries (binary)
– Interaction and dependency analysis as needed
• Review and validation by software experts
• All require expert humans to interpret the results!
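The two analysis layers named on the "License & Origin Analysis" and "Software Audit Tools" slides, Discovery (scanning for notices) and Identification (fingerprint matching against a reference index), plus the Deployed-vs-Development filter, as an added toy illustration. This is not nexB's DejaCode or any other real audit tool; the codebase, the deployed file set and the one-entry reference index are constructed sample data.

```python
import hashlib
import re

# Constructed sample Development codebase (path -> contents), not real project files.
CODEBASE = {
    "src/app/main.c": "/* Copyright (c) 2014 Example Corp. */\nint main(void) { return 0; }\n",
    "src/vendor/zlib/inflate.c": "/* inflate.c -- zlib decompression */\n",
    "src/vendor/json/parser.py": "# SPDX-License-Identifier: MIT\n# Copyright 2012 J. Doe\n",
    "src/lib/util.c": "/* This file is part of Foo; licensed under the GNU GPL v2 */\n",
}
# Constructed list of the files that actually ship in the Deployed product.
DEPLOYED = {"src/app/main.c", "src/vendor/zlib/inflate.c", "src/lib/util.c"}
# Constructed reference index: sha1 fingerprint of a known third-party file -> (component, license).
REFERENCE = {hashlib.sha1(b"/* inflate.c -- zlib decompression */\n").hexdigest(): ("zlib", "Zlib")}

COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n]*", re.IGNORECASE)
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)")
# Free-text license hints (lower-case); the label marks copyleft families for the filter below.
LICENSE_HINTS = {"gnu gpl": "GPL (copyleft)", "gnu lgpl": "LGPL (copyleft)",
                 "apache license": "Apache", "mit license": "MIT"}

def discover(text):
    """Discovery layer: collect license and copyright clues from one file's text."""
    copyrights = [m.group(0).strip().rstrip(" */") for m in COPYRIGHT_RE.finditer(text)]
    licenses = SPDX_RE.findall(text)
    licenses += [label for hint, label in LICENSE_HINTS.items() if hint in text.lower()]
    return {"copyrights": copyrights, "licenses": licenses}

def identify(text):
    """Identification layer: exact fingerprint match against the reference index."""
    return REFERENCE.get(hashlib.sha1(text.encode()).hexdigest())

def build_inventory(codebase, deployed):
    """Run both layers per file and record whether each finding affects shipped code."""
    inventory = []
    for path, text in sorted(codebase.items()):
        clues = discover(text)
        match = identify(text)
        inventory.append({"path": path, **clues, "deployed": path in deployed,
                          "component": match[0] if match else None,
                          "matched_license": match[1] if match else None,
                          "copyleft": any("copyleft" in lic for lic in clues["licenses"])})
    return inventory

def action_items(inventory):
    """Draft Action items: shipped files with copyleft clues, or shipped vendor code no index entry explains."""
    return [e["path"] for e in inventory if e["deployed"]
            and (e["copyleft"] or ("/vendor/" in e["path"] and e["component"] is None))]
```

Note that the MIT-licensed parser is found in the Development tree but drops out of the Action items because it is not Deployed, which is exactly the filter the slide describes.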
Software Provenance Analysis and Code Audit
License Violation Risks
[Diagram: spectrum of license types from source code available (Free Software: Copyleft FOSS, Attribution) through source with limitations (Proprietary) to Binary-only (Proprietary; Freeware / Shareware). Examples shown: GNU GPL, GNU LGPL, MPL, CDDL, BSD, MIT, EPL, Apache, Microsoft shared source, Sun SCSL, many Java libraries, Adobe Reader.]

Software Provenance Analysis and Code Audit
Recent Audit Issue Examples
• Dependency Issue “Workarounds”
• License violation

Software Provenance Analysis and Code Audit
Emerging Audit Issue Examples
• Cloud computing and Dual Licensing
• Personal Devices and Application store markets

Additional Information
Why nexB (1/2)
• 100% of our customers are repeat customers and references
• We have a balanced approach
– Automated code analysis AND analysis by software experts
– Direct consultation with engineering, management and legal teams
– Concrete Action items with recommended resolution

Additional Information
Why nexB (2/2)
• Trusted third party
– Mitigates confidentiality concerns
– Enables objective analysis with appropriate consideration of feedback from all parties

Additional Information
Contact us
Contact person: Pierre Lapointe, Customer Care Manager
plapointe@nexb.com
+1 415 287-7643
More information: http://www.nexb.com/