Open Source Software:
The Intersection of IP and Security


April 2012




                                      Copyright © 2012 Palamida, Inc.
1995

  F22 software (avionics only): ~1.7M LOC

2012

  F22 software (avionics only): ~1.7M LOC

  “It takes dozens of microprocessors running 100 million lines of code to get
  a premium car out of the driveway”
  (IEEE Spectrum, February 2009; image: General Motors)
New Ways of Composing Services

  Cloud computing … a style of computing in which massively scalable
  IT-related capabilities are provided “as a service” using Internet
  technologies to multiple external customers.
  Definition: Gartner Group
Smarter Devices
The point is…

  More and better software
  In less time
  And with smaller budgets
Today’s Reality…
A software development
organization cannot be
competitive without widespread
use of open source


Gartner OSS Predictions

       • By 2016, OSS will be included in mission-critical software portfolios
         within 99% of Global 2000 enterprises, up from 75% in 2010.
       • By 2014, 50% of Global 2000 organizations will experience
         technology, cost and security challenges through lack of open-source
         governance.
       • By 2015, OSS will be used and adopted to help enable over 60% of
         platform-as-a-service (PaaS) services.
       • By 2014, 30% of applications running on proprietary versions of Unix
         will be migrated to OSS-based Linux on x86.
       • By 2014, those organizations with effective, open-source community
         participation will consistently deliver high returns from their open-
         source investments.
       • By 2013, up to 50% of Global 2000 non-IT enterprises will contribute
         to at least one OSS project.
       • By 2016, 50% of leading non-IT organizations will use OSS as a
         business strategy to gain competitive advantage.

        Source: Gartner, “Predicts 2011: Open-Source Software, the Power Behind the
        Throne”, 23 November 2010, ID G00209180
Typical Software Project Metrics

  • 2.9 GB
  • 87,863 files
  • 8,535,345 LOC
  • Copyright holders: ~350
  • Binaries/Archives/JARs: 1,207

What is this software project trying to tell you?
There is probably a lot of content that you don’t know about

Audit Example

  Size                           15.9 GB / 59.1M LOC
  Documented OS components       303
  Undocumented OS components     535
  Total                          838
  % LOC from open source         60-65%
It’s likely your disclosure of 3rd-party content is incomplete…

  [Chart: open source components disclosed in advance of audit vs. undisclosed,
  for 13 audit projects; y-axis: number of components (0 to 350); series:
  Disclosed, Undisclosed. Source: Palamida audit projects]
…with license terms that may be problematic

  [Chart: audit breakdown by license, total % of audited content per license
  (0% to 30%). Source: 2010 year-to-date audit engagements performed by
  Palamida Professional Services]
Open Source is not somehow “different”

From Plaintiffs’ Memorandum of Law in Support of Their Motion for Preliminary
Injunction Against Defendants Best Buy Co., Inc. and Phoebe Micro, Inc.
(Software Freedom Conservancy, Inc. and Erik Andersen, filed 1/31/11):

  “Plaintiffs would be happy to settle this matter with Best Buy and Phoebe
  Micro if they either (i) ceased all distribution of BusyBox or (ii) committed
  to distribute BusyBox in compliance with the free and open source license
  terms under which Plaintiffs offer BusyBox to the world. Plaintiffs have
  patiently worked with Best Buy and Phoebe Micro to bring their products into
  compliance with the license, but unfortunately have now concluded that those
  efforts are destined to fail because neither Best Buy nor Phoebe Micro has
  the capacity and desire to meet either of Plaintiffs’ demands for settlement.
  As such, Plaintiffs are forced to protect their interests in BusyBox by now
  respectfully moving for a preliminary injunction, pursuant to Rule 65,
  enjoining and restraining defendants Best Buy and Phoebe Micro from any
  further copying, distribution, or use of their copyrighted software BusyBox.”
Software IP is a potent competitive weapon

  “Love, Larry: Here Is the Oracle Statement and Final Complaint Versus Google”
  by Kara Swisher, posted August 12, 2010 at 6:46 PM PT

  This afternoon, the database software giant said it was suing Google (GOOG),
  alleging patent and copyright infringement of Java-related intellectual
  property in the development of Android mobile operating system software.
  http://kara.allthingsd.com/20100812/love-larry-here-is-the-oracle-statement-and-final-complaint-versus-google/
And Open Source Is Not Immune to Vulnerabilities

  Vulnerabilities in popular open source projects
  (source: National Vulnerability Database; counts as reported at the time of the presentation)

  Apache Tomcat       89
  jQuery               1
  GNU C Library       27
  libpng              31
  LibTIFF             41
  OpenSSL             61
  Zlib                 5
  Libcurl              5
  Libxml2             11
  OpenSSH             60
Oh No, Kernel.org was Hacked
by Susan Linton - Aug. 31, 2011
           A notice appeared on www.kernel.org today informing
           visitors that the servers housing the Linux kernel source
           code had been hacked earlier this month. The breach
           was discovered yesterday and maintainers believe the
           source code itself is unaffected.

Source: ostatic.com




August 2011

‘Devastating’ Apache bug leaves servers exposed
Devs race to fix weakness disclosed in 2007
(August 14, 2011)

  Attack code dubbed “Apache Killer” that exploits the vulnerability in the way
  Apache handles HTTP-based range requests was published Friday on the
  Full-disclosure mailing list. By sending servers running versions 1.3 and 2
  of Apache multiple GET requests containing overlapping byte ranges, an
  attacker can consume all memory on a target system.
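The pattern the article describes, one Range header carrying many byte ranges that overlap each other, is also what a server-side check has to recognize. The following is an added example, not the Apache project’s code and not part of the deck: it parses a byte-range set as RFC 7233 defines it, counts the range specs, measures how many bytes the overlapping ranges would make the server materialize relative to the entity size, and returns a decision. The cap of five ranges and the 2x amplification threshold are assumptions chosen for the example, and the headers used in the demo are constructed.

```python
"""Classify an HTTP Range header by the pattern described above: many byte
ranges, most of them overlapping, in one request. Added example; not Apache's
code. Thresholds are assumptions; the headers in __main__ are constructed."""
import re
from typing import List, Optional, Tuple

# byte-range-spec = first-byte-pos "-" [last-byte-pos]; suffix form = "-" N
BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, content_length: int
                      ) -> Tuple[int, Optional[List[Tuple[int, int]]]]:
    """Return (number of range specs, absolute (first, last) pairs).

    ranges is None when the header is not a valid byte-range set; a server
    ignores such a header and serves the whole entity. Specs that are
    unsatisfiable on their own (start past the end, or first > last) are
    dropped but still counted, since the spec count is what an attacker inflates."""
    if not header.lower().startswith("bytes="):
        return 0, None
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    ranges: List[Tuple[int, int]] = []
    for spec in specs:
        m = BYTE_RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return len(specs), None
        first_s, last_s = m.groups()
        if first_s == "":
            n = int(last_s)                     # suffix range: the final n bytes
            if n > 0 and content_length > 0:
                ranges.append((max(content_length - n, 0), content_length - 1))
            continue
        first = int(first_s)
        last = int(last_s) if last_s else content_length - 1
        if first >= content_length or first > last:
            continue
        ranges.append((first, min(last, content_length - 1)))
    return len(specs), ranges


def count_overlapping_pairs(ranges: List[Tuple[int, int]]) -> int:
    """Number of adjacent ranges (after sorting by start) that overlap."""
    ordered = sorted(ranges)
    return sum(1 for (_, l1), (f2, _) in zip(ordered, ordered[1:]) if f2 <= l1)


def classify_range_header(header: str, content_length: int,
                          max_ranges: int = 5,
                          max_amplification: float = 2.0) -> str:
    """'ignore'        malformed Range: serve the full entity with 200
       'unsatisfiable' no range fits the entity: answer 416
       'reject'        abusive: too many specs, or overlapping ranges that ask
                       for more than max_amplification times the entity size
       'serve'         ordinary partial-content request (206)"""
    n_specs, ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return "ignore"
    if n_specs > max_ranges:
        return "reject"
    if not ranges:
        return "unsatisfiable"
    requested = sum(last - first + 1 for first, last in ranges)
    if count_overlapping_pairs(ranges) and requested > max_amplification * content_length:
        return "reject"
    return "serve"


if __name__ == "__main__":
    # Constructed headers: one ordinary resume-download request, one of the
    # many-overlapping-ranges shape the article describes.
    for hdr in ("bytes=0-499", "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5"):
        print(hdr, "->", classify_range_header(hdr, content_length=1000))
```

A 'reject' verdict can be acted on either by dropping the Range header and serving the whole entity once (cheap, and what a legitimate client can cope with) or by refusing the request; the important point is that the decision is made before any range is materialized, because the memory cost of the attack is incurred while building the multipart response, not while parsing the header.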
Mango OSS Components (NVD reported vulnerabilities: 0)
  Quartz Enterprise Job Scheduler
  Apache Commons Logging
  Apache Jakarta Taglibs
  Spring Framework
  JfreeChart
  Apache Jakarta Commons
  Freemarker
  Jcommon Utility Classes
  Apache-db-derby
  Apache Log4J
  JavaMail API
  MySQL
  SAX: Simple API for XML
  J2EE Java2 SDK Activation
  AQP Alliance
  DWR Direct Web Remoting
  pngencoder
  git-MM JDBC driver
  Apache Xerces

DWR OSS Components (NVD reported vulnerabilities: 4)
  Apache Spring Framework
  Apache Struts
  Hibernate
  Scriptaculous
  Beehive
  WebWork
  Backport Util Concurrent
  Google Injection Framework

Scriptaculous Components (NVD reported vulnerabilities: 1)
  PrototypeJS 1.5.0
Risk is Risk
And you can’t mitigate risk you don’t know you have




What to Do Tomorrow
 • Set up an OSRB or equivalent
 • Establish your policy for use of externally
   sourced software
 • Don’t stop at IP, include security
 • Audit any software acquired via M&A
 • Evaluate compliance alternatives, and get
   started




Open Source Review Board
  • Comprised of Legal, Development and Security
  • Reviews and approves the policy for externally sourced software
  • Establishes the scope of information required and retained (the request form)
  • Makes case-by-case use decisions
  • Reviews and approves the policy for compliance with obligations
  • Reports periodically to the CFO, GC, VP Engineering or others on compliance status
Policy

Questions the policy must answer for each component:

  • What is the name and version of this software component?
  • Where is it used?
  • What is the license?
  • Is this component in a software product that ships to customers?
  • Does this component contain known vulnerabilities?
  • Have we modified this component?
  • When was the last time we checked this software for version and vulnerability?
  • Does this component contain encryption?
  • Have we added this component to the notices file?
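The questions above only help if something answers them on a schedule. As an added example (not Palamida’s product and not material from the deck), the Python below takes a constructed component inventory, including which component pulled in which (the “a supplier to my supplier is my supplier” chain the deck describes), checks each entry against a constructed list of advisories with introduced/fixed version ranges, and flags any component nobody has re-reviewed within a 90-day window. Component names, advisory identifiers (EX-…), version ranges and dates are all made up for illustration; the version-range semantics (introduced inclusive, fixed exclusive) and the 90-day staleness window are assumptions.

```python
"""Review a component inventory against known-vulnerability advisories and
flag entries nobody has re-checked recently. Added example illustrating the
policy questions above; inventory, advisories, identifiers and dates are
constructed, not real NVD data, and the version-range rules are assumptions."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.5.0' -> (1, 5, 0, 0). Non-numeric pieces such as 'rc1' count as 0 and
    every version is padded to four fields so '1.6' and '1.6.0' compare equal.
    Assumption: dotted, mostly numeric version strings."""
    fields = [int(p) if p.isdigit() else 0 for p in text.replace("-", ".").split(".")]
    return tuple((fields + [0, 0, 0, 0])[:4])


class Component(NamedTuple):
    name: str
    version: str
    parent: Optional[str]    # component that pulled this one in; None if direct
    last_checked: date       # last version / vulnerability review


class Advisory(NamedTuple):
    ident: str               # hypothetical identifier, e.g. EX-2011-001
    component: str
    introduced: str          # first affected version, inclusive
    fixed: str               # first fixed version, exclusive; "" if unfixed


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True when comp.version lies in [introduced, fixed) for this advisory."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def supply_chain(comp: Component, by_name: Dict[str, Component]) -> str:
    """Walk parent links so a finding names who brought the component in,
    e.g. 'js-core <- js-effects <- rpc-lib <- acme-app'."""
    chain, seen, cur = [comp.name], {comp.name}, comp
    while cur.parent and cur.parent in by_name and cur.parent not in seen:
        cur = by_name[cur.parent]
        chain.append(cur.name)
        seen.add(cur.name)
    return " <- ".join(chain)


def review(inventory: List[Component], advisories: List[Advisory],
           today: date, max_age_days: int = 90) -> List[Tuple[str, str, str, str, str]]:
    """Return (kind, component, version, advisory-or-empty, supply chain) tuples:
    one 'vulnerable' finding per matching advisory, plus one 'stale' finding for
    any component not re-reviewed within max_age_days."""
    by_name = {c.name: c for c in inventory}
    findings = []
    for comp in inventory:
        path = supply_chain(comp, by_name)
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append(("vulnerable", comp.name, comp.version, adv.ident, path))
        if (today - comp.last_checked).days > max_age_days:
            findings.append(("stale", comp.name, comp.version, "", path))
    return findings


# Constructed data: a four-level dependency chain (application -> RPC library
# -> effects library -> core JS library). None of these are real projects.
TODAY = date(2012, 4, 1)
INVENTORY = [
    Component("acme-app", "3.2.0", None, date(2012, 3, 15)),
    Component("rpc-lib", "2.0.5", "acme-app", date(2012, 3, 15)),
    Component("js-effects", "1.8.2", "rpc-lib", date(2011, 11, 1)),
    Component("js-core", "1.5.0", "js-effects", date(2011, 11, 1)),
]
ADVISORIES = [
    Advisory("EX-2011-001", "js-core", "1.0", "1.6.0"),   # hypothetical
    Advisory("EX-2011-002", "rpc-lib", "2.1", ""),        # hypothetical; 2.0.5 predates it
]


def run_example() -> List[Tuple[str, str, str, str, str]]:
    return review(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding, sep="\t")
```

The supply-chain column is the point: the vulnerable component three levels down was never chosen by anyone on the team, so a finding that names only “js-core 1.5.0” gives nobody an owner; naming the chain back to the direct dependency does.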
Mergers and Acquisitions (and outsourced development)
  • Make a code audit a contract item
  • Don’t rely on representations (“reps”) regarding code content: audits typically find
    3-5x more third-party content than was disclosed
  • Use outside firms to maintain an “arms-length” relationship
  • Factor in remediation costs
  • Don’t integrate the code with yours until you are confident of its origin
What Acquiring Firms Are Concerned About Today
  •   GPL and other copyleft (“viral”) licenses (esp. v3.0)
  •   Affero GPL
  •   Commercial content and libraries
  •   Restrictions on commercial use or field of use (e.g. no military use)
  •   Cryptography
  •   Code with unknown licenses
  •   % of undisclosed content
Evaluate Compliance Alternatives, and Get Started

   • In-house process
   • External professional services: periodic reports
   • In-house system
         • Owned by development
         • Used by development, legal and security
         • System of record for policy and content
   • The first pass is the most time-consuming: consider an outside audit to
     populate the internal system
Key Questions to Ask…
   • How High is the Bar?

   • What is “Good Enough”?

   • Have You Scanned Everything? [Probably Not!]

   • What’s Out There That’s Hard, But Important?




How High Is the Bar?
  •   More Linux kernel and related materials “in scope”
  •   More interest in historical versions / installed base
  •   Open Source projects requiring more internal deep reviews
  •   Management signing off on Bill of Materials or equivalent
  •   More divestitures, concern about internal process exposure




What Is “Good Enough”?
  • The Community is getting more savvy and vocal
  • The “Community” includes commercial vendors $$$$$
  • More internal emphasis on tracking down source for LGPL binaries – compliance and
    disaster recovery
  • Customers are demanding more; at delivery and at contract signing
  • Scanning is occurring at internal and external touch points
  • More historical versions being reviewed at M&A time
  • A supplier to my supplier is MY supplier!




Have You Scanned Everything [Probably Not]?
  •   Java: Maven becoming more prevalent
  •   C/C++/etc…: Github remote repositories
  •   Commercial Source compiled on laptop
  •   Binary analysis bar is being raised
  •   Where did all these binaries come from? 1000 to 10,000+
  •   More naïve companies requiring scans / Bad Advice
  •   Web services
  •   Post acquisition discovery of missing code




What’s Out There That Is Hard, But Important?
  •   Object-oriented design issues (esp. C++/Java/C#)
  •   Header-file cut-and-pastes (the Google Bionic issue)
  •   Binaries and subcomponents
  •   Code with unknown licenses – more every day
  •   Popular projects with bad licenses (Code Project CPOL or Stack Overflow CC BY-SA)
  •   Employees that travel with “toolkits”: “Wall St. Programmer Guilty of Code Theft”,
      http://query.nytimes.com/gst/fullpage.html?res=9E00E2D81E31F932A25751C1A9669D8B63
What’s In Your Code?




Transcending IT Planetary Boundaries: Future of cloud, By Pradeep Gupta, Cha...HCL Infosystems
 
AiLibrary Garage.com application review - by Gordon Kraft
AiLibrary Garage.com   application review - by Gordon Kraft AiLibrary Garage.com   application review - by Gordon Kraft
AiLibrary Garage.com application review - by Gordon Kraft Gordon Kraft
 
Oracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenOracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenluisw19
 

Similar to Palamida Open Source Compliance Solution (20)

FITT Toolbox: Open Source Business Model
FITT Toolbox: Open Source Business ModelFITT Toolbox: Open Source Business Model
FITT Toolbox: Open Source Business Model
 
FITT Toolbox: Open Source Business Model
FITT Toolbox: Open Source Business ModelFITT Toolbox: Open Source Business Model
FITT Toolbox: Open Source Business Model
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
Ibm software network2012 claudio cinquepalmi #ibmsocialbiz
Ibm software network2012 claudio cinquepalmi  #ibmsocialbiz Ibm software network2012 claudio cinquepalmi  #ibmsocialbiz
Ibm software network2012 claudio cinquepalmi #ibmsocialbiz
 
OW2 Community and more!
OW2 Community and more!OW2 Community and more!
OW2 Community and more!
 
Mainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled RoadmapMainframe DevOps: A Zowe CLI-enabled Roadmap
Mainframe DevOps: A Zowe CLI-enabled Roadmap
 
Implementing cloud based devops for distributed agile projects
Implementing cloud based devops for distributed agile projectsImplementing cloud based devops for distributed agile projects
Implementing cloud based devops for distributed agile projects
 
Cloud Computing - Why and How? (by Forrester Research, Inc.)
Cloud Computing - Why and How? (by Forrester Research, Inc.)Cloud Computing - Why and How? (by Forrester Research, Inc.)
Cloud Computing - Why and How? (by Forrester Research, Inc.)
 
2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference Highlights2011 VMI DEMO Conference Highlights
2011 VMI DEMO Conference Highlights
 
Intro to Open Cloud Initiative
Intro to Open Cloud InitiativeIntro to Open Cloud Initiative
Intro to Open Cloud Initiative
 
Enterprise Open Source Fccs March
Enterprise Open Source Fccs MarchEnterprise Open Source Fccs March
Enterprise Open Source Fccs March
 
Ciphercloud Solutions Overview hsa oct2011
Ciphercloud Solutions Overview hsa oct2011Ciphercloud Solutions Overview hsa oct2011
Ciphercloud Solutions Overview hsa oct2011
 
CloudSpokes Overview
CloudSpokes OverviewCloudSpokes Overview
CloudSpokes Overview
 
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?Identity Gateway with the ForgeRock Identity Platform - So What’s New?
Identity Gateway with the ForgeRock Identity Platform - So What’s New?
 
Rights Technologies for E-Publishing
Rights Technologies for E-PublishingRights Technologies for E-Publishing
Rights Technologies for E-Publishing
 
Directory Services with the ForgeRock Identity Platform - So What’s New?
Directory Services with the ForgeRock Identity Platform - So What’s New?Directory Services with the ForgeRock Identity Platform - So What’s New?
Directory Services with the ForgeRock Identity Platform - So What’s New?
 
Transcending IT Planetary Boundaries: Future of cloud, By Pradeep Gupta, Cha...
Transcending  IT Planetary Boundaries: Future of cloud, By Pradeep Gupta, Cha...Transcending  IT Planetary Boundaries: Future of cloud, By Pradeep Gupta, Cha...
Transcending IT Planetary Boundaries: Future of cloud, By Pradeep Gupta, Cha...
 
AiLibrary Garage.com application review - by Gordon Kraft
AiLibrary Garage.com   application review - by Gordon Kraft AiLibrary Garage.com   application review - by Gordon Kraft
AiLibrary Garage.com application review - by Gordon Kraft
 
Oracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heavenOracle Code Capgemini: API management & microservices a match made in heaven
Oracle Code Capgemini: API management & microservices a match made in heaven
 

Recently uploaded

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 

Palamida Open Source Compliance Solution

  • 1. Open Source Software: The Intersection of IP and Security April 2012 Copyright © 2012 Palamida, Inc.
  • 2. 1995 F22 software (avionics only) ~1.7M LOC Copyright © 2012 Palamida, Inc.
  • 3. 2012 F22 software (avionics only) ~1.7M LOC “It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway” (IEEE Spectrum February 2009 Image: General Motors) Copyright © 2012 Palamida, Inc.
  • 4. New Ways of Composing Services Cloud Computing … a style of computing in which massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers. Definition: Gartner Group Copyright © 2012 Palamida, Inc.
  • 5. Smarter Devices Copyright © 2012 Palamida, Inc.
  • 6. The point is… Copyright © 2012 Palamida, Inc.
  • 7. More and Better… Software Copyright © 2012 Palamida, Inc.
  • 8. Less Time In… Copyright © 2012 Palamida, Inc.
  • 9. And with… Smaller Budgets Copyright © 2012 Palamida, Inc.
  • 10. Today’s Reality… A software development organization cannot be competitive without widespread use of open source Copyright © 2012 Palamida, Inc.
  • 11. Gartner OSS Predictions • By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010. • By 2014, 50% of Global 2000 organizations will experience technology, cost and security challenges through lack of open-source governance. • By 2015, OSS will be used and adopted to help enable over 60% of platform-as-a-service (PaaS) services. • By 2014, 30% of applications running on proprietary versions of Unix will be migrated to OSS-based Linux on x86. • By 2014, those organizations with effective, open-source community participation will consistently deliver high returns from their open-source investments. • By 2013, up to 50% of Global 2000 non-IT enterprises will contribute to at least one OSS project. • By 2016, 50% of leading non-IT organizations will use OSS as a business strategy to gain competitive advantage. Predicts 2011: Open-Source Software, the Power Behind the Throne 23 November 2010 ID:G00209180 Copyright © 2012 Palamida, Inc.
  • 12. Typical Software Project Metrics • 2.9 GB • 87,863 Files • 8,535,345 LOC • Copyright holders – ~350 • Binaries/Archives/JARS – 1207 What is This Software Project Trying To Tell You? Copyright © 2012 Palamida, Inc.
  • 13. There is probably a lot of content that you don’t know about. Audit Example: Size 15.9GB; 59.1M LOC; Documented OS components 303; Undocumented OS components 535; Total # 838; % LOC from Open Source 60-65% Copyright © 2012 Palamida, Inc.
  • 14. It’s Likely Your Disclosure of 3rd Party Content is Incomplete… [bar chart: Open Source Components Disclosed In Advance of Audit vs. Undisclosed, 13 audit projects, series Undisclosed and Disclosed, y-axis 0-350] Source: Palamida Audit Projects Copyright © 2012 Palamida, Inc.
  • 15. …With License Terms that May Be Problematic [bar chart: Audit Breakdown by License, TOTAL % per license, y-axis 0-30%] Source: 2010 Year to Date Audit Engagements Performed by Palamida Professional Services Copyright © 2012 Palamida, Inc.
  • 16. Open Source is not somehow “different”. PLAINTIFFS' MEMORANDUM OF LAW IN SUPPORT OF THEIR MOTION FOR PRELIMINARY INJUNCTION AGAINST DEFENDANTS BEST BUY, CO., INC. AND PHOEBE MICRO, INC. SOFTWARE FREEDOM CONSERVANCY, INC. and ERIK ANDERSEN, Filed 1/31/11: “Plaintiffs would be happy to settle this matter with Best Buy and Phoebe Micro if they either (i) ceased all distribution of BusyBox or (ii) committed to distribute BusyBox in compliance with the free and open source license terms under which Plaintiffs offer BusyBox to the world. Plaintiffs have patiently worked with Best Buy and Phoebe Micro to bring their products into compliance with the license, but unfortunately have now concluded that those efforts are destined to fail because neither Best Buy nor Phoebe Micro has the capacity and desire to meet either of Plaintiffs' demands for settlement. As such, Plaintiffs are forced to protect their interests in BusyBox by now respectfully moving for a preliminary injunction, pursuant to Rule 65, enjoining and restraining defendants Best Buy and Phoebe Micro from any further copying, distribution, or use of their copyrighted software BusyBox.” Copyright © 2012 Palamida, Inc.
  • 17. Software IP is a potent competitive weapon Love, Larry: Here Is the Oracle Statement and Final Complaint Versus Google by Kara Swisher Posted on August 12, 2010 at 6:46 PM PT This afternoon, the database software giant said it was suing Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system software. http://kara.allthingsd.com/20100812/love-larry-here-is-the-oracle-statement-and-final-complaint-versus-google/ Copyright © 2012 Palamida, Inc.
  • 18. And Open Source Is Not Immune to Vulnerabilities [bar chart: Vulnerabilities in Popular Open Source Projects; projects: Apache Tomcat, jQuery, GNU C Library, libpng, LibTIFF, OpenSSL, Zlib, Libcurl, Libxml2, OpenSSH; bar values shown: 89, 61, 60, 41, 27, 31, 11, 1, 5, 5; y-axis 0-90] Source: National Vulnerability Database Copyright © 2012 Palamida, Inc.
  • 19. Oh No, Kernel.org was Hacked by Susan Linton - Aug. 31, 2011 A notice appeared on www.kernel.org today informing visitors that the servers housing the Linux kernel source code had been hacked earlier this month. The breach was discovered yesterday and maintainers believe the source code itself is unaffected. Source: ostatic.com Copyright © 2012 Palamida, Inc.
  • 20. August 2011 ‘Devastating’ Apache bug leaves servers exposed Devs race to fix weakness disclosed in 2007 Attack code dubbed “Apache Killer” that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system. August 14, 2011 Copyright © 2012 Palamida, Inc.
  • 21. Mango OSS Components / DWR OSS Components / Scriptaculous Components (nested dependency diagram; NVD Reported Vulnerabilities counts shown: 1, 4, 0). Components listed: Apache Spring Framework, Quartz Enterprise Job Scheduler, Apache Struts, PrototypeJS 1.5.0, Apache Commons Logging, Hibernate, Apache Jakarta Taglibs, Scriptaculous, Spring Framework, Beehive, JfreeChart, WebWork, Apache Jakarta Commons, Backport Util Concurrent, Freemarker, Google Injection Framework, Jcommon Utility Classes, Apache-db-derby, Apache Log4J, JavaMail API, MySQL, SAX: Simple API for XML, J2EE, Java2 SDK, Activation, AQP Alliance, DWR Direct Web Remoting, pngencoder, git-MM JDBC driver, Apache Xerces Copyright © 2012 Palamida, Inc.
  • 22. Risk is Risk And you can’t mitigate risk you don’t know you have Copyright © 2012 Palamida, Inc.
  • 23. Copyright © 2012 Palamida, Inc.
  • 24. What to Do Tomorrow • Set up an OSRB or equivalent • Establish your policy for use of externally sourced software • Don’t stop at IP, include security • Audit any software acquired via M&A • Evaluate compliance alternatives, and get started Copyright © 2012 Palamida, Inc.
  • 25. Open Source Review Board • Comprised of Legal, Development and Security • Review and approve policy for externally sourced software • Establish the scope of information required and retained (the request form) • Case-by-case use decisions • Review and approve the policy for compliance with obligations • Reports to CFO, GC, VP engineering or others periodically on compliance status Copyright © 2012 Palamida, Inc.
  • 26. Policy What is the name and version of this software component? Where is it used? What is the license? Is this component in a software product that ships to customers? Does this component contain known vulnerabilities? Have we modified this component? When was the last time we checked this software for version and vulnerability? Does this component contain encryption? Have we added this component to the notices file? Copyright © 2012 Palamida, Inc.
  • 27. Mergers and Acquisitions (and outsourced development) • Make code audit a contract item • Don’t rely on reps regarding code content – typically 3-5x more found than disclosed • Use outside firms to maintain an “arms-length” relationship • Factor in remediation costs • Don’t integrate the code with yours until you are confident of origin Copyright © 2012 Palamida, Inc.
  • 28. What Acquiring Firms Are Concerned About Today • GPL and other Viral Licenses (esp v3.0) • Affero GPL • Commercial Content and Libraries • Restrictions on commercial use or field of use (e.g. no Military use) • Cryptography • Code with Unknown Licenses • % of undisclosed content Copyright © 2012 Palamida, Inc.
  • 29. Evaluate Compliance Alternatives, and Get Started • In-house process • External Professional Services – periodic reports • In-house system • Owned by development • Used by development, legal and security • System of record for policy and content • The first pass is the most time-consuming – consider an outside audit to populate the internal system Copyright © 2012 Palamida, Inc.
  • 30. Key Questions to Ask… • How High is the Bar? • What is “Good Enough”? • Have You Scanned Everything? [Probably Not!] • What’s Out There That’s Hard, But Important? Copyright © 2012 Palamida, Inc.
  • 31. How High Is the Bar? • More Linux kernel and related materials “in scope” • More interest in historical versions / installed base • Open Source projects requiring more internal deep reviews • Management signing off on Bill of Materials or equivalent • More divestitures, concern about internal process exposure Copyright © 2012 Palamida, Inc.
  • 32. What Is “Good Enough”? • The Community is getting more savvy and vocal • The “Community” includes commercial vendors $$$$$ • More internal emphasis on tracking down source for LGPL binaries – compliance and disaster recovery • Customers are demanding more; at delivery and at contract signing • Scanning is occurring at internal and external touch points • More historical versions being reviewed at M&A time • A supplier to my supplier is MY supplier! Copyright © 2012 Palamida, Inc.
  • 33. Have You Scanned Everything [Probably Not]? • Java: Maven becoming more prevalent • C/C++/etc…: Github remote repositories • Commercial Source compiled on laptop • Binary analysis bar is being raised • Where did all these binaries come from? 1000 to 10,000+ • More naïve companies requiring scans / Bad Advice • Web services • Post acquisition discovery of missing code Copyright © 2012 Palamida, Inc.
  • 34. What’s Out There That Is Hard, But Important? • Object Oriented Design Issues (esp. C++/Java/C#) • Header files cut and pastes (The Google Bionic Issue) • Binaries and subcomponents • Code with Unknown licenses – more every day • Popular projects w/ Bad Licenses (Code Project CPOL or Stack Overflow CC BY-SA) • Employees that travel w/ “Toolkits” “Wall St. Programmer Guilty of Code Theft” http://query.nytimes.com/gst/fullpage.html?res=9E00E2D81E31F932A25751C1A9669D8B63 Copyright © 2012 Palamida, Inc.
  • 35. What’s In Your Code? Copyright © 2012 Palamida, Inc.
  • 36. Open Source Software: The Intersection of IP and Security April 2012 Copyright © 2012 Palamida, Inc.
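The slide 20 Apache byte-range issue is the kind of defect the deck wants you to know you are exposed to; the check below is an added example (not Apache's patch or configuration, and not part of the original deck) of the mitigation class a server can apply: parse the Range header, cap the number of ranges, refuse overlapping ones, and fall back to a normal full response. The limit of 5 ranges and all sample headers are constructed assumptions.

```python
"""Defensive Range-header evaluation (constructed example, not Apache code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RANGES = 5  # assumed policy limit; legitimate clients rarely need more
BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


@dataclass
class RangeDecision:
    honor: bool                    # True: serve 206 with `ranges`; False: serve the full body
    ranges: List[Tuple[int, int]]  # absolute inclusive (start, end) pairs
    reason: str


def parse_byte_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse 'bytes=a-b,c-,-n' against a body of `size` bytes.

    Returns None when the header is syntactically invalid (RFC 7233 lets a
    server ignore it); unsatisfiable ranges are dropped individually.
    """
    if not header.startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = BYTE_RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix form "-n": the last n bytes
            n = int(last)
            if n == 0:
                continue                      # unsatisfiable
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        if last != "" and start > int(last):
            return None                       # invalid spec invalidates the header
        end = size - 1 if last == "" else min(int(last), size - 1)
        if start >= size:
            continue                          # unsatisfiable
        ranges.append((start, end))
    return ranges


def evaluate_range(header: Optional[str], size: int) -> RangeDecision:
    """Decide whether a Range header is safe to honor."""
    if header is None:
        return RangeDecision(False, [], "no Range header")
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return RangeDecision(False, [], "malformed Range header: ignored")
    if len(ranges) > MAX_RANGES:
        return RangeDecision(False, [], f"{len(ranges)} ranges exceeds limit of {MAX_RANGES}: ignored")
    ordered = sorted(ranges)
    for (_, prev_end), (start, _) in zip(ordered, ordered[1:]):
        if start <= prev_end:                 # overlap: refuse rather than buffer duplicates
            return RangeDecision(False, [], "overlapping ranges: ignored")
    if not ranges:
        return RangeDecision(False, [], "no satisfiable range")  # a real server answers 416
    return RangeDecision(True, ranges, "ok")


if __name__ == "__main__":
    # Constructed headers against a 1000-byte body.
    for h in ("bytes=0-99,200-299", "bytes=-100", "bytes=0-500,100-600",
              "bytes=" + ",".join(f"{i}-" for i in range(8)), "bytes=5-0"):
        d = evaluate_range(h, 1000)
        print(f"{h!r:45} honor={d.honor} {d.reason} {d.ranges}")
```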

Editor's Notes

  1. Here’s a typical example from an audit we did in 2007. This is from a well known enterprise software company. They were very diligent about keeping track of what was going into their software and had catalogued 303 open source components they were using. But as you can see here they were way off base and the actual number was 838. We discovered 535 components—big moving parts critical to their product—that they had no idea were there. And there is nothing unique about their situation. We have seen something similar in every audit we’ve ever done. Based on our experience it is a virtual certainty that your company’s software is similar. This means that you are using components that probably have known security exploits that are listed in the NVD, and that your undocumented code is also unpatched and un-upgraded.
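The slide 26 policy questions, the slide 28 license concerns and the slide 13/14 disclosed-versus-discovered count, applied to a component inventory as an added example (not Palamida's product, data or code). The approved and review-required license sets, the 90-day re-check window, the 2012-04-01 reference date and every component record are constructed assumptions.

```python
"""Open source component policy check over a constructed inventory (example only)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1-only"}   # assumed
COPYLEFT_REVIEW = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}         # assumed
MAX_CHECK_AGE_DAYS = 90   # assumed policy: re-check version and NVD status quarterly
TODAY = date(2012, 4, 1)  # constructed reference date


@dataclass(frozen=True)
class Component:
    """One answer sheet for the slide 26 policy questions."""
    name: str
    version: str
    license: str              # SPDX identifier, or "UNKNOWN"
    used_in: str
    ships_to_customers: bool
    known_vulns: int          # NVD entries matching this name and version
    modified: bool
    last_checked: date
    contains_encryption: bool
    in_notices_file: bool
    disclosed_before_audit: bool


def policy_findings(c: Component, today: date) -> List[str]:
    """Return the policy exceptions for one component (empty list means compliant)."""
    findings: List[str] = []
    if c.license == "UNKNOWN":
        findings.append("unknown license: establish origin before use")
    elif c.license in COPYLEFT_REVIEW and c.ships_to_customers:
        findings.append(f"{c.license} in a shipped product: legal review required")
    elif c.license not in APPROVED_LICENSES:
        findings.append(f"{c.license} not on approved list: OSRB case-by-case decision")
    if c.known_vulns:
        findings.append(f"{c.known_vulns} known NVD vulnerabilities for {c.version}: upgrade or patch")
    if (today - c.last_checked).days > MAX_CHECK_AGE_DAYS:
        findings.append(f"version/vulnerability check older than {MAX_CHECK_AGE_DAYS} days")
    if c.modified:
        findings.append("locally modified: track patches and the obligations they trigger")
    if c.contains_encryption:
        findings.append("contains encryption: export-control review")
    if c.ships_to_customers and not c.in_notices_file:
        findings.append("shipped but missing from notices file")
    return findings


def evaluate_inventory(components: List[Component], today: date) -> Dict[str, List[str]]:
    return {f"{c.name}@{c.version}": policy_findings(c, today) for c in components}


def disclosure_stats(components: List[Component]) -> Dict[str, float]:
    """The slide 13 view: what the team declared versus what the audit found."""
    total = len(components)
    disclosed = sum(1 for c in components if c.disclosed_before_audit)
    pct = round(100.0 * (total - disclosed) / total, 1) if total else 0.0
    return {"total": total, "disclosed": disclosed,
            "undisclosed": total - disclosed, "pct_undisclosed": pct}


# Constructed inventory; names, versions and counts are invented for the example.
SAMPLE_INVENTORY = [
    Component("libalpha", "1.4.2", "Apache-2.0", "server/core", True, 0, False,
              date(2012, 3, 20), False, True, True),
    Component("webframe", "2.0.1", "GPL-3.0-only", "admin UI", True, 2, True,
              date(2011, 11, 30), False, False, False),
    Component("cryptobox", "0.9", "MIT", "client", True, 0, False,
              date(2012, 3, 1), True, True, True),
    Component("utilbeta", "3.1", "UNKNOWN", "build tools", False, 0, False,
              date(2012, 3, 28), False, False, False),
    Component("chartlib", "1.0", "CC-BY-SA-3.0", "reports", True, 0, False,
              date(2012, 3, 15), False, True, True),
]

if __name__ == "__main__":
    for key, issues in evaluate_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(key, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
    print(disclosure_stats(SAMPLE_INVENTORY))
```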