Presented by: Jeff Luszcz, ZebraCatZebra
Presented at All Things Open 2020
Abstract: Open Source powers the world, but you need to do more than use it.
In this talk we will provide background on the most common types of open source licenses, business models, security issues and the processes required to help you remain secure and in compliance. We will discuss best practices, scanning tools, remediation, customer and partner expectations around OSS compliance and how to manage OSS during events such as a product release or M&A.
Flogo - A Golang-powered Open Source IoT Integration Framework (Gophercon)
Kai Wähner
Golang-powered open source IoT project Flogo to build ultra-lightweight integration microservices.
The Internet of Things (IoT) will bring up to 50 billion devices by 2020, which have to be connected somehow. Challenges include low bandwidth, high latency, unreliable connectivity and the need for low network costs. Therefore, a gateway is needed remotely on site with the devices to filter, aggregate and send only relevant data into the cloud or data center. This session introduces Project Flogo: a 100% open source framework which allows developing ultra-lightweight IoT integration applications with a zero-coding web user interface or a design chat bot. Coders can also rely just on code, of course. It is written in Google's Go programming language and is 20-50x more lightweight than similar Java or JavaScript frameworks. Therefore, building very lightweight microservices independent of IoT is another good use case for this framework, e.g. for serverless architectures using open source frameworks such as OpenWhisk. The session focuses on live demos and shows how to build microservices and integrate IoT devices using standards such as MQTT, WebSockets, CoAP or REST. The last part of the session compares Project Flogo to other open source IoT projects like Node-RED and SaaS offerings such as AWS IoT.
Please use the Flogo community to discuss or ask questions:
https://community.tibco.com/products/project-flogo
Video recording of these slides:
https://youtu.be/-ThK6BZdoxw
BI: one of the buzz words that everyone is talking about, but what is it? How can it be used to make an impact in my organization? How do I get started? This session was delivered for SharePoint Saturday Reston.
Solution architects must be aware of the need for solution security and of the need to have enterprise-level controls that solutions can adopt.
The sets of components that comprise the extended solution landscape, including those components that provide common or shared functionality, are located in different zones, each with different security characteristics.
The functional and operational design of any solution and therefore its security will include many of these components, including those inherited by the solution or common components used by the solution.
The complete solution security view should refer explicitly to the components and their controls.
While each individual solution should be able to inherit the security controls provided by these components, the solution design should include explicit reference to them for completeness and to avoid unvalidated assumptions.
There is a common and generalised set of components, many of which are shared, within the wider solution topology that should be considered when assessing overall solution architecture and solution security.
Individual solutions must be able to inherit security controls, facilities and standards from common enterprise-level controls, standards, toolsets and frameworks.
Individual solutions must not be forced to implement individual infrastructural security facilities and controls. This is wasteful of solution implementation resources, results in multiple non-standard approaches to security and represents a security risk to the organisation.
The extended solution landscape potentially consists of a large number of interacting components and entities located in different zones, each with different security profiles, requirements and concerns. Different security concerns and therefore controls apply to each of these components.
Solution security is not covered by a single control. It involves multiple overlapping sets of controls providing layers of security.
Structured Approach to Solution Architecture
Alan McSweeney
The role of solution architecture is to identify an answer to a business problem and a set of solution options and their components. There will be many potential solutions to a problem with varying degrees of suitability to the underlying business need. Solution options are derived from a combination of Solution Architecture Dimensions/Views, which describe characteristics, features, qualities and requirements, and Solution Design Factors, Limitations and Boundaries, which delineate limitations. Use of a structured approach can assist with solution design to create consistency. The TOGAF approach to enterprise architecture can be adapted to perform some of the analysis and design for elements of Solution Architecture Dimensions/Views.
Preparing, Piloting & Paths to Success with Microsoft Copilot
Richard Harbridge
In the modern post-generative-AI era, leveraging innovative tools is crucial for enhancing productivity and improving performance. This workshop will explore how to get the most out of Microsoft 365 Copilot, Microsoft Viva Copilot and Microsoft Copilot experiences. Join Microsoft MVP and industry expert Richard Harbridge as we delve into the challenges surrounding its adoption, including initial preparation, user training, support, governance and integration into existing workflows. We will start with an overview highlighting the critical elements that make Copilot so impactful in organizations today, along with plenty of data and industry insights. As we transition into guidance around piloting Microsoft 365 Copilot, participants will explore its robust features through rich examples. Engaging with real-world scenarios will unveil common hurdles and provide a clear roadmap towards optimizing Microsoft 365 Copilot for your organizational needs.
Target architecture: Overcoming barriers to effective Enterprise Architecture
Dave Hornford
Target architecture, and the resulting roadmap, is the fast path to effective business engagement. Change leaders are looking for help in effecting transformation. Dave will explore the real and self-imposed barriers to developing Target Architecture. Why do most "Targets" look more like a first Transition Architecture?
Identity and Access Management Reference Architecture for Cloud Computing
John Bauer
This presentation will outline a comprehensive reference architecture for meeting the secure access and provisioning demands of outsourcing business and technology processes to "the cloud". The attendee will walk away with a more solid understanding of the identity and access management challenges facing organizations looking to move application and business process support to cloud computing providers, as well as a reference architecture that outlines how to build standards-based solutions for each challenge.
John F. Bauer III has over 20 years of Information Technology and Security delivery experience. John is currently the Enterprise Security Architect for Key Bank and has previously held leadership positions at British Petroleum, Cliffs Natural Resources, MTD Products, and National City/PNC Bank. John has spoken previously on the topic of Information Security at CA World, Oracle Open World, Digital ID World and NACHA conferences. John has both a Computer Science degree and an MBA from Case Western Reserve University's Weatherhead School of Management and is a frequent Adjunct Professor on Network Security at Cuyahoga Community College. John also maintains an active blog: MidwestITSurvival.com.
Preparing for Microsoft 365 Copilot - Best Practices for Governance and Data ...
Nikki Chapple
Microsoft 365 Copilot is a new technology that uses generative AI to help users create content, code, and data insights from within your Microsoft 365 Apps such as Word, Excel, PowerPoint, Outlook, Teams and Loop. It can boost productivity, creativity, and skills, but it also poses some challenges for governance and data security. To prepare for Microsoft 365 Copilot, users need to follow some best practices, such as:
- Assessing their technical and data security readiness.
- Understanding the importance of "Just enough access".
- Building their data security and governance maturity by setting up data security, governance and access controls at the tenant level, the container (Team or Group) level and the individual user level.
By following these best practices, users can ensure that they get the most out of Microsoft 365 Copilot while protecting their data and reputation.
Modeling Big Data with the ArchiMate 3.0 Language
Iver Band
Health care enterprises use big data methods and technologies to gain insights for improving the efficacy, efficiency, and accessibility of their services. Effective big data initiatives require shared understanding among diverse stakeholders of business challenges and the often complex architectures required to address them. Enterprise and solution architects can use the ArchiMate language to build this understanding with compelling visual models.
This presentation introduces the ArchiMate 3.0 language, and uses it to explore the US National Institute of Standards and Technology (NIST) Big Data Reference Architecture (NBDRA), and to present a health care case study based on the NBDRA. Participants will learn how to use the ArchiMate 3.0 language, in alignment with the TOGAF framework, to propose, justify and plan big data initiatives, and to guide their successful implementation.
Overview of Data Loss Prevention Policies in Office 365
Dock 365
Presentation about identifying, monitoring, and automatically protecting sensitive information across Office 365.
With a DLP Policy, you can:
- Identify sensitive information across many locations, such as SharePoint Online and OneDrive for Business.
- Prevent the accidental sharing of sensitive information.
- Monitor and protect sensitive information in the desktop versions of Excel 2016, PowerPoint 2016, and Word 2016.
- Help users learn how to stay compliant without interrupting their workflow.
- View DLP reports showing content that matches your organization's DLP policies.
Visit www.mydock365.com to learn more about SharePoint with Dock.
Why Solutions Fail and the Business Value of Solution Architecture
Alan McSweeney
This is an extract from the book Introduction to Solution Architecture that provides a solution architecture perspective on why solution delivery fails. It is a reasonable statement that in the minds of many people failure is synonymous with information technology projects. While this perception is an exaggeration, the outcomes of many IT solution delivery projects represent failures to at least some extent. It is also often true that solution delivery failure is attributed to project management failure, such as the quality, skill and experience of the project manager or the misapplication or lack of application of a project management methodology. However, the most effective project management will not make an undeliverable, unworkable, unusable solution deliverable, workable or usable. The solution architect should concern himself or herself with the ultimate success of the project to deliver the designed solution.
IT4IT: Realize a Digital Strategy with ServiceNow
Zenoss
ServiceNow's Senior Product Manager, Mark Bodman, presents IT4IT: Realize a Digital Strategy with ServiceNow.
Access the full presentation recordings for GalaxZ17 here: http://ow.ly/WyBu30cakk0
IT Application Decommissioning - Application Retirement Services
AvenDATA
Whether you have ERP or CRM systems, unstructured data or files, we will build an archiving system for you that will free you from your legacy systems while fulfilling legal requirements. Benefit from our many years' experience in the market, which is reflected in the hundreds of our archiving projects worldwide.
Due to our specialisation in system archiving, system decommissioning and carve-out, we are significantly more efficient, cost-effective, functional and faster than you could ever imagine.
Why AvenDATA?
For many years we have specialized in archiving legacy systems in applications decommissioning. As a result, we have successfully implemented our software in the hundreds of companies from a wide range of industries worldwide. Our experience portfolio includes more than 250 systems from various manufacturers. Benefit from our long experience. Our archiving solution can manage 250+ systems and up to 100+ TB.
We are specialized in archiving legacy systems within applications decommissioning. In doing so, we have successfully implemented with hundreds of companies from a wide range of industries worldwide. Our portfolio includes experience with more than 250 systems from various manufacturers. Benefit from our years of experience. The AvenDATA Group operates worldwide with headquarters in Berlin and additional offices in Budapest, Mumbai and New York.
Labelling in Microsoft 365 - Retention & Sensitivity
Drew Madelung
Are you classifying your data in Microsoft 365? You can add data classifications using sensitivity and retention labels but they do two very different things. In this session I will break down what the label options are, how you can use them, and why you should deploy them in your organization to keep your content compliant and secure.
More than ever, open source software is at the heart of modern online businesses and technology companies. Open source is nearly everywhere: web browsers, smartphones, home wireless routers, databases, web servers, and countless components of free, commercial, and large enterprise software. But most open source software comes with strings attached, and if misunderstood, they can trip up the unwary.
Recently Ansel Halliburton held a webinar to discuss the common pitfalls in open source licensing, and the best practices for avoiding them.
Topics:
• The most common sources of non-compliance with open source licenses
• The key differences between the most popular licenses
• The basis in intellectual property law for open source licensing
• How courts in the US and abroad have enforced open source licenses
These slides are from a webinar by attorney Ansel Halliburton on September 22, 2015.
Open source is gleefully rewriting the rules of IT development at all levels of industry and government. Adoption of open source in government is well underway, with success stories illustrating the benefits.
This decade we are going further - fostering a healthy, sustainable, working relationship between government and open source:
* This presentation digs into the flexibility of open source licensing and how government organizations can meet the challenges of developing with open source.
* We will look at the advantages of government participation in open source at the project, institutional, and foundation level.
Attend this talk to understand how your organization can not only benefit from open source, but be open source.
Introduction to open source licensing, using examples from Boundless Suite and Boundless Desktop to illustrate how to build your own software using open source components.
Open source software for IoT - The devil's in the details
Rogue Wave Software
From Sensors expo & conference 2016.
Rogue Wave CTO Rod Cope presented on open source software for the IoT and explained how the devil's in the details.
Open source software (OSS) is growing in software development today, especially in the IoT space, driving technical innovation, enabling productivity gains, and touching everything from big data and cloud to mobile and embedded. The use of OSS is favorable because it decreases time to market and reduces cost. Despite its importance and reach, there's little understanding within the development community regarding OSS license obligations and what is required for compliance.
While it's free, easy to find, and pushes software to the market faster, it's vital to understand how to use OSS safely.
Open source licenses can be more than a little confusing for those of us who just want to write a little bit of code. However, with open source components playing such a big part in the products that we create, open source licenses and compliance simply can't be ignored.
We've compiled the one-stop resource guide for working compliantly with open source components, including answers to FAQs about the most popular licenses in 2018. Read all about the hottest licensing trends that you need to be following and some predictions for 2019.
Building Reliability - The Realities of Observability
All Things Open
Presented at the ATO RTP Meetup
Presented by Jeremy Proffit, Director of DevSecOps & SRE for Customer Care and Communications, Ally
Title: Building Reliability - The Realities of Observability
Abstract: Join me as we discuss true observability, and learn what works and what doesn't. We'll not only discuss dashboards, monitoring and alerting, but how these can be built by automation or included in your IaC modules. We'll talk about how to properly alert staff based on priority to keep your staff and yourself sane. We'll even discuss architecture, how it impacts reliability, and why serverless isn't always the best at being reliable.
Presented at the ATO RTP Meetup
Presented by Peter Zaitsev, Founder of Percona
Title: Modern Database Best Practices
Abstract: There are now more database choices available for developers than ever before - there are general purpose databases and specialized databases, single node and distributed databases, open source and proprietary databases, and databases available exclusively in the cloud. In this presentation we will cover the best practices of choosing database(s) for your applications, best practices when it comes to application development, and managing those databases to achieve the best possible performance, security and availability at the lowest cost.
All Things Open 2023
Presented at All Things Open 2023
Presented by Deb Bryant - Open Source Initiative, Patrick Masson - Apereo Foundation, Stephen Jacobs - Rochester Institute of Technology, Ruth Suehle - SAS, & Greg Wallace - FreeBSD Foundation
Title: Open Source and Public Policy
Abstract: New regulations in the software industry and adjacent areas such as AI, open science, open data, and open education are on the rise around the world. Cyber Security, societal impact of AI, data and privacy are paramount issues for legislators globally. At the same time, the COVID-19 pandemic drove collaborative development to unprecedented levels and took Open Source software, open research, open content and data from mainstream to main stage, creating tension between public benefit and citizen safety and security as legislators struggle to find a balance between open collaboration and protecting citizens.
Historically, the open source software community and the foundations supporting its work have not engaged in policy discussions. Moving forward, thoughtful development of these important public policies without harming our complex ecosystems requires an understanding of how our ecosystem operates. Ensuring representation for stakeholders who have historically lacked it in those discussions becomes paramount to that end.
Please join our open discussion with open policy stakeholders working constructively on current open policy topics. Our panelists will provide a view into how OSS foundations and other open domain allies are now rising to this new challenge as well as seizing the opportunity to influence positive changes to the public's benefit.
Topics: Public Policy, Open Science, Open Education, current legislation in the US and EU, US interest in OSS sustainability, intro to the Open Policy Alliance
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
2023 conference: https://2023.allthingsopen.org/
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak... (All Things Open)
Presented at All Things Open 2023
Presented by Ashpak Shaikh & Lucy Shen - Intuit
Title: Weaving Microservices into a Unified GraphQL Schema with graph-quilt
Abstract: The magic of GraphQL is that it provides data access through a single endpoint: clean and easy. But as the number of GraphQL microservices your tech stack depends on starts to grow, that single-endpoint purpose becomes a new multi-endpoint problem. Ideally, we would have an orchestrator that could aggregate schemas from multiple microservices into a unified GraphQL schema and route the requests to the appropriate microservice.
Enter graph-quilt, an open source Java library that provides recursive schema stitching and Apollo Federation style schema composition. In this talk, we'll walk through our GraphQL journey and show you how to use graph-quilt to simplify your data orchestration needs. We will also share our open sourced reference implementation of a highly performant graph-quilt gateway currently being used in production here at Intuit, where we've had incredible success in scaling the gateway with 50+ microservices and 150+ clients.
The State of Passwordless Auth on the Web - Phil Nash (All Things Open)
Presented at All Things Open 2023
Presented by Phil Nash - Sonar
Title: The State of Passwordless Auth on the Web
Abstract: Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfil to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision of how authentication could look in the future and a blueprint for how to build the best auth experience today.
Total ReDoS: The dangers of regex in JavaScript (All Things Open)
Presented at All Things Open 2023
Presented by Phil Nash - Sonar
Title: Total ReDoS: The dangers of regex in JavaScript
Abstract: Regular expressions are complicated and can be hard to learn. On top of that, they can also be a security risk; writing the wrong pattern can open your application up to denial of service attacks. One token out of place and you invite in the dreaded ReDoS.
But how can a regular expression cause this? In this talk we'll track down the patterns that can cause this trouble, explain why they are an issue and propose ways to fix them now and avoid them in the future. Together we'll demystify these powerful search patterns and keep your application safe from expressions that behave in a way that is anything but regular.
What Does Real World Mass Adoption of Decentralized Tech Look Like? (All Things Open)
Presented at All Things Open 2023
Presented by Karl Mozurkewich - Storj
Title: What Does Real World Mass Adoption of Decentralized Tech Look Like?
Abstract: We delve into the transformative potential of decentralized technology. Beginning with a brief overview of the rise of centralization with the advent of the internet and the counter-shift marked by blockchain we explore the intrinsic characteristics of decentralized and distributed systems, such as trustless operations, peer-to-peer networks, and enterprise application scalability. Various sectors, including finance, supply chains, media and entertainment, data science and cloud infrastructure are on the brink of disruption. The societal implications are vast, with the potential for greater individual empowerment, a greener planet and more viable resource utilization, but concerns about data security persist.
Presented at All Things Open 2023
Presented by Anastasia Lalamentik - Kaleido
Title: How to Write & Deploy a Smart Contract
Abstract: In this talk, Anastasia Lalamentik, Full Stack Engineer at Kaleido, will walk through how Ethereum smart contracts work and go over related concepts like gas fees, the Ethereum Virtual Machine (EVM), the block explorer, and the Solidity programming language. This is vital to anyone who wants to build a blockchain app and is a great introduction to blockchain technology for newcomers to the space.
By the end of the talk, attendees will better understand how to:
- Write a simple smart contract
- Deploy their smart contract to an Ethereum test network through the latest tools like Hardhat and the MetaMask wallet
- Test interactions with their deployed smart contract and ensure that everything is working properly
Additionally, participants will get to interact with Anastasia's deployed smart contract at the end of the talk. Anastasia's past talks have attracted and have been attended by a diverse group of participants with a range of experience in the space.
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow (All Things Open)
Presented at All Things Open 2023
Presented by Paul Brebner - Instaclustr (by Spot by NetApp)
Title: Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Abstract: In this talk we'll build a Drone delivery application, and then use it to do some Machine Learning "on the fly".
In the 1st part of the talk, we'll build a real-time Drone Delivery demonstration application using a combination of two open-source technologies: Uber's Cadence (for stateful, scheduled, long-running workflows), and Apache Kafka (for fast streaming data).
With up to 2,000 (simulated) drones and deliveries in progress at once this application generates a vast flow of spatio-temporal data.
In the 2nd part of the talk, we'll use this platform to explore Machine Learning (ML) over streaming and drifting Kafka data with TensorFlow to try and predict which shops will be busy in advance.
Presented at the All Things Open 2023 Inclusion and Diversity in Open Source Event
Presented by Efraim Marquez-Arreaza - Red Hat
Title: DEI Challenges and Success
Abstract: In today's world, many companies and organizations have Diversity, Equity and Inclusion (DEI) communities. Red Hat Unidos is a DEI community focused on advocating for the Hispanic/Latine community. In this talk, we would like to share our challenges and successes during the past 4 years and our plans for the future.
Presented at All Things Open 2023
Presented by Lydia Cupery - HubSpot
Title: Scaling Web Applications with Background Jobs: Takeaways from Generating a Huge PDF
Abstract: Do you need to perform time-consuming or CPU-intensive processes in your web application but are concerned about performance? That's where background jobs come in. By offloading resource-intensive tasks to separate worker processes, you can improve the scalability of your web application.
In this talk, I'll share my experience of using background jobs to scale our web application. I'll discuss the challenges my team faced that led us to adopt background jobs. Then, I'll share practical tips on how to design background jobs for CPU-intensive or time-consuming processes, such as generating huge PDFs and batch emailing. I'll wrap up by going over the performance and cost tradeoffs of background jobs.
I'll use Typescript, Express, and Heroku as examples in this talk, but the concepts and best practices that I'll share are applicable to other languages and tools.
Presented at All Things Open 2023
Presented by Robert Aboukhalil - CZI
Title: Supercharging tutorials with WebAssembly
Abstract: sandbox.bio is a free platform that features interactive command-line tutorials for bioinformatics. This talk is a deep-dive into how sandbox.bio was built, with a focus on how WebAssembly enabled bringing command-line tools like awk and grep to the web. Although these tools were originally written in C/C++, they all run directly in the browser, thanks to WebAssembly! And since the computations run on each user's computer, this makes the application highly scalable and cost-effective.
Along the way, I'll discuss how WebAssembly works and how to get started using it in your own applications. The talk will also cover more advanced WebAssembly features such as threads and SIMD, and will end with a discussion of WebAssembly's benefits and pitfalls (it's a powerful technology, but it's not always the right tool!).
Presented at All Things Open 2023
Presented by K.S. Bhaskar - YottaDB LLC
Title: Using SQL to Find Needles in Haystacks
Abstract: Database journal files capture every update to a database. A database of a few hundred GB can generate GBs worth of journal files every minute at busy times. Troubleshooting and forensics, especially of rare and intermittent problems, such as which process made what update and when, is an exercise in finding needles in haystacks. A similar problem exists with syslogs. A solution is to load the journal files and syslogs into a database, and use SQL to query the database. Bhaskar will present and demonstrate this with a 100% FOSS stack.
Configuration Security as a Game of Pursuit Intercept (All Things Open)
Presented at All Things Open 2023
Presented by Wes Widner - Automox
Title: Configuration Security as a Game of Pursuit Intercept
Abstract: In this session we will take a look at the emerging field of cloud security posture management (CSPM) and how we can approach the problem space using a class of board games known as pursuit/intercept. Using the game Scotland Yard as a visual illustration, we'll explore the cognitive and technical limitations that all CSPM systems face and what you should look for when evaluating the strengths and weaknesses of CSPM vendors and approaches.
Presented at All Things Open 2023
Presented by Carol Huang & Mike Fix - Stripe
Title: Scaling an Open Source Sponsorship Program
Abstract: We already know this: the open-source ecosystem needs further monetary investment from the companies that benefit most from it. Likewise, companies say they want to participate in these initiatives, but find it hard to dedicate resources to open source funding when there isn't a clear ROI.
This talk discusses how the Open Source Program Office at Stripe built a scalable, sustainable open source sponsorship model that aligns internal company incentives with those of open source maintainers and the community at large. We go over the unique "platformization" of our OSPO that allowed us to create multiple funding models, such as BYOB (Bring Your Own Budget), and share lessons learned from this experience as well as other OSPOs.
Build Developer Experience Teams for Open Source (All Things Open)
Presented at All Things Open 2023
Presented by Arundeep Nagaraj - Amazon Web Services (AWS)
Title: Build Developer Experience Teams for Open Source
Abstract: Open Source has become the default strategy for many IT organizations and Enterprises. However, the constant challenge with Open Source leaders of these organizations has been -
How is my product's developer experience?
Is this the right metric to track?
How can I scale my team to support our products better?
How can I add automation to scale redundant workflows?
If my product involves working with developers, how can I scale to the complexity of the requests and reduce Engineering bandwidth?
The challenges of supporting open source products continue to magnify depending on the end user persona, whether they are consumers of or contributors to your product. Consumers utilize your product, SDKs and APIs and get blocked using them or run into issues, whereas contributors are advanced users of your software who understand the codebase well enough to provide a meaningful contribution back to the product.
The answer to the above is to treat Open Source support as a first-class citizen of your corporate support strategy. Employing the right level of developer-focused support, as opposed to traditional infrastructure-based support, is key to scaling to the number of developers using your product. Supporting customers in the open involves more than pure support: building customer / developer experiences (DX) in the open (across platforms and communities) that center on the ability of your product's users or developers to focus on the end-to-end value add. This helps with your active developer growth and retention of users.
Key Takeaways:
- IT leaders of Open Source will learn to employ strategies to build a DX team that engages on multiple platforms
- Work on identifying accurate metrics for product and organization
- Innovate on platforms such as Discord to build a bot and a dashboard
- Ability to leverage customer feedback and iterate over the customer success flywheel
- Distinguish between DX and Developer Advocacy (DA)
Presented at All Things Open 2023
Presented by Danny McCormick - Google
Title: Deploying Models at Scale with Apache Beam
Abstract: Apache Beam is an open source tool for building distributed scalable data pipelines. This talk will explore how Beam can be used to perform common machine learning tasks, with a heavy focus on running inference at scale. The talk will include a demo component showing how Beam can be used to deploy and update models efficiently on both CPUs and GPUs for inference workloads.
An attendee can expect to leave this talk with a high level understanding of Beam, the challenges of deploying models at scale, and the ability to use Beam to easily parallelize their inference workloads.
Sudo - Giving access while staying in control (All Things Open)
Presented at All Things Open 2023
Presented by Peter Czanik - One Identity
Title: Sudo - Giving access while staying in control
Abstract: Sudo is used by millions to control and log administrator access to systems, but when only the default configuration is used, there are plenty of blind spots. Using the latest features in sudo lets you watch some of these previously blind spots and control access to them. Here are four major new features, which arrived since the 1.9.0 release, allowing you to see your blind spots:
- configuring a working directory or chroot within sudo often makes full shell access redundant
- JSON-formatted logs give you more details on events and are easier to act on
- relays in sudo_logsrvd make session recording collection more secure and reliable
- you can log and control sub-commands executed by the command run through sudo
Let us take a closer look at each of these.
Previously, there were quite a few situations where you had to give users full shell access through sudo. Typical examples include when you need to run a command from a given directory, or running commands in a chroot environment. You can now configure the working directory or the chroot directory and give access only to the command the user really needs.
Logging is a central role of sudo, to see who did what on the system. Using JSON-formatted log messages gives you even more information about events. What is even more: structured logs are easier to act on. Setting up alerting for suspicious events is much easier when you have a single parser to configure for any kind of sudo logs. You can collect sudo logs not only by local syslog, but also by using sudo_logsrvd, the same application used to collect session recordings.
Speaking of session recordings: instead of using a single central server, you can now have multiple levels of sudo_logsrvd relays between the client and the final destination. This allows session collection even if the central server is unavailable, providing you with additional security. It also makes your network configuration simpler.
Finally, you can log sub-commands executed from the command started through sudo. You can see commands started from a shell. No more unnoticed shell access from text editors. Best of all: you can also intercept sub-commands.
These are just a few of the most prominent features helping you to watch and control previous blind spots on your systems. See these and other possibilities in action in some live demos during our presentation.
Fortifying the Future: Tackling Security Challenges in AI/ML Applications (All Things Open)
Presented at All Things Open 2023
Presented by Christine Abernathy - F5, Inc.
Title: Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Abstract: As Artificial Intelligence (AI) and Machine Learning (ML) applications continue to surge, it is crucial to be aware of and address the security risks associated with these technologies. In this talk, Christine will explore AI/ML failure modes, threats, and mitigation strategies. She will guide you through the fundamentals of ML models then introduce you to key security challenges such as adversarial attacks, data poisoning, model inversion, model stealing, and membership inference attacks, using real-world examples to demonstrate their potential impact.
Christine will also discuss privacy and ethical considerations in ML, touching upon techniques like federated learning and shedding light on the current regulatory landscape surrounding security risks. If you are developing AI/ML applications or incorporating AI/ML components into your technology stack, check out this talk. You will walk away with a deeper understanding of the current AI/ML security landscape and a toolkit to help you address these risks, enabling you to build safer, more secure, and privacy-aware applications.
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov... (All Things Open)
Presented at All Things Open 2023
Presented by Carlos Santana - AWS
Title: Securing Cloud Resources Deployed with Control Planes on Kubernetes using Governance and Policy as Code
Abstract: Are you concerned about the security of your cloud resources deployed on Kubernetes? Are you struggling to ensure compliance with regulatory requirements while managing your cloud infrastructure? If yes, then this talk is for you!
We will discuss how to secure cloud resources deployed with Crossplane on Kubernetes using Governance and Policy as Code. We will explore how to leverage Governance and Policy as Code tools like Rego, Kyverno, and OPA to ensure security and compliance.
By the end of this talk, you will have a better understanding of the challenges associated with securing cloud resources deployed with Crossplane or ACK on Kubernetes, the importance of Governance and Policy as Code in ensuring security and compliance, and why it is critical to use open source and open standards in these technologies.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder - active learning and UiPath LLMs for do... (UiPathCommunity)
Speed, accuracy, and scaling - discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing - with little to no training required
Get an exclusive demo of the new family of UiPath LLMs - GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
Andras Palfi, Senior Product Manager, UiPath
Lenka Dulovicova, Product Program Manager, UiPath
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more "mechanical" approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
Â
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
Â
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties â USA
Expansion of bot farms â how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks â Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Â
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Â
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But thereâs more:
In a second workflow supporting the same use case, youâll see:
Your campaign sent to target colleagues for approval
If the âApproveâ button is clicked, a Jira/Zendesk ticket is created for the marketing design team
Butâif the âRejectâ button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
Â
Open Source Licensing: Types, Strategies and Compliance
1. OPEN SOURCE LICENSING: TYPES, STRATEGIES AND COMPLIANCE
Jeff Luszcz
@JeffLuszcz
https://ZebraCatZebra.com
This work is licensed under the Creative Commons Attribution 3.0 United States License.
2. A LITTLE ABOUT ME: JEFF LUSZCZ
• Founded Palamida in 2004, one of the first scanning tools to manage FOSS
• Designed a compliance audit program and built out a Professional Services team to implement it
• Team helped with everything from basic compliance to M&A due diligence and open source project hygiene
• Worked with groups ranging from sole proprietors to the largest software companies in the world
• Witnessed the industry move from dozens of OSS packages to 1000s of packages per application
3. TODAY'S AGENDA
Open Source Licenses
• Why do we have open source licenses?
• Open Source License History
• Types of Open Source Licenses
• Common Obligations
Compliance
• Notices
• What are others doing?
• Business Models
• M&A
• OSS Releases
• Hot Topics
Security
• CVEs and Vulnerabilities
• Fixing Vulnerabilities
• Customer Expectations
• Scanning and Tooling
Best Practices
• Working with Suppliers
• Becoming Compliant
• Education
• Remediation
• Scanning Tools
• Open Chain
• Future Thoughts
4. WHY DO WE NEED OPEN SOURCE LICENSES?
Copyright law means that authors control their work (software).
You need explicit permission to use someone else's work.
An author gives others permission using a license.
A Commercial license typically gives permission for money.
An Open Source License gives permission as long as certain obligations are fulfilled.
A license is a legal agreement which may be difficult to understand....
So we re-use COMMON open source licenses to make software re-use easier!
5. THERE IS A SPECTRUM OF OBLIGATIONS
None → Disclaim → Notices → Weak Copyleft → Copyleft → Network Copyleft → Business Model Restrictions
A license may require one or more obligations.
Some obligations are easier to comply with than others.
6. WHAT IS A LICENSE OBLIGATION?
Obligation | AKA | Description
Pay Money | Commercial | Pay money to use
Share Source Code | Copyleft / Viral | Bundle or share source code if used
Share Credit | Attribution / Notices | Requires copyright or notice to be shown in About Box / Documentation / Webpage / Source Code
Share Patents | Patent Grant | Provide free use of patents required to use software
No Patent Lawsuits | Patent Retaliation Clause | Removes patent rights if user sues for patent infringement
Restriction on Use | | Prevent use by certain industries / companies / governments / military (e.g. military, nuclear power plant, aviation, companies, countries, business partners)
Vanity License Obligation | | Requires some non-traditional action (e.g. "Buy me a beer if this helps you", "Do no evil", "Get vaccinated")
8. A HISTORY OF OPEN SOURCE LICENSING ERAS
Workstations and Desktops
• 1985 X11/MIT license
• 1988 GPL licenses for Emacs/Bison/etc.
• 1988 BSD license
• 1989 GPL v1
• 1991 GPL v2 / LGPL v2
• 1995 Apache 1.0
• 2000 Apache 1.1
Corporate & Internet
• 2002 Affero GPL v1
• 2004 Apache 2.0
• 2007 GPL v3 / LGPL v3 / Affero GPL v3
Cloud Era
• 2018 Commons Clause
• 2018 Server Side Public License
• ????
9. TWO (ORIGINAL) STYLES OF OSS LICENSES
"Permissive" (sometimes called Attribution or Notice) licenses
Require preserving or supplying copyright notices and/or license text
Copyleft (sometimes called Reciprocal or Viral) licenses
Require supplying some or all of the source code of a program under certain conditions
11. NOTICES
Many open source licenses require copyright statements and/or license text to be preserved and passed along to the end user.
These notices are often found in:
• About Box
• Legal Info menu
• Documentation
12. COPYLEFT / RECIPROCAL / VIRAL LICENSES
Copyleft (sometimes called Reciprocal or Viral) Licenses
Lesser General Public License (LGPL)
Requires supplying source for all code from the LGPL module if distributing a program using an LGPL module
General Public License (GPL)
Requires supplying source for all linked code if distributing a program
Affero General Public License (AGPL)
Requires supplying source code if using a modified network application under the AGPL
13. LESSER GENERAL PUBLIC LICENSE (LGPL)
The LGPL is a Weak Copyleft license.
Only the source from the LGPL module needs to be shared.
The LGPL does have some linking requirements which complicate this obligation.
The module should be dynamically linked, though there are some other complex ways to comply.
14. GENERAL PUBLIC LICENSE (GPL)
The GPL is a Strong Copyleft license.
The entire program's source needs to be shared if the program is distributed.
15. AFFERO GENERAL PUBLIC LICENSE (AGPL)
The AGPL is a Network Copyleft license.
This means the entire program's source needs to be shared if access is given over a network (e.g. Software as a Service).
This license was designed to close the "ASP Loophole" in the GPL.
16. COMMON COPYLEFT/VIRAL LICENSES
Strong Copyleft:
• Affero General Public License (AGPL)
• General Public License (GPL)
• Sleepycat
• Creative Commons-Share Alike (CC-SA) - often used with Stack Overflow code samples!
Weak Copyleft:
• Lesser General Public License (LGPL)
• Eclipse Public License (EPL)
17. CORRESPONDING SOURCE CODE BUNDLE
Copyleft style licenses require some or all of your source code to be shared.
This is commonly through an included source bundle (e.g. tarball or source zip) or a written offer.
Download links to source code are often provided but may not be sufficient.
It is important that the Corresponding Source is provided; this could include build scripts, makefiles, etc... in addition to the source code.
18. POST AGPL NON-OSS LICENSES: COMMONS CLAUSE, SERVER SIDE PUBLIC LICENSE
The AGPL attempted to close what was perceived as a loophole for OSS license obligations for Cloud applications.
Some companies are building applications / databases and seeing others make money off of selling access or hosting to those same applications.
The Commons Clause, Server Side Public License and other similar licenses put restrictions on certain business cases such as hosting builds of the original software.
These are not OSS licenses, but are often mentioned in similar contexts.
Often seen around Open Core projects!
19. WALKTHROUGH A COMMON LICENSE (BSD)
Copyright <YEAR> <COPYRIGHT HOLDER>
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20. WALKTHROUGH A COMMON LICENSE (BSD), ANNOTATED
The parts of the BSD text shown on the previous slide, in order:
• Copyright statement
• Redistribution and use permission
• Retain copyright notice in source
• Retain copyright notice and license in binaries
• Non-endorsement clause
• Disclaimer
21. PATENT RELATED OBLIGATIONS
Certain licenses imply or explicitly require patent grants / permissions for contributions
e.g. Apache 2.0 and the Mozilla Public License 2.0
Others forbid patent infringement suits via a Retaliation clause (license terminates!)
e.g. Apache 2.0 and the Mozilla Public License 2.0
Some OSS packages may require a separate Patent license to be paid to use legally
Especially common for Audio and Video Codecs!
22. DUAL LICENSING
It is common to see a software package licensed under multiple licenses (e.g. "GPL v3 or Commercial")
Two common reasons:
1) As a business model forcing function ("scary" vs "friendly")
Often (GPL or Commercial) or (AGPL or Commercial)
2) To allow a certain OSS community to use a library with no license conflicts
This is why you'll see so many older "GPL or MIT" or "MPL 1.1/GPL 2.0/LGPL 2.1" licenses
23. DUAL LICENSING EXAMPLES
MySQL: GPL v2 or Commercial
MongoDB: Server Side Public License (SSPL) or Commercial
iText: AGPL or Commercial
wolfSSL: GPL v2 or Commercial
Older versions of jQuery were GPL or MIT, now it's simply MIT
24. LICENSE VERSIONS
As time goes on, OSS licenses may be updated
These changes are denoted with version number or name changes
Most common examples are the
• General Public License v1, v2 and v3
• Apache Software License v1, v1.1 and v2.0
• BSD (0 clause, 1 clause, 2 clause, 3 clause)
Some licenses have many variants, but NO difference in their names
Most common example of this is the MIT license which has at least 23 variants!
• See https://fedoraproject.org/wiki/Licensing:MIT
25. DISTRIBUTION / WHEN DO I NEED TO CARE?
Many open source licenses ONLY come into effect when software is distributed
This might be as a downloaded application, App, Container or on a Device
26. DISTRIBUTION USE CASES
Products (or modules of products) can be used and distributed in many ways:
• Internal Use
• Binary / EXE delivered to end user
• Container based
• Mobile applications
• Self-hosted Software as a Service (SaaS)
• SaaS pushed to "The Cloud!" (AWS, Azure, Google Cloud Platform)
• JavaScript files downloaded to local web browser as part of SaaS app
• "Private" cloud version for Marquee customer
Distribution models affect OSS License obligations!
27. WHAT LOOKS LIKE OSS BUT ISN'T!
Code marked "For Non-commercial use" (aka NC)
Freeware
Click-through EULAs
One-off licenses
"All Rights Reserved"
Code with no declared license
31. LET'S TALK ABOUT THE PUBLIC DOMAIN
Has a legal meaning, but often used as "Magic words" when discussing licensing
These words are often misused by developers when releasing software
"This code is licensed to the public domain under the GPL license" (NO!)
Or
"This code is Public Domain" when they mean "It's Open Source"
Some countries do not recognize the "Public Domain"
Creative Commons Zero (aka CC0) has been created to give similar permissions
32. WHEN DON'T WE KNOW ENOUGH?
Something is licensed under a "Creative Commons license"! (CC is a family of licenses; if something is CC-licensed you need to know more)
"The Code is on Github" (What is its license?)
I got the code from our supplier / Part of an SDK (Is it OSS or Commercial?)
We bought a license! (When does it expire?)
33. HOW HAS OSS USE CHANGED OVER THE YEARS?
2020 MEAN / Microservices [5000 components]
2010 Cloud / PaaS [500 components]
2000 LAMP [… components]
34. HOW DO YOU GET OPEN SOURCE?
Using a repository manager like Maven, NPM, pip, etc...
Direct download of source archive from web
Some magic shell script!
Cut and Paste of snippets
Copied from a Pastebin / Gist
Download from a Content Delivery Network (CDN)
Bundled with other projects (OSS and Commercial!)
As part of your infrastructure (OS, DB, etc...)
From a vendor / supplier
35. WHAT IS THE SOFTWARE SUPPLY CHAIN?
The Software Supply Chain is similar to the physical product supply chain
Often contains hundreds of suppliers (thousands in the case of Automotive products!)
Has layers of complexity and layers of suppliers.
Mixture of OSS, Commercial and "free"
Contains software components, tool chains and documentation
You may have no access to or contact with many of your suppliers
You may not even know who they are!
36. OPEN SOURCE LICENSE POLICIES
https://opensource.google/docs/thirdparty/licenses/
Not all licenses are appropriate for your use case
Open Source License Policies are how you can define what licenses are acceptable for your organization or product.
Often based on distribution model
It is important to make a clear license policy and have all developers understand what is expected.
Need to be updated periodically
It is VERY expensive to rip out unacceptable
40. OSS SECURITY: WHAT IS A CVE?
All software has bugs; some are well known and even have names and webpages!
The CVE list is a list of public software vulnerabilities (OSS and Commercial)
https://cve.mitre.org
Each defect is given a number, e.g. CVE-2020-0001 (label-year-id)
MANY other security defects don't get this level of visibility. They live in the project defect tracker, are not named, and are hard to identify.
42. OSS SECURITY: FIXING VULNERABILITIES
One big danger with OSS vulnerabilities is that attacks can be scripted and attempted across multiple applications. They don't have to be targeted.
Components "age like milk, not like wine": they have vulnerabilities found over time
The simple fix for OSS vulnerabilities is to upgrade to the latest "safe" release
This may close the security issue, but may introduce others:
• License Changes
• Incompatibility
• Unwanted features / memory bloat / etc...
Blocking attacks through turning off features, firewall rules or shim layers can buy time
You need to have a plan!
43. OSS SECURITY: CUSTOMER VISIBILITY OF VULNERABILITIES
Customers (and potential customers) often will run your product through a series of scanners or security teams
DAST (Dynamic Application Security Testing) is used to discover common defects in a running application. Often identifies SQL injection and cross site scripting issues.
SCA (Software Composition Analysis) discovers OSS components and associates them with known vulnerabilities (like CVEs, etc..)
Human teams are used to examine the architecture, passwords at rest, APIs etc...
They will expect you to fix the most egregious issues.
They will make OSS disclosures part of the contract
RED flags will make them walk away!
44. REMEDIATION ($500 WORD MEANING FIX!)
It's always better to build OSS management into new products
Fixing an existing product is often difficult and expensive (but so is doing nothing)
Legal concerns sometimes get in the way of technical analyses
Oddball licenses lead to large legal bills
GPL violations can be very expensive to fix
Commercial violations can be VERY VERY expensive to fix
Your suppliers don't have to respect YOUR timetables (and often can't)
45. BEST PRACTICES: WORKING WITH SUPPLIERS
Try to select vendors who:
• Can provide a current Bill of Materials
• Are OpenChain certified
• Have a service level agreement (SLA) for security fixes / alerts
• Are willing to make these contract terms
Do validation tests on code from vendors using SCA & DAST tools where possible
Remember: The Buck stops with you
46. HOW TO BECOME COMPLIANT
Build a team of OSS Experts
Create a Bill of Materials (BOM - pronounced like bomb)
Generate SPDX reports
Education (e.g. Linux Foundation IP and licensing courses)
Become OpenChain conformant
48. BEST PRACTICES: EDUCATION
Software developers lack training regarding licensing and security
OSS Policies are missing, neglected or impossible to find
Legal can be scared to look for problems
Cost to fix goes up with every layer built upon a mistake
Discovering problems at "Sales time" becomes a red alert and can destroy roadmaps and deals
No excuse not to have EVERYONE get basic training; good free training exists:
https://training.linuxfoundation.org/training/open-source-licensing-basics-for-software-developers/
49. REMEDIATION STRATEGIES
A fancy word for fixing!
Rewind: remove a feature to resolve IP problem
Replace: rewrite code to remove and resolve an IP problem
Resolve: pay money or request new licensing
You will sometimes hear the term "shim" used to represent a piece of code whose job it is to provide a firewall between commercial and GPL code
50. OSS IN MERGERS AND ACQUISITIONS
If you are buying or selling a company it is very common to perform OSS Due Diligence using a third party expert
This typically involves:
• Sell side providing "Disclosures" of the OSS they depend on
• Sell side providing access to source code to the independent third party
• Buy side may respond with a list of requested Remediations
• Buy side may require financial hold backs due to IP risk
Time frame for this is typically 2 weeks for first report, a few more weeks for remediation
51. RELEASING SOMETHING UNDER AN OSS LICENSE
Pick a license that works for your use case
Remove commercial code (as necessary)
Review use and license of multimedia, images, fonts, sounds, etc..
Review OSS usage and compliance with selected license
Review of Source Code Snippets may be warranted!
Remediate OSS as necessary, sometimes this means changing YOUR license
Generate License Notices
Decide on a Contributor Licensing Agreement, Developer Certificate of Origin and/or Code of Conduct, etc...
52. WHY DO YOU NEED AUTOMATED SCANNING?
For most systems we're now using hundreds to thousands of components, far more than any human can be intimately familiar with.
Dunbar's Number (pick one!) tells us a lot about humans' ability to keep track of things!
"You" can manage 50 components
"We" can manage 500
"WHO" can manage 5000?
53. BENEFITS OF SOFTWARE COMPOSITION ANALYSIS (SCA) SCAN TOOLS
Allows for the automation of discovery of OSS components, esp. those brought in by repository manager tools like Maven or NPM
Allows license policy to be set, enforced and modified
Allows vulnerability policy to be set, enforced and modified
Allows easy creation of up to date Bill of Materials (BOM) reports
Allows for alerting on security or license policy problems
55. HOW DOES SCA FIND THIRD PARTY CODE?
Repository Artifacts (maven, npm, pip, etc..)
License Text
Copyright Statements
Exact Files (sha1, md5)
Source Code Fingerprints
56. SOURCE CODE FINGERPRINTS / SNIPPETS
Pros:
Fingerprints allow for the detection of cut and pasted code
Can discover "License Laundering"
Cons:
Can require expert analysis to confirm code origin
Lots of work
"False positives" - though this is sometimes an excuse not to do the real analysis
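The detection signals of slide 55 and the snippet trade-off of slide 56, as an added example that is not code from the talk: a toy SCA pass over a constructed file tree that reads package.json dependencies, looks for license phrases and copyright statements, matches whole files by sha1/md5 against a constructed knowledge base, and fingerprints normalized k-line hashes to catch a pasted-in function that an exact-file match misses; the findings are then checked against a constructed distribution-model license policy (slide 36). Every path, component name, license phrase table and policy entry here is an assumption made up for the example.

```python
import hashlib
import json
import re

# Constructed sample repository tree (path -> contents); not from any real project.
SCAN_TREE = {
    "package.json": json.dumps({"name": "demo-app",
                                "dependencies": {"left-pad": "1.3.0", "lodash": "4.17.15"}}),
    "vendor/tiny.js": "/* Copyright (c) 2015 Example Author */\n"
                      "module.exports = function tiny(x) {\n  return x + 1;\n};\n",
    "vendor/LICENSE.tiny": "Permission is hereby granted, free of charge, to any person "
                           "obtaining a copy of this software and associated files...",
    # own code with a pasted-in function: not an exact-file match, but a snippet match
    "src/util.py": "def scale(v):\n    total = 0\n    for x in v:\n        total += x * 2\n"
                   "    return total\n\n\ndef own_code():\n    return 42\n",
}
# Constructed knowledge base: component -> (license, reference source). A real SCA
# vendor curates millions of these; two are enough to exercise every signal.
REFERENCE = {
    "tiny-js@1.0.0": ("MIT", "/* Copyright (c) 2015 Example Author */\n"
                             "module.exports = function tiny(x) {\n  return x + 1;\n};\n"),
    "scalelib@2.1": ("GPL-2.0", "# scalelib\ndef scale(v):\n    total = 0\n    for x in v:\n"
                                "        total += x * 2\n    return total\n"),
}
# Distinctive phrases from well-known license texts (signal: license text).
LICENSE_PHRASES = {"MIT": "permission is hereby granted, free of charge",
                   "BSD-3-Clause": "redistributions of source code must retain the above",
                   "GPL": "gnu general public license"}
COPYRIGHT_RE = re.compile(r"copyright\s*(?:\(c\)|©)?\s*\d{4}", re.IGNORECASE)  # signal: copyright
# Constructed license policy keyed by distribution model (slide 36): licenses whose
# obligations that model cannot meet.
POLICY = {"internal": set(), "saas": {"AGPL-3.0"}, "binary": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}}


def normalize_lines(text):
    """Drop whitespace and comment-only lines so reformatting does not defeat a match."""
    stripped = (re.sub(r"\s+", "", line) for line in text.splitlines())
    return [s for s in stripped if s and not s.startswith(("#", "//", "/*", "*"))]


def kgram_hashes(text, k=3):
    """Signal: source fingerprint = hashes of every k consecutive normalized lines."""
    lines = normalize_lines(text)
    return {hashlib.sha1("\n".join(lines[i:i + k]).encode()).hexdigest()
            for i in range(len(lines) - k + 1)}


def build_index(reference):
    """Exact-file index (signal: sha1/md5 of whole files) plus per-component fingerprints."""
    exact, fingerprints = {}, {}
    for comp, (_lic, src) in reference.items():
        exact[hashlib.sha1(src.encode()).hexdigest()] = comp
        exact[hashlib.md5(src.encode()).hexdigest()] = comp
        fingerprints[comp] = kgram_hashes(src)
    return exact, fingerprints


def scan(tree, reference, min_shared=2):
    """Return (path, signal, detail) findings for every file in the tree."""
    exact, fingerprints = build_index(reference)
    findings = []
    for path, content in tree.items():
        if path.endswith("package.json"):  # signal: repository artifacts
            for name, ver in json.loads(content).get("dependencies", {}).items():
                findings.append((path, "repository-artifact", f"{name}@{ver}"))
        for lic, phrase in LICENSE_PHRASES.items():
            if phrase in content.lower():
                findings.append((path, "license-text", lic))
        for m in COPYRIGHT_RE.finditer(content):
            findings.append((path, "copyright", m.group(0)))
        comp = exact.get(hashlib.sha1(content.encode()).hexdigest())
        if comp:
            findings.append((path, "exact-file", comp))
            continue  # whole file is a known component; no snippet analysis needed
        file_fp = kgram_hashes(content)
        for comp, ref_fp in fingerprints.items():
            shared = len(file_fp & ref_fp)
            if shared >= min_shared:  # partial copy: the case that needs expert review
                findings.append((path, "snippet", f"{comp} ({shared} shared k-grams)"))
    return findings


def policy_violations(findings, reference, distribution):
    """Detected components whose license the chosen distribution model does not allow."""
    out = []
    for path, kind, detail in findings:
        if kind in ("exact-file", "snippet"):
            comp = detail.split(" ")[0]
            if reference[comp][0] in POLICY[distribution]:
                out.append((path, comp, reference[comp][0]))
    return out


if __name__ == "__main__":
    results = scan(SCAN_TREE, REFERENCE)
    print(*results, policy_violations(results, REFERENCE, "binary"), sep="\n")
```

The pasted GPL function in src/util.py is invisible to the exact-file check and to the package manifest, which is why slide 56 calls snippet analysis both valuable and expensive.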
57. SAST / DAST TOOLS
SAST and DAST tools are used to discover new defects in source code
SCA is used to find your BOM and known vulnerabilities
Tools can be run locally or on hosted repositories
GitHub and GitLab (and others) are pushing security integrations heavily
https://www.theregister.com/2020/10/06/gitlab_scans_customer_code_finds/
Often best results when used on your proprietary code, due to the difficulty of resolving other people's code defects in OSS
You may want to run SAST/DAST on very small or orphaned projects
59. COMPLIANCE BEST PRACTICES
• Use a Software Composition Analysis (SCA) scan tool or tools to build your BOM
• Automatically generate License reports and NOTICES files
• Create Source bundles (e.g. tarballs) of copyleft licensed code (GPL, LGPL, etc..)
• Track Commercial libraries and dependencies, keep track of payments / EULAs
• Track webservices
• Track changes to OSS source files, mark them appropriately
• Check patent issues esp. when dealing with codecs
• Review Vulnerability Reports / CVEs
• Run SAST/DAST
• Keep this current!
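Slides 46 and 59 call for SPDX reports, NOTICES files and source bundles for copyleft code; this added Python example (not code from the talk) takes a constructed BOM and emits a minimal SPDX 2.2 tag-value document and a NOTICES file, lists the components whose license carries the corresponding-source obligation, and reports entries with no declared license or copyright. The component names, copyright lines, tool name and document namespace are placeholders.

```python
import datetime
import re

# Constructed BOM for a hypothetical product; names and copyright lines are placeholders.
BOM = [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT",
     "copyright": "Copyright (c) 2014 Example Maintainer"},
    {"name": "libfoo", "version": "2.4.1", "license": "LGPL-2.1-only",
     "copyright": "Copyright (C) 2009 Foo Project Contributors"},
    {"name": "widget-tools", "version": "0.9", "license": "GPL-2.0-only",
     "copyright": "Copyright 2011 Example Author"},
    {"name": "mystery-lib", "version": "1.0", "license": "", "copyright": ""},  # slide 27 case
]
# SPDX identifiers of the copyleft licenses the talk names (slides 12-16): these carry
# the corresponding-source obligation of slide 17.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only",
            "AGPL-3.0-only", "EPL-2.0"}


def spdx_ref(name):
    """SPDX element IDs may contain only letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def validate_bom(bom):
    """Gaps that block a NOTICES file or SPDX report: missing license or copyright text."""
    problems = []
    for e in bom:
        if not e["license"]:
            problems.append((e["name"], "no declared license: not OSS until proven otherwise"))
        if not e["copyright"]:
            problems.append((e["name"], "no copyright statement to carry into NOTICES"))
    return problems


def source_bundle_needed(bom):
    """Components whose copyleft license requires shipping a corresponding-source bundle."""
    return [e["name"] for e in bom if e["license"] in COPYLEFT]


def notices_file(bom, product):
    """Attribution text for the About box / Legal Info menu / documentation (slide 11)."""
    lines = [f"{product} includes the following third-party software:", ""]
    for e in bom:
        lines += [f"{e['name']} {e['version']}",
                  f"  License: {e['license'] or 'NOASSERTION'}",
                  f"  {e['copyright'] or 'NOASSERTION'}", ""]
    return "\n".join(lines)


def spdx_tag_value(bom, product, created):
    """Minimal SPDX 2.2 tag-value document listing the product's packages."""
    doc = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {product}",
           f"DocumentNamespace: https://example.invalid/spdx/{product}",  # placeholder URI
           "Creator: Tool: bom-report-example", f"Created: {created}", ""]
    for e in bom:
        ref, lic = spdx_ref(e["name"]), e["license"] or "NOASSERTION"
        doc += [f"PackageName: {e['name']}", f"SPDXID: {ref}",
                f"PackageVersion: {e['version']}", "PackageDownloadLocation: NOASSERTION",
                "FilesAnalyzed: false", f"PackageLicenseConcluded: {lic}",
                f"PackageLicenseDeclared: {lic}",
                f"PackageCopyrightText: {e['copyright'] or 'NOASSERTION'}",
                f"Relationship: SPDXRef-DOCUMENT DESCRIBES {ref}", ""]
    return "\n".join(doc)


if __name__ == "__main__":
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(spdx_tag_value(BOM, "demo-product", stamp))
    print(notices_file(BOM, "demo-product"))
    print("source bundles needed:", source_bundle_needed(BOM))
    print("BOM gaps:", validate_bom(BOM))
```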
60. THINGS LEARNED ALONG THE WAY
Compliance is still a personality driven process
• When influencers leave, a company's compliance process often falls apart
• Bus Factor <= 1 at many companies
Experience levels vary greatly across the industry
BOM Inventory depends on who performed it or what process was followed.
Same project could report 10 or 1000 libraries depending on tool or person.
Analysis Paralysis is a double edged sword
• Initial reviews lead to either NO further reviews or FAR MORE reviews
Remediation is an ART not a Science
61. WHAT IS HARD FOR COMPANIES?
New code is valued over "maintenance" and few dev cycles are earmarked for compliance*
• (*outside of post M&A work)
Top level package licenses can be managed but inner-package licensing is difficult to understand
The typical BOM undercounts by 99%!
Each layer (build, dev, deployed) is managed by different teams who are all scared to call the lawyers
"Here be dragons" issues like old code with non-standard licenses from dead people
62. WHAT'S ON THE HORIZON
The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets
The build environment and tool chain are being ignored by compliance teams at the same time that targeted Supply Chain Attacks are increasing
We need to start requiring accurate BOMs in contracts with real teeth
"Internal Audit" is waking up to OSS issues
Pressure building for new FOSS licenses / models, especially in the database space
The history of licensing is very interesting
Licenses really reflect the time they are created in and are designed to solve that era's problems. In the mid 80s to early 90s the pressure around Unix and desktop workstations came to a head.
Two philosophies came out of this pressure. The first philosophy was of giving credit and the second philosophy was of giving source.
MEAN = MongoDB, ExpressJS, AngularJS and Node
PaaS = Platform as a Service, AWS, etc.
LAMP = Linux, Apache, MySQL, PHP
In terms of maturity: we don't have this problem with financial compliance
Experience impacts trust
Still at the mercy of the right person being in the right place at the right time, affects the trustworthiness of a company
Analysis paralysis: can lead to either ignoring the problem and pushing off compliance OR calling in the experts to fix things ASAP
If we did a scan and everything was MIT or Apache 2.0 no one would have problems deciding to run a scan
In 2019 we are still not scheduling time for compliance
Old code with non-standard licenses from dead people: this is a problem with some of our core infrastructure that I hope projects like ClearlyDefined or similar can help fix
We all probably have "That File" or "That Package" we wish could get cleared up
There are holes in what we are monitoring. The build environment. I'm very concerned about this
I'm still amazed that the level of quality in BOMs produced by companies is so large.
The company with the better BOM can sometimes be penalized and that's just wrong.
In my interactions with companies who are not on the OpenChain calls, there is growing awareness. They are happy to see this, even if they don't feel they can offer any help.