Audience Level Intermediate Synopsis Today’s fast-paced development environment has changed the compliance landscape. Many software projects consist of more than 50% Open Source Software (OSS) components, but as much as 99% are undocumented, increasing the complexities of managing your company’s software compliance process. Of particular concern is “Zombie software”, or software that is outdated and contains vulnerable versions of certain components. Zombies can live in your code forever if you’re not aware of them. The acceleration of modern development lifecycles and the breakdown of an undocumented software supply chain have opened up new pathways for zombies to enter your software – leaving you exposed to security threats. This presentation discusses best practices for implementing an Open Source Software management strategy that covers common pitfalls and commercial licence issues as well as the optimal way to track and eliminate the risks associated with Zombies! Speaker Bio: Involved in and around IT development for over 20 years, starting as a web developer using NotePad in 1995 when the most exciting thing online was Sun’s animated Java coffee cup, through Numega Pre-Sales selling BoundsChecker and now into the brave, new World of Open Source and software composition analysis.

1. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential1
Attack of the Code Zombies II - The Lawyers’ Revenge
Peter Rowe
prowe@flexerasoftware.com
@SLO_Djinn

2. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential2
Disclaimer!
IANYL; // I am not _your_ lawyer;
IANYP; // I am not _your_ programmer;
Today’s session provides an introduction to managing Open Source Compliance and Vulnerabilities….
…But only your lawyers can tell you what you need to do!

3. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential3
Disclaimer!
IANYL; // I am not _your_ lawyer;
IANYP; // I am not _your_ programmer;
Today’s session provides an introduction to managing Open Source Compliance
and Vulnerabilities….
…But only your lawyers can tell you what you need to do!

4. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential4
Your Product Lives in a Deep Stack of OSS and Oh?$$
Web Services

5. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential5
A Typical Application is 50% Open Source
OSS Code You DON’T
Know About
Code You Wrote
OSS Code You DO Know About (2%)

6. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential6
Managing Vulnerabilities & Managing Compliance
Code Zombies Lawyers?

7. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential7
Managing Vulnerabilities & Managing Compliance
Code Zombies Lawyers?

8. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential8
What is a Code Zombie?
A ‘Zombie’ is an Open Source Component that lives on long after it was
declared dead!
Other terms you will hear are:
• Component with known vulnerabilities
• Stale component
Versions of components that have had security vulnerabilities reported against
them, and patches or updated versions available that fix these problems!

9. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential9
We must be OK…. We’re using a static analysis tool.....?
Static analysis is typically not used in a way to find these types of
vulnerabilities.
Licencing models for these tools often discourage scanning of large open
source libraries.
The number of hits and false positives is prohibitive even if used to scan
everything.
Vulnerabilities are not always caught via static analysis.
Wasted effort for components with known vulnerabilities!

10. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential10
So what can you do?
Review OSS components at lower levels to confirm compliance
with the company’s OSS policies and detect Vulnerabilities
Results from these reviews are used to:
–Help make USE / DON’T USE decisions
–Drive internal remediation activities to fix problems
–Create bug reports for the upstream project

11. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential11
And What About the Lawyers?

12. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential12
Open Source – Your Obligations
Open Source is commonly confused with “Free” as in no cost software!
Open source may be Free of Cost, but is not Free of Obligations!
“Free as in speech, NOT as in beer”
Open Source licences have a list of obligations that users must follow in order
to legally use the open source library under that licence
Your Compliance actions depend on how you are using these OSS
components and most licences have Multiple Obligations

13. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential13
Copyright law (in many places) means that all source is explicitly copyright
EVEN if is not marked!
You have no right to use someone else’s code without permission.
Open Source (and commercial) licences are the way of giving permission to
use source code.
Lack of licence may indicate a lack of maturity
for the OSS project?
It is not Open Source if you don’t have a licence
Why do you Need and Open Source Licence?

14. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential14
So What Does Compliance Look Like?
• You provide copyright notices in your About Box, Documentation etc.
• You pass along licence text to your users.
• You provide the source code for GPL, LGPL modules etc.
• You mark changes in source files.
• You pay required Patent licensing.
• You pay for commercial libraries as needed.
• You respect web service SLAs.
• You do this for every release.

15. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential15
And Your Compliance Depends on the Delivery Method
Embedded Linux vs Application running on Linux
– Are you shipping Linux or are your users bringing their own
Client / Server
– Some parts hosted, some parts distributed
Mobile applications
– Classic distribution with some possible Appstore implications
Web / JavaScript front ends
– JavaScript, HTML, CSS sent to users’ browsers
xaaS vs shipping product (e.g. a distribution)
– Most OSS licences only come into effect upon Distribution!

16. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential16
What’s different about xaaS?
Traditionally software was distributed to end users through physical means
– Classic open source and commercial licences were written with this in mind.
Many open source licences only come into effect with classic distribution
– Concerns about the GPL and the “ASP loophole”
xaaS projects are not distributed in the classic way
but instead run on a network server
– Users come to the software instead of the software
coming to the users.

17. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential17
So just what is the Affero GPL (AGPL)
The AGPL was designed to close the ASP loophole by treating network access
as similar to a distribution.
The basic intent is to require source code for the entire application to be
offered to the end users!

18. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential18
Common AGPL-Style Libraries
The most common AGPL style libraries we see are:
• iText PDF generation library (dual licenced AGPL or commercial)
• MongoDB (Dual licence AGPL w/ exception or Commercial)
• Berkeley DB/Sleepycat (now AGPL or Commercial)
• Funambol (AGPL or Commercial)
• Ghostscript (now AGPL or Commercial)
• Noe4J (GPLv3/AGPL or commercial)
• Magento (OSL – similar to the AGPL)
Many of these are dual licenced with commercial options!

19. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential19
xAAS Compliance – Top Concerns
The AGPL is the classic concern for xaaS vendors….
… but there are other “AGPL like” licences that include:
• Common Public Attribution licence
http://en.wikipedia.org/wiki/Common_Public_Attribution_licence
• Open Software licence
http://en.wikipedia.org/wiki/Open_Software_licence
Plus, ALL the other licences the require review and compliance!

20. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential20
Other xAAS Compliance Issues
Images, Icons, Fonts and Sounds
JavaScript and CSS
Patent licences
Private Installations
And…

21. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential21
Images, Icons, Fonts and Sounds
JavaScript and CSS
Patent licences
Private Installations
Untracked Libraries with Vulnerabilities – Old versions of OSS libraries
Other xAAS Compliance Issues

22. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential22
So what can you do?
Review OSS components at lower levels to confirm compliance with the
company’s OSS policies and detect Vulnerabilities.
Important components are looked at from a declared licence and
discovered subcomponent analysis perspective.
The declared licence may be compliant but the component may have
unacceptable subcomponent licences.
Results from these reviews are used to:
–Help make USE / DON’T USE decisions.
–Drive internal remediation activities to fix problems.
–Create bug reports for the upstream project.

23. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential23
But…..How to get Developers to “Buy-In”?
Developers want to ship and often route around processes….
…. Especially if it’s not clear why the process exists?
• Attribution - “We should give credit where credit is due”
• Legal / Audit / Good Practice – “We are required to!”
• Quality / Security – “War stories”
• The Open Source Ethos – “Help those who help us”

24. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential24
Create a Process That Works for Your Organisation…
Steps for Implementing
an Open Source
Management System
Audit Existing
Code Against
Policy
Develop New
Code
Comply
Use OSS
Fix Issues Create Policy
Review OSS
Request
Request Use of
OSS

25. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential25
… And make it EASY, EFFICIENT and AUTOMATED!
Steps for Implementing
an Open Source
Management System
Audit Existing
Code Against
Policy
Develop New
Code
Comply
Use OSS
Fix Issues Create Policy
Review OSS
Request
Request Use of
OSS

26. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential26
And Specifically for
If you use Openstack, protect against vulnerabilities and IP concerns as you
build your products.
Analyse open source materials you may are submitting to Openstack.
Analyse modules you get from Openstack and Openstack partners to validate
IP and security checkpoints.

27. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential27
And if You Find Things You Should Not be Using….?
Remove and Re-Write.
Get new OSS components.
Contact the author and ask for a licence.
Wait and see!

28. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential28
Disclaimer!
IANYL; // I am not _your_ lawyer;
IANYP; // I am not _your_ programmer;
Today’s session provides an introduction to managing Open Source Compliance and Vulnerabilities….
…But only your lawyers can tell you what you need to do!

29. © 2017 Flexera Software LLC. All rights reserved. | Company Confidential29
But here are a few suggestions….
Come and talk to us…..
…. And possibly win a prize.
Email: prowe@flexerasoftware.com
Twitter: @SLO_Djinn
Flexera Website: https://goo.gl/ZA2ecI