Webinar recording available at the end of the slide deck.
Heather Meeker, partner at O'Melveny & Myers LLP, and Philippe Ombredanne, founder of nexB Inc., discussed the latest open source software identification tools available for use in your compliance process.
Agenda
- Key Elements of a Policy for use of OSS
- Overview of OSS Identification
- Survey of open source and commercial tools for OSS Identification
- Rightsizing your OSS Identification Process and Tools.
If you are interested in open source scanning and open source compliance products, please visit http://www.nexb.com/, see also https://www.youtube.com/user/DejaCode/ for other webinar recordings.
Managing Software Inventories & Automating Open Source Software Compliance (nexB Inc.)
Stephen Gillespie of Fenwick & West and Michael Herzog of nexB review the most common open source license obligations, highlight the challenges of fast paced component-based software development from a compliance angle and what you can do to better monitor this in your software inventories.
Open source software governance with DejaCode (nexB Inc.)
Dennis Clark, Product Manager, and Pierre Lapointe, Customer Care Manager, present DejaCode, nexB's product for Software Component License Management, including:
- How to implement effective policies for OSS license and component usage,
- How to set up efficient approval workflows for OSS license and component usage, and
- How to automate OSS Attribution Notice generation.
nexB - Software audit for product release (nexB Inc.)
As the use of open source software components grows across all industry supply chains, more customers are asking their suppliers to:
- Provide detailed information about the open source content of supplier products, and
- Proactively fulfill all attribution or software redistribution obligations associated with the open source components.
nexB offers a wide range of professional services to help software organizations identify and comply with software license obligations for open source and other third-party components. See http://www.nexb.com/services.html
Introduction to Free and Open Source Software (FOSS) Licenses by nexB.
You can see a list of the most popular FOSS licenses in DejaCode; visit us at https://enterprise.dejacode.com/landing/
Managing Open Source Software License Compliance with DejaCode (nexB Inc.)
DejaCode is software from nexB that helps companies manage open source license compliance. It allows importing software component data from various sources, organizing data by product, and automating compliance with open source obligations. Key features include a product portfolio to record software inventories, a component catalog of third-party software, and a license library. DejaCode can be accessed as a cloud-based service or installed on-premises. nexB also offers identification services to scan source code and generate a bill of materials listing all open source components.
Attendees discovered how to set up Open Source Governance using nexB's DejaCode, including:
- How to implement effective policies for OSS license and component usage,
- How to set up efficient approval workflows for OSS license and component usage, and
- How to automate OSS Attribution Notice generation.
Software audit for acquisition due diligence with nexB (nexB Inc.)
When you consider acquiring a company, you need to know about any software licensing risks associated with its open source software products and how to mitigate them.
nexB is a trusted third party who can quickly analyze products of any size and technology to support your acquisition due diligence process. We provide a turnkey service that minimizes the impact on both Buyer and Seller while you are both very busy with other activities.
nexB software audits provide you with a comprehensive and actionable report of software IP issues supported by a detailed software inventory at the component and file level. We can tailor the depth of analysis to fit your concerns and schedule.
For more information, please visit http://www.nexb.com/acquisition_due_diligence_audit.html.
nexB: Software Audit for Acquisition Due Diligence (nexB Inc.)
This document provides an overview of a software audit process conducted by nexB for acquisition due diligence. It discusses nexB's experience and services, common license violation risks found in audits, the audit process including preparation, analysis, review and reporting, tools used, reasons to choose nexB, and lessons learned from past acquisitions.
How to Manage Open Source requirements with AboutCode (nexB Inc.)
Presentation from nexB Inc. by Dennis Clark, Product Manager, and Pierre Lapointe, Customer Care Manager.
Attendees discovered how to manage open source (and third-party) software license requirements in their products with AboutCode, nexB's open source project available on GitHub.
The presentation included:
- How to document provenance (origin and license) and other important information about software components inside a codebase,
- How to automate OSS Attribution Notice generation.
More information on http://www.aboutcode.org/.
Managing Open Source Software in the GitHub Era (nexB Inc.)
This document summarizes a presentation on managing open source software in the GitHub era. It discusses how open source development and distribution has evolved from centralized models to a decentralized model exemplified by GitHub. This shift has introduced new challenges for open source compliance, such as tracking the large number of dependencies between projects and properly attributing and licensing snippets of code. The presentation provides best practices for organizations to reduce risks, such as vetting dependency sources and embedding license information.
nexB Software Audit M&A: What to expect as a Seller (nexB Inc.)
If your company is being acquired, the open source software due diligence is something you will have to deal with. nexB can help in this process. See http://www.nexb.com/services.html
Managing Open Source Software Supply Chains (nexB Inc.)
Heather Meeker and Michael Herzog discuss the latest trends in open source compliance for supply chain activities: the key legal issues for supply chain management as well as the latest automation tools and projects for open source management.
Agenda
• Legal issues for supply chain management
• Best practices to avoid claims and reduce risk
• Latest automation tools and projects for open source compliance management
IT due diligence, software audit and software quality standards are very important for startups that want to sell to or partner with large companies and corporates. In this invited talk the importance of quality is discussed from a startup perspective.
Best practice recommendations for utilizing open source software (from a lega... (Rogue Wave Software)
Presented at Sensors Expo and Conference 2015, this session covers: Trends in open source software (OSS); The open source audit and license identification; Developing an OSS process and policy; Compliance; and Legal implications.
Proactive sell side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoid lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
Speakers from Fermi National Accelerator Laboratory, Idaho National Laboratory, and Black Duck discuss Open Source Software (OSS) issues from industry and government perspectives. The speakers also delve into the White House open-source policy directive and the impact that releasing federally funded software will have on technology transfer.
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na... (Black Duck by Synopsys)
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
Managing the Software Supply Chain: Policies that Promote Innovation While Op... (FINOS)
Jeff Luszcz, Flexera Software: Managing the Software Supply Chain: Policies that Promote Innovation While Optimizing Security and Compliance.
Do you build software, sell software consulting services, or contribute to the open source community? Understanding your software supply chain and learning the best way to manage it is worth your time. As the consumption of open source and other third party software increases, companies who know how to manage and influence the supply chain have a competitive advantage over those who don't do it as well. Developers, Architects, and IP attorneys need to understand the long term impact of leveraging Open Source and Third Party software in their enterprise software, internal tools and web services. Join Jeff Luszcz, VP of Product Management at Flexera, as he walks through best practices to manage OSS in the financial services world.
Learn how this Black Duck customer tracks the potential impact of open source security vulnerabilities in all its products while ensuring the SDLC remains fast and agile.
The document discusses the evolution of software documentation from simple readme files to a major component of modern software. It notes testers now must verify both code and documentation are correct. The document also provides a checklist for documentation testing, covering audience, terminology, content accuracy, examples, and more. It describes techniques for loosely-coupled documents like manuals and tightly-coupled documents integrated into software.
Black Duck Software provides solutions to automate the management, governance, and secure use of free and open source software at an enterprise scale. Founded in 2002, it has over 750 customers in 22 countries. Black Duck's products help developers search, select, and monitor open source components, while ensuring compliance and reducing security vulnerabilities. It competes with companies like Palamida and OpenLogic but differentiates itself through its comprehensive database of open source information and lifecycle adoption platform.
The document discusses open source software, intellectual property, and security. It notes that open source software use has increased dramatically in recent years. While open source can help organizations develop software faster and with smaller budgets, it also poses intellectual property and security risks if not properly governed. The document recommends that organizations establish an open source review board to review and approve policies around externally sourced software and conduct audits to evaluate compliance and risks.
This SlideShare will help you understand the shifting open source landscape and why open source security management is becoming more critical. You’ll also understand the high-level capabilities of the Black Duck Hub. You’ll also learn how, in just a few minutes, you can use your existing Protex Bill of Materials to uncover known open source security vulnerabilities lurking in your projects, how to monitor for newly discovered vulnerabilities, and how to take steps to remediate your open source vulnerability risk. Then you’ll be ready to get started by learning more about the integration in Black Duck Academy and using these tools on your own projects.
The document discusses the real costs of open source software for enterprises. While open source provides benefits like reduced costs, increased innovation, and improved quality, it also presents risks if not managed properly. These include a lack of documentation, unknown license obligations, slow response from communities, difficulty attaining expertise, and lack of commercial support. The document advocates managing these risks by conducting open source audits, identifying where support is needed, monitoring for security updates, and maintaining vigilance over open source software usage.
The document discusses the challenges of managing open source software at scale and introduces the Black Duck Suite as a solution. It summarizes the evolution of software development, the promises and challenges of open source, and risks of unmanaged code. The Black Duck Suite helps manage risks through an automated workflow that integrates with development tools to enable multi-source development across the application lifecycle. It addresses management, compliance, and security challenges.
Brandt - Superconductors and Vortices at Radio Frequency Magnetic Fields (thinfilmsworkshop)
Superconductors and Vortices at Radio Frequency Magnetic Fields (Ernst Helmut Brandt - 50')
Speaker: Ernst Helmut Brandt - Max Planck Institute for Metals Research, D-70506 Stuttgart, Germany | Duration: 50 min.
Abstract
After an introduction to superconductivity and Abrikosov vortices, the statics and dynamics of pinned and unpinned vortices in bulk and thin film superconductors is presented. Particularly interesting is the case of Niobium, which has a Ginzburg-Landau parameter near 0.71, the boundary between type-I and type-II superconductors. This causes the appearance of a so-called type-II/1 state in which the vortex lattice forms round or lamellar domains that are surrounded by ideally superconducting Meissner state. This state has been observed by decoration experiments and by small-angle neutron scattering.
Also considered are the ac losses caused at the surface of clean superconductors, in particular Niobium, in the Meissner state, when no vortices have yet penetrated. The linear ac response is then expressed by a complex resistivity or complex magnetic penetration depth, or by a surface impedance. At higher amplitudes, several effects can make the response nonlinear and increase the ac losses.
In particular, at sharp edges or scratches of a rough surface the magnetic field is strongly enhanced by demagnetization effects and the induced current may reach its depairing limit, leading to the nucleation of short vortex segments. Strong ac losses appear when such vortex segments oscillate. In high-quality microwave cavities the nucleation of vortices has thus to be avoided. Once nucleated, some vortices may remain in the superconductor even when the applied magnetic field goes through zero. This phenomenon of flux-trapping is caused by weak pinning in the bulk or by surface pinning.
The Hub builds on all the great technology developed in the Black Duck Suite over the past 10 years combined with a revamped UI and an integrated set of features. It's much easier than you would think to make the move from the Suite to the Hub. Learn how in this revealing session.
The document discusses the art and science of open source software compliance programs. It describes balancing the needs of legal, business, and community stakeholders. Elements of a successful compliance program include policy, process, guidelines, staffing, training, audits, tools, and handling inquiries. The speaker advocates a balanced approach using both systematic best practices and creative problem solving to scale compliance programs effectively.
Best Practices in Disaster Recovery Planning and Testing (Axcient)
Axcient and industry expert Paul Kirvan have put together this presentation on avoiding common disaster recovery mistakes and leveraging industry best practices to create a technology disaster recovery plan that works best for you.
This presentation gives you the many elements necessary of a well-executed disaster recovery plan, including:
- Guidelines for creating your own Disaster Recovery plan
- A checklist of key items to consider based on your business objectives
- The common mistakes and pitfalls to avoid
- Technology considerations for Disaster Recovery
- Tips for planning and executing a successful Disaster Recovery test
Whether you're in the process of creating a disaster recovery plan or you already have one in place, this presentation will guide you through the steps you need to follow to help ensure your plan is complete.
More than ever, open source software is at the heart of modern online businesses and technology companies. Open source is nearly everywhere: web browsers, smartphones, home wireless routers, databases, web servers, and countless components of free, commercial, and large enterprise software. But most open source software comes with strings attached, and if misunderstood, they can trip up the unwary.
Topics:
• The most common sources of non-compliance with open source licenses
• The key differences between the most popular licenses
• The basis in intellectual property law for open source licensing
• How courts in the US and abroad have enforced open source licenses
These slides are from a webinar by attorney Ansel Halliburton on September 22, 2015.
This session will present the 2 new projects initiated by HP around Open Source Governance:
● FOSSBazaar is a community Web site gathering all type of information around Open Source Governance (Policy examples, Workflow models, White Papers, Blogs of experts, References to related projects, ...)
● FOSSology is a tool helping in the evaluation of Open Source licenses really used in projects by doing code analysis, and pattern matching searches in it and reporting what had been found. A video of the Fossology Project Lead, Bob Gobeille, will be made extra for the fOSSa event.
In this talk, you’ll learn how you can use the AWS CLI to automate common administrative tasks in AWS. We’ll cover several scenarios including EBS snapshot management and S3 backups and see how to combine AWS CLI features to create powerful tools for automation. You’ll see how to develop, debug, and deploy these examples in several live, end to end examples.
Technical Due Diligence for M&A: A Perspective from Corporate Development at ...Black Duck by Synopsys
This webinar focuses on the issues related to improper use of open source software and how this can impact M&A and other partnering opportunities. Attendees will learn techniques to uncover potential issues and the benefits of properly managing your software assets to minimize delays and risks. Russell Hartz of SAP’s Corporate Development organization discusses their strategy and perspective on the subject and how they approach this kind of technical due diligence.
This document discusses securing the software supply chain. It notes that 90% of services use third-party components which can increase security risks if not properly reviewed. The speaker recommends automating security and legal reviews of open source components used in software to address this issue, rather than relying on manual reviews. The benefits of automation include faster and more comprehensive reviews that can occur continuously rather than just during development phases. Automation is presented as key to effectively securing the modern software supply chain.
A large company employing thousands of software developers worldwide faces many challenges to consistently manage its processes for using and releasing software under Free Software licenses. Open source knowledge and expertise often varies dramatically across business verticals, as does understanding of how open source communities function. The underlying compliance requirements of Free Software licenses, however, are the same for every organization, regardless of size. What can companies do to ensure certain degrees of cohesion and competency are reflected across their diverse open source offerings?
This presentation will present some of my experiences with developing and refining corporate-wide practices that are designed to be transparent, repeatable, and scalable. The lessons learned can be applicable to any entity dealing with Free Software.
The document discusses a new digital forensic data capture device called the Forensic Dossier launched by Logicube. The Dossier allows investigators to capture data from suspect drives at speeds of up to 6GB per minute. It supports capturing from RAID drives and various flash media. The Dossier features built-in support for many drive types and connections. It includes advanced authentication and other forensic features. The Dossier will be showcased at the 2009 International CES conference in Las Vegas.
FLIGHT WEST 2018 Presentation - Open Source License Management in Black Duck HubBlack Duck by Synopsys
This document provides an overview of open source license management best practices that have evolved over 16 years, from 2002 to 2018. It discusses how the risks have changed from lawsuits prompting code inspections to security vulnerabilities coming to the forefront. It also outlines the key functionality of Black Duck Hub for managing open source licenses, including predefined license groups, component usage settings, license risk modeling, policy management, license review workflows, and integrations. Finally, it proposes a suggested license management workflow involving license planning, policy creation, component reviews, attribution statements, and more.
This document provides an overview of open source software obligations and management. It discusses what open source software is, licensing types and compliance obligations, case studies on financial and M&A due diligence, and how to establish a baseline and gain approval for open source package usage. Automated tools are recommended for accurately tracking open source components, licenses, and security vulnerabilities across the development lifecycle. Presenters from legal and consulting firms discuss open source legal risk and best practices for adoption and compliance.
Open source software drives efficiency and innovation, but affects your application stacks and introduces new challenges to keeping them highly available and performing. Find out about the hottest open source options and how they can help your organization achieve better uptime and performance levels. We also explore the tradeoffs of using open source software, how to evaluate and assess the available types, and the potential effects on your applications and infrastructure.
Leveraging Open Source Opportunity in the Public Sector Without the RiskProtecode
This document discusses leveraging open source software opportunities in the public sector while mitigating risks. It begins with an agenda covering open source software benefits and challenges. It then discusses establishing an open source software adoption process (OSSAP) through defining policies, establishing baselines, and approval processes. The document outlines reporting options and demonstrates analyzer outputs. It emphasizes integrating license management early in the development cycle to reduce costs. The presentation aims to enable greater open source use while ensuring compliance, security, and quality.
Software audit strategies: how often is enough? Protecode
With the widespread use of open source software in proprietary software projects, organizations are looking for ways to mitigate licensing, security and quality vulnerabilities related to open source code. These organizations are increasing deploying software audits which involve scanning a software portfolio to uncover all software packages as well as their associated licensing and copyright obligations, security vulnerabilities and other code attribute information.
Safeguarding Against the Risks of Improper Open Source Licensing - Valuable...ActiveState
Greg Olson, Senior Partner at open source consulting firm Olliance Group and Bart Copeland, President and CEO of ActiveState, the dynamic languages company present an informative webinar to:
* Investigate legal, operational and market risks associated with open source
* Address common pitfalls with open source licensing
* Identify proven tips for creating an open source governance program
* Explore commercial open source options to mitigate open source legal and operational risks
* Share effective steps to protect your organization against costly infringements
Giving Everyone Access To Open Source Best Practices: The OpenChain CurriculumShane Coughlan
This talk will explain how the OpenChain Curriculum team assembled and released extensive compliance training material under CC-0 licensing. It will expand on how this material can be either used for generic in-company or cross-company training and how it helps to comply with the OpenChain Specification. A run through of the key material will be given to illustrate how it can support every company in the adoption and customization of best practices to suit their needs. The talk will conclude with a brief overview of how to engage with the OpenChain Curriculum, the broader OpenChain Project, and what can be expected around Open Source supply chain management in the coming year.
There are multiple reasons why Open Source Software OSS is a benefit for all organisations and in particular in Public Sector.
All of the organisations represented on this call will be tasked with delivering solutions for specific requirements and at great speed. Why create those solutions from generic platforms and be dependent on their long release cycles to evolve the solutions when you can develop just what is needed and then share that with other PS orgs who can modify to suit their requirements which makes for rapid development and lack of redundancy
Ultimately you will be able to control your own destiny and set your own pace for delivering exactly what is needed.
The document discusses several security-related topics including promoting the OWASP Orange Saft tool, outcomes from a security guidance stakeholder meeting, feedback for improving security guidance in IDEs, topics to cover in a new CISO guide, questions to include in the guide, securing GitHub integration, an incident response playbook, and a CISO round table discussion. It also summarizes outcomes from several breakout groups at an OWASP event on threat modeling, application security curriculum design, and infosec warranties and guarantees.
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxlior mazor
The document discusses prioritizing CVE research through automation. It begins by outlining challenges with manually researching the large number of CVEs, such as time consumption and human error. It then describes starting with a basic Python script to gather CVE data from sources and write it to a spreadsheet. The script evolved to incorporate more data sources and a scoring system to prioritize CVEs based on factors like availability of public proofs-of-concept, common affected products, and relevance to the organization. This developed into a full system with a dashboard interface to easily identify high priority CVEs for further study. The benefits of automated prioritization for security research are discussed.
This document discusses open source software and business intelligence software. It provides an overview of open source licensing, the costs and benefits of open source, and barriers to adoption. It also examines open source business intelligence vendors and includes an example financial analysis comparing open source and proprietary options.
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
Be sure to register for a demo, if you would like to see how Klocwork can help ensure that your code is secure, reliable, and compliant.
https://www.perforce.com/products/klocwork/live-demo
Open Source evaluation: A comprehensive guide on what you are usingAll Things Open
Presented at All Things Open 2023
Presented by Viral Chhasatia & Karan Marjara - Amazon
Title: Open Source evaluation: A comprehensive guide on what you are using
Abstract: What happens if an open source package your service relies on changes direction or shuts down? This talk provides a step-by-step approach that enables users to thoroughly assess open source software risks and rewards before making a final decision to use it in your product or service.
Find more info about All Things Open:
On the web: https://www.allthingsopen.org/
Twitter: https://twitter.com/AllThingsOpen
LinkedIn: https://www.linkedin.com/company/all-things-open/
Instagram: https://www.instagram.com/allthingsopen/
Facebook: https://www.facebook.com/AllThingsOpen
Mastodon: https://mastodon.social/@allthingsopen
Threads: https://www.threads.net/@allthingsopen
2023 conference: https://2023.allthingsopen.org/
2. Agenda
Introduction
Key Elements of a Policy for use of OSS
OSS Identification: Why, What, How?
Survey of open source and commercial tools for OSS Identification
Rightsizing your OSS Identification Process and Tools
3. Open Source Policies
Most companies today have written open source policies
• Decrease risk of compliance claims
• Set policy for transactions with vendors, customers
• Manage unintended consequences to IP (for contributions)
TACTICS
STRATEGY
4. LET’S TALK ABOUT TACTICS
Policies mostly deal with compliance
• Substantive policy: license stop/go lists avoid engineering problems (for GPL/LGPL)
• Procedural policy: keeping track of open source use
Compliance is mostly an information/process problem
• Open source circumvents business processes
• Most companies try to automate the management of information
• Most people managing this process in the trenches find the array of tools confusing
5. Substance of Open Source Policies on Compliance
Use Cases
• Modification
• Internal use v. Distribution
o Product deployment
o Development tools
o Internal business use
Licenses
• Most companies triage by license, others by project
6. Example – Stop/Go/Caution List
Go: You do not need Legal approval to use code licensed under these licenses for all use cases.
• Public Domain
• BSD
• MIT
• Apache 1.1 or 2.0 (not 1.0)
• Artistic License
• PHP License
• Python Software Foundation License
• zlib/libpng License
• Boost Software License
• OpenSSL/SSLeay License
• WTFPL
• CC0 (public domain dedication)
• Creative Commons Attribution-Only (“CC BY”)
• Unlicense
• Any software licensed under a choice of multiple licenses that include any of the above.
Caution: You do not need Legal approval to use code licensed under these licenses internally. You must obtain Legal approval to distribute code licensed under these licenses.
• GPL 2.0 (only when a standalone process)
• LGPL 2.1 (only when dynamically linked)
• Mozilla Public License 1.1 or 2.0 (“MPL”)
• CDDL
• CPL or IBM
• Eclipse Public License
• GPL 2.0 plus exception (such as linking, Classpath, or FOSS exception)
Stop: You must obtain Legal approval to use any code licensed under these licenses.
• Apache 1.0
• GPL 3.0
• LGPL 3.0
• Affero GPL v1 or v3
• Sleepycat
• GNU Documentation License
• Creative Commons ShareAlike (“CC BY-SA”)
• Open Software License
• Academic Free License
7. Why do you need to identify OSS Components?
Legal: You need to know the license and usage in order to comply with the license terms
• Attribution
• Redistribution of source code
Business: You need to know the origin to assess the business risks related to
• Quality
• Security
• Support (community or commercial)
• Project viability
8. OSS Identification
Create an inventory of OSS software components used in a product, application or system where:
• A component can be a product, package, library, directory of code files, a file or a snippet in a file
• The granularity of a component in an inventory is based on the level of detail you need to document origin and license
Categorize by primary usage:
• Development tools - e.g. compilers, editors, test tools
• Development code - components that are used to build some version of a product (current, prior or future release)
• Deployed code - the subset of Development code deployed/distributed for a particular product release
9. OSS Identification
For each component determine:
• The origin: who wrote it, who holds the copyright, where can it be downloaded from?
• The license: what are the license terms (high level categorization and specific licensing terms)
• The version being used
• How it is used:
o Modified or as-is?
o Standalone or in combination with other proprietary code or OSS code?
10. How do you perform OSS Identification?
Overall Process = Combination of Tools + (human) review
• Some identification can be fully automated
• Most requires interpretation
Goals
• Create a reasonably detailed Inventory of OSS components in a codebase
• Identify and resolve license issues relative to your policies
• Prepare for outbound compliance
Primary Techniques
• Scanning - extract information directly from codebase files
• Matching - compare codebase files to a repository of OSS files
11. How does Scanning work?
Detect and discover “evidence” and “assertions” in the code
• Copyright statements
• License notices, mentions or texts
• Software package “manifests” (Java Jar, RubyGem, RPM, etc.)
• Email, URL, author and person names
• Other origin and license clues found in the code
• Data may be in source code, text files or binaries
Techniques
• Copyright “grammar”
• License text search and matching
• Specific “parsers” to extract package metadata, emails, etc.
12. How does Scanning work? [2]
High confidence for identification with scanning
• Evidence in the code itself is primary
• Will not detect two cases:
o Copyright or license notices intentionally removed (rare)
o Snippets where the developer did not provide comments or clues about the origin of the snippet
Interpretation typically required to:
• Conclude the overall license at component level when files have different notices
• Research clues
The quality of identification depends on who interprets the data - can often be performed by a developer who understands the codebase
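As an added illustration of slides 11 and 12 (not code from the deck, nor from ScanCode or any nexB tool), a small scanner over a constructed mini-codebase: a copyright grammar, license evidence from SPDX tags and notice text, a RubyGem manifest parser, and a check for files that carry no clues at all. The sample files, regexes and license phrases are all constructed here.

```python
import re

# Constructed mini-codebase (not real project files): a C file with a
# zlib-style notice, a Ruby file with an SPDX tag, a RubyGem manifest and
# a vendored file that carries no clues at all.
SAMPLE_FILES = {
    "src/crc.c": (
        "/* crc.c - CRC-32 helper\n"
        " * Copyright (C) 1995-2013 Jane Doe <jane@example.org>\n"
        " * This software is provided 'as-is', without any express or implied\n"
        " * warranty. In no event will the authors be held liable. */\n"
        "unsigned long crc32(unsigned long crc, const unsigned char *buf);\n"
    ),
    "lib/httpx.rb": (
        "# Copyright 2019 Example Corp.\n"
        "# SPDX-License-Identifier: Apache-2.0\n"
        "module Httpx; end\n"
    ),
    "httpx.gemspec": (
        "Gem::Specification.new do |s|\n"
        "  s.name     = 'httpx'\n"
        "  s.version  = '0.4.2'\n"
        "  s.license  = 'Apache-2.0'\n"
        "  s.homepage = 'https://example.org/httpx'\n"
        "end\n"
    ),
    "vendor/blob.js": "function f(a){return a*31}\n",
}

# Copyright "grammar": keyword, optional year or range, holder, optional email.
COPYRIGHT_RE = re.compile(
    r"(?:copyright|\(c\)|©)\s*(?:\(c\)\s*)?"
    r"(?P<years>\d{4}(?:\s*[-,]\s*\d{4})*)?\s*,?\s*"
    r"(?P<holder>[^<\n*]+?)"
    r"(?:\s*<(?P<email>[^>\n]+)>)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
SPDX_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+-]+)*)"
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Minimal RubyGem manifest "parser": s.<field> = '<value>' lines.
GEMSPEC_RE = re.compile(
    r"^\s*\w+\.(name|version|license|homepage)\s*=\s*['\"]([^'\"]+)['\"]",
    re.MULTILINE,
)
# Key phrases from well-known license texts, compared against normalized text.
LICENSE_PHRASES = [
    ("apache-2.0", "licensed under the apache license, version 2.0"),
    ("mit", "permission is hereby granted, free of charge, to any person"),
    ("zlib", "this software is provided 'as-is', without any express or implied warranty"),
    ("gpl-2.0", "either version 2 of the license, or (at your option) any later version"),
]


def normalize(text):
    """Lowercase and collapse whitespace and comment markers so a notice
    wrapped across comment lines still matches its reference phrase."""
    return re.sub(r"[\s*#/]+", " ", text.lower()).strip()


def find_copyrights(text):
    return [
        {"years": m.group("years"), "holder": m.group("holder").strip(),
         "email": m.group("email")}
        for m in COPYRIGHT_RE.finditer(text)
    ]


def find_licenses(text):
    """Return (evidence kind, license) pairs: SPDX tags first, then notice text."""
    found = [("spdx-tag", m.group(1)) for m in SPDX_RE.finditer(text)]
    norm = normalize(text)
    found += [("notice-text", key) for key, phrase in LICENSE_PHRASES if phrase in norm]
    return found


def parse_gemspec(text):
    if "Gem::Specification" not in text:
        return None
    return dict(GEMSPEC_RE.findall(text))


def scan_file(path, text):
    """Scan one file; every finding is evidence present in the file itself."""
    package = parse_gemspec(text) if path.endswith(".gemspec") else None
    licenses = find_licenses(text)
    if package and package.get("license"):
        licenses.append(("manifest", package["license"]))
    finding = {
        "copyrights": find_copyrights(text),
        "licenses": licenses,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "package": package,
    }
    # Scanning cannot identify a file that carries no clues at all (slide 12);
    # such files are candidates for matching instead.
    finding["has_clues"] = any(finding[k] for k in finding)
    return finding


def scan_codebase(files):
    return {path: scan_file(path, text) for path, text in files.items()}


def files_without_clues(results):
    return sorted(path for path, f in results.items() if not f["has_clues"])
```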
13. How does Matching work?
Find similarities between your code and an index of OSS code
• If your code is similar it “may” share a similar origin
Multiple levels
• Whole package, library or archive
• Files or snippet(s) of a few lines of code
Techniques
• File comparison, similar to comparing two documents (aka redlining or blacklining)
• Create and compare digital “fingerprints”
o Single fingerprint for an entire package or archive or file
o Set of fingerprints for a set of files
o Set of snippet fingerprints within a file - e.g. every 10 lines
14. How does Matching work? [2]
All matches except an exact or string match at the package or library level typically require interpretation of the matching pattern
The finer the matching (e.g. snippets), the higher the risk of irrelevant matches (false matches)
Code can be generated by tools, leading to fake similarities
Snippet matches typically require extensive (and costly) human review
• Commonly re-used code may have hundreds of matches (or more)
• Snippet matches need to be evaluated in the context of the type of code and the domain to determine the most likely match
15. How does Matching work? [3]
More coarse-grained matching has a risk of missing some detection (false negatives)
The quality of identification depends on:
• Who interprets the matches
• The quality of the origin and license data in the OSS repository used to create the OSS index. Bigger is not always better.
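An added example, not from the deck, of the fingerprint matching described in slides 13 to 15, run against a constructed three-package index: whole-file fingerprints first, then sliding-window snippet fingerprints (3 lines here, where the deck's example uses 10), with a triage step that separates a conclusive file match from snippet matches that need interpretation. The package names, sources and the triage rule are assumptions made here.

```python
import hashlib
import re

# Constructed OSS index (not real projects): three small C files that each
# contain the same generic null-check idiom.
FOO_SRC = """int foo_sum(const int *p, int n) {
    if (p == NULL) {
        return -1;
    }
    int s = 0;
    for (int i = 0; i < n; i++) {
        s += p[i] * 31;
    }
    return s;
}
"""
BAR_SRC = """double bar_mean(const double *p, int n) {
    if (p == NULL) {
        return -1;
    }
    double t = 0;
    for (int i = 0; i < n; i++) {
        t += p[i];
    }
    return t / n;
}
"""
BAZ_SRC = """int baz_len(const char *p) {
    if (p == NULL) {
        return -1;
    }
    int k = 0;
    while (p[k]) {
        k++;
    }
    return k;
}
"""
OSS_CORPUS = {"libfoo": ("MIT", FOO_SRC), "libbar": ("GPL-2.0", BAR_SRC),
              "libbaz": ("Apache-2.0", BAZ_SRC)}

# Constructed codebase under review: an unmodified vendored copy, a lightly
# modified copy, and a local helper that only shares the generic idiom.
CODEBASE = {
    "vendor/foo.c": "// vendored copy, comment added locally\n" + FOO_SRC,
    "src/foo_tuned.c": FOO_SRC.replace("* 31", "* 37"),
    "src/util.c": "int util_check(const void *p) {\n    if (p == NULL) {\n"
                  "        return -1;\n    }\n    return 0;\n}\n",
}
WINDOW = 3  # lines per snippet fingerprint; the deck's example uses 10


def normalize_lines(text):
    """Drop comments and all whitespace so cosmetic edits do not defeat matching."""
    lines = []
    for line in text.splitlines():
        line = re.sub(r"//.*|/\*.*?\*/", "", line)
        line = re.sub(r"\s+", "", line)
        if line:
            lines.append(line)
    return lines


def file_fingerprint(text):
    """One fingerprint for the whole file (package/archive level works the same way)."""
    return hashlib.sha1("\n".join(normalize_lines(text)).encode()).hexdigest()


def snippet_fingerprints(text, window=WINDOW):
    """One fingerprint per sliding window of `window` normalized lines."""
    lines = normalize_lines(text)
    return [hashlib.sha1("\n".join(lines[i:i + window]).encode()).hexdigest()
            for i in range(len(lines) - window + 1)]


def build_index(corpus):
    by_file, by_snippet = {}, {}
    for pkg, (_license, text) in corpus.items():
        by_file[file_fingerprint(text)] = pkg
        for fp in set(snippet_fingerprints(text)):
            by_snippet.setdefault(fp, set()).add(pkg)
    return by_file, by_snippet


def match_file(text, by_file, by_snippet):
    """Try the coarse (whole-file) level first, then fall back to snippets.
    Returns the level reached and, per candidate package, the number of
    snippet windows it shares with the file."""
    fps = snippet_fingerprints(text)
    exact = by_file.get(file_fingerprint(text))
    if exact:
        return {"level": "file", "matches": {exact: len(fps)}}
    hits = {}
    for fp in fps:
        for pkg in by_snippet.get(fp, ()):
            hits[pkg] = hits.get(pkg, 0) + 1
    return {"level": "snippet" if hits else "none", "matches": hits}


def triage(result):
    """Exact file match: conclusive on its own. A single leading snippet
    candidate: needs review. Several candidates tied: false matches likely,
    interpret in context (slides 14-16)."""
    if result["level"] == "file":
        return "conclusive"
    if not result["matches"]:
        return "none"
    top = max(result["matches"].values())
    leaders = [p for p, c in result["matches"].items() if c == top]
    return "review" if len(leaders) == 1 else "ambiguous"


def match_codebase(codebase, corpus):
    by_file, by_snippet = build_index(corpus)
    out = {}
    for path, text in codebase.items():
        result = match_file(text, by_file, by_snippet)
        out[path] = dict(result, triage=triage(result))
    return out
```

The modified copy is a coarse-grained miss (its file fingerprint no longer matches) that the snippet level still attributes to libfoo, while the local helper matches all three packages equally because they share one generic idiom.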
16. Completing the OSS Identification work
Expert technical and legal review is needed to confirm, validate (or invalidate) the data from tools
• The level of effort is related to the technique used
Scanning and Component Matching require less review
• Scanning is about evidence
• Component Matching is also conclusive on its own
Snippet Matching requires more review - more false matches and a larger volume of possible matches
Policy should balance risk and effort
• More frequent Scanning and Component Matching
• Less frequent Snippet Matching. Eventually not needed with trained developer teams
17. Finding and Resolving Issues
Finding Issues
• An origin or license that does not match your policy for a certain usage context should be an issue trigger
• Non-compliance with license terms (missing attribution, redistribution, etc.)
Resolving Issues
• Legal advisors need to research legal or policy implications of an issue
• Use the development team ticket system or similar to track each issue to resolution
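An added example, not from the deck, that turns the Stop/Go/Caution list from slide 6 and the issue triggers above into a checker over constructed inventory entries. How the GPL 2.0/LGPL 2.1 conditions, unknown licenses and the attribution rule are handled is assumed here and not stated in the deck.

```python
# License keys are short spellings of the names on the example slide; the
# GPL-2.0 / LGPL-2.1 condition handling, the "stop if unknown" default and
# the attribution rule are assumptions made for this example.
GO = {
    "public-domain", "bsd", "mit", "apache-1.1", "apache-2.0", "artistic",
    "php", "psf", "zlib", "boost", "openssl", "wtfpl", "cc0", "cc-by",
    "unlicense",
}
CAUTION = {"mpl-1.1", "mpl-2.0", "cddl", "cpl", "epl", "gpl-2.0-with-exception"}
# Caution only when used this way; any other integration falls through to Stop.
CONDITIONAL_CAUTION = {"gpl-2.0": "standalone-process", "lgpl-2.1": "dynamic-link"}
STOP = {
    "apache-1.0", "gpl-3.0", "lgpl-3.0", "agpl-1.0", "agpl-3.0", "sleepycat",
    "gfdl", "cc-by-sa", "osl", "afl",
}
NO_ATTRIBUTION = {"public-domain", "cc0", "unlicense"}  # no notice to reproduce
RANK = {"go": 0, "caution": 1, "stop": 2}


def classify_one(lic, integration):
    lic = lic.lower()
    if lic in GO:
        return "go"
    if lic in CAUTION:
        return "caution"
    if lic in CONDITIONAL_CAUTION:
        return "caution" if integration == CONDITIONAL_CAUTION[lic] else "stop"
    return "stop"  # on the Stop list, or unknown: needs Legal review either way


def classify(expression, integration="n/a"):
    """'A OR B' is a choice of licenses: per the slide, any Go option makes
    the component Go. 'A AND B' means both apply, so the stricter one wins."""
    best = "stop"
    for option in expression.split(" OR "):
        worst = "go"
        for part in option.split(" AND "):
            cat = classify_one(part.strip(), integration)
            if RANK[cat] > RANK[worst]:
                worst = cat
        if RANK[worst] < RANK[best]:
            best = worst
    return best


def evaluate(component):
    """Apply the list to one inventory entry in its usage context and return
    the issue triggers (slide 17) that should go into the ticket system."""
    lic = component["license"]
    category = classify(lic, component.get("integration", "n/a"))
    distributed = component["usage"] == "distribution"
    issues = []
    if category == "stop":
        issues.append("policy: Legal approval required for any use of " + lic)
    elif category == "caution" and distributed:
        issues.append("policy: Legal approval required to distribute " + lic + " code")
    if (distributed and lic.lower() not in NO_ATTRIBUTION
            and not component.get("attribution_done", False)):
        issues.append("compliance: attribution notice missing for distributed component")
    return {"name": component["name"], "category": category, "issues": issues}


def find_issues(inventory):
    return [r for r in map(evaluate, inventory) if r["issues"]]


# Constructed inventory entries (not real components).
INVENTORY = [
    {"name": "compress-lib", "license": "zlib", "usage": "distribution",
     "attribution_done": True},
    {"name": "dual-lib", "license": "GPL-2.0 OR MIT", "usage": "distribution",
     "attribution_done": True},
    {"name": "codec-lib", "license": "LGPL-2.1", "usage": "distribution",
     "integration": "dynamic-link", "attribution_done": False},
    {"name": "build-tool", "license": "GPL-3.0", "usage": "internal"},
    {"name": "plugin-lib", "license": "GPL-2.0", "usage": "internal",
     "integration": "static-link"},
    {"name": "ui-widget", "license": "MPL-2.0", "usage": "internal"},
]
```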
18. Rightsizing your OSS ID Process and Tools
Assess risk and define policies at appropriate level(s)
• Company-level
• Product-line or product-level
• Factor in business and technology domains
Evaluate your Risk Profile for use of OSS - considering:
• Internal vs. External Use
• Business or Consumer Customers or both
• Product Deployment modes - Distribution, SaaS, Resellers/OEMs
• Software Domains - Linux, Codecs
• Patent considerations
19. Rightsizing your OSS ID Process and Tools
Define the scope of data you need for/from OSS Identification
• License
o Knowing only the license may be sufficient for internal use
• Provenance
o Knowing the copyright holder is needed for Attribution
o Knowing details about the project is recommended for tracking bugs, evaluating level of community support, etc.
• Usage
o Knowing where and how you use a component is needed for compliance with Copyleft licenses
o Also helps you manage other risks – e.g. for a security alert such as Heartbleed for OpenSSL you need to know quickly where you use a component version
20. Rightsizing your OSS ID – Scope
[Chart: a 2x2 grid of Business criticality (Low/High) against Exposure (Low/High). The quadrants are numbered 1 to 4 ("Your primary focus should be") and each is labeled with the scope of data needed there: LICENSE, PROVENANCE and/or USAGE.]
21. Rightsizing your OSS ID – Scope examples
[Chart: the same Business criticality (Low/High) against Exposure (Low/High) grid, quadrants numbered 1 to 4, with example system types placed in it: IT management systems, desktop office suites, IT security, financial systems, consumer web site, mobile consumer products, server-side management products, development tools, CRM systems.]
22. Rightsizing your OSS ID Process and Tools
Define level of depth (precision) needed for OSS Identification
• The cost of OSS Identification is directly proportional to the depth of analysis
o Easier to identify larger components – e.g. libraries
o Progressively harder to identify smaller components – e.g. files and snippets
• The value of an OSS component is also typically proportional to size
o Product-level OSS projects or libraries provide significant functional value
o Files or snippets from an OSS project may be useful, but typically offer less functional value
• Depth of analysis may be variable across OSS ID processes
o More frequent Library-level analysis
o Less frequent File/Snippet-level analysis
23. Rightsizing your OSS ID – Depth: Aligning cost with value
[Chart: VALUE, RISK and COST compared across three levels of depth: Product, Libraries, and Files/snippets.]
• There is more value in reusing a whole open source product or a library
• Reporting reuse of whole products is straightforward
• Risk of non-compliance decreases with files and snippets
• Reusing single files and snippets of code is tactical
• Detecting and reviewing borrowed code snippets requires a significant effort
24. Distributing the OSS ID workload
Insource or outsource OSS Identification process and tools
• Internal staff may be able to handle basic OSS Identification
• Engage external experts (retainer-style?)
• Plan for periodic audits ⇒ real audits, not OSS ID
Legal Role
• Define and communicate policies
• “Enforce” policies and guide issue resolution
Developer Role (or QA or Release Management)
• First level OSS Identification
• Maintain Software Inventory
Augment with outside resources where needed
25. OSS tools for OSS Identification
Linux Foundation Tools
• http://www.linuxfoundation.org/programs/legal/compliance/tools
• SPDX Tools - https://github.com/spdx-tools
FOSSology
• http://www.fossology.org/projects/fossology
• Moving to Linux Foundation soon
nexB Projects
• AboutCode - https://github.com/dejacode/about-code-tool
• ScanCode - https://github.com/nexB/scancode-toolkit
26. ScanCode Demo
• Free and Open Source license and copyright scanner (Commercial Support available)
• Command line tool with interactive HTML reports or JSON.
• Available on GitHub at: https://github.com/nexB/scancode-toolkit/
27. Commercial tools for OSS Identification
Commercial
• Black Duck Protex
• Palamida
• Protecode
• OpenLogic (Rogue Wave) – SaaS based on FOSSology
• White Source - SaaS based on Ninka
28. Other online resources for OSS compliance
• LF Open Compliance Program - http://www.linuxfoundation.org/programs/legal/compliance
• Open Source Initiative - http://opensource.org/
• Software Package Data Exchange - https://spdx.org/
• TLDRLegal - https://tldrlegal.com/
• DejaCode (public site) - https://enterprise.dejacode.com/
29. Thank You!
• To receive CLE credit for your participation in today’s program, please send an email to ikim@omm.com with the following:
–Your name
–Bar jurisdiction
–Bar number
31. About nexB Inc.
Business is software component management
• Current focus on open source governance and compliance
• Primary product is an enterprise system for tracking all software components in your products.
We offer
• DejaCode™ - Open Data Platform for Managing Open Source - http://www.dejacode.com/
• Open Source Scanning & Attribution Generation Tools - https://github.com/nexB
• Open Source Software Expert Audit Services - http://www.nexb.com/services.html
32. Contact
O’Melveny & Myers - http://www.omm.com/
• Heather Meeker - hmeeker@omm.com +1 650 473 2635
• Subscribe to news and events alert at
http://heathermeeker.squarespace.com/
nexB Inc. - http://www.nexb.com/
• Philippe Ombredanne - pombredanne@nexB.com +1 650 799 0949