RISCOSS: modelling and reasoning
Examples of OSS adoption risks
• Component selection risks
  – Misestimation of the selection effort
  – Risk of wrong component selection
• Component integration risks
  – Misestimation of the integration effort
  – Risk of component integration failure
  – Security risk
• Legal risks
  – Intellectual property risk
  – Risk of license issues
  – Liability risk
© RISCOSS Consortium
Examples of OSS measures and risk indicators in OSS ecosystems
• Measures
  – Long bug fix time: Critical & Blocker
  – Long bug fix time: Total
  – Commit frequency per week & number of commits
  – Forum posts per day
  – …
• Risk indicators
  – Timeliness of the community
  – Activeness of the community
  – …
Modeling risks: entities
• A risk is characterized by
  – an Event [1], e.g. "the OSS component is not maintained"
  – a Situation [2,3], e.g. "the community is not active"
• Measures & risk indicators
  – Measures are raw and derived evidence, e.g. "number of bugs fixed"
[Figure: legend of the model notation: Event, Situation, Measure & Risk indicator.]
References
1. Yudistira Asnar, Paolo Giorgini, and John Mylopoulos. Goal-driven risk assessment in requirements engineering. Requirements Engineering, 16(2):101–116, 2011.
2. Daniele Barone, Lei Jiang, Daniel Amyot, and John Mylopoulos. Reasoning with key performance indicators. In The Practice of Enterprise Modeling (PoEM 2011), LNBIP 92, pages 82–96, 2011.
3. Alberto Siena, Ivan Jureta, Silvia Ingolfo, Angelo Susi, Anna Perini, and John Mylopoulos. Capturing variability of law with Nomos 2. In ER 2012, LNCS 7532, pages 383–396, 2012.
Modeling risks: relationships
• Relationships between situations and events
  – "expose", "protect": state when a situation makes an event possible (or impossible)
  – "increase", "mitigate": state when a situation makes an event critical (or not influential)
• Relationship between risk events and goals / tasks
  – "impact" connects the strategic model with the risk model
[Figure: notation of the expose, impact and mitigate relationships.]
[Figure: i* model of the example. Actors: OSS Adopter and OSS Community; goal: "Maintain software"; resource: OSS component. The risk event "Difficulty in code refinement" is exposed by the situations "Timeliness" and "people on project", has the risk driver "measure of bug fixing time", and impacts the goal "Maintain software". Legend: Actor, Goal, Resource, Risk event, Situation, Risk driver.]
Levels of representation: OSS ecosystems and risks together (in i*)
• Layer 3: business / strategic actors and goals of the OSS ecosystem
• Layer 2: situations and risk events
• Layer 1: measures and risk drivers
Statistical analysis of OSS projects and communities
Statistic: "Bug fix time"
[Figure: histogram of bug fix time (count of bugs per fix-time interval) for the Xwiki OSS community.]
• Study the "behavior" of the community in the project
  – Statistical analysis of "Bug fix time" (in the Xwiki OSS community)
  – Date range: August 6th 2012 to August 6th 2013
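How the "Long bug fix time" measures from the measures slide (Critical & Blocker, and Total) are obtained from a tracker export, and how the resulting distribution is discretised into the states the later Bayesian network uses. This is an added example, not RISCOSS code or XWiki data: the JSON-lines export format, the priority names and the day thresholds for the states are assumptions, and the issues are constructed.

```python
"""Bug fix time as an OSS measure: computed from a constructed issue-tracker
export, split into the 'Critical & Blocker' and 'Total' variants, and
discretised into the states used by the Bayesian network. Added example, not
RISCOSS code; the export format and the day thresholds are assumptions."""
import json
from datetime import datetime
from statistics import median

# Constructed issue-tracker export (JSON lines), not real XWiki data.
ISSUES_JSONL = """\
{"key": "X-1", "priority": "Critical", "created": "2013-01-01T00:00:00", "resolved": "2013-01-02T00:00:00"}
{"key": "X-2", "priority": "Blocker", "created": "2013-01-05T00:00:00", "resolved": "2013-01-06T12:00:00"}
{"key": "X-3", "priority": "Major", "created": "2013-02-01T00:00:00", "resolved": "2013-02-15T00:00:00"}
{"key": "X-4", "priority": "Minor", "created": "2013-02-01T00:00:00", "resolved": "2013-05-01T00:00:00"}
{"key": "X-5", "priority": "Critical", "created": "2013-03-01T00:00:00", "resolved": "2013-03-21T00:00:00"}
{"key": "X-6", "priority": "Major", "created": "2013-03-01T00:00:00", "resolved": "2013-03-03T00:00:00"}
{"key": "X-7", "priority": "Blocker", "created": "2013-04-01T00:00:00", "resolved": "2013-04-01T06:00:00"}
{"key": "X-8", "priority": "Minor", "created": "2013-04-10T00:00:00", "resolved": null}
{"key": "X-9", "priority": "Major", "created": "2013-05-01T00:00:00", "resolved": "2013-09-15T00:00:00"}
{"key": "X-10", "priority": "Critical", "created": "2013-06-01T00:00:00", "resolved": "2013-06-04T00:00:00"}
"""

CRITICAL_PRIORITIES = {"Critical", "Blocker"}

# Assumed discretisation of fix time into the BN states (upper bound in days per state).
BN_STATES = (("1 day", 3.0), ("10 days", 30.0), ("100 days", float("inf")))


def load_issues(text):
    """Parse the JSON-lines export; 'fix_days' is None for issues still open."""
    issues = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        created = datetime.fromisoformat(rec["created"])
        resolved = rec.get("resolved")
        rec["fix_days"] = (
            (datetime.fromisoformat(resolved) - created).total_seconds() / 86400.0
            if resolved else None
        )
        issues.append(rec)
    return issues


def fix_times(issues, priorities=None):
    """Fix times (days) of resolved issues, optionally restricted to some priorities."""
    return [i["fix_days"] for i in issues
            if i["fix_days"] is not None
            and (priorities is None or i["priority"] in priorities)]


def bug_fix_stats(issues, priorities=None):
    """Summary of the 'Long bug fix time' measure: count, median and maximum in days."""
    times = fix_times(issues, priorities)
    if not times:
        return {"count": 0, "median_days": None, "max_days": None}
    return {"count": len(times), "median_days": median(times), "max_days": max(times)}


def to_state(days):
    """Map a fix time to the first BN state whose upper bound it falls under."""
    for state, upper in BN_STATES:
        if days <= upper:
            return state
    raise ValueError(days)


def state_distribution(issues, priorities=None):
    """Fraction of resolved issues per BN state: the soft evidence fed to the network."""
    times = fix_times(issues, priorities)
    counts = {state: 0 for state, _ in BN_STATES}
    for t in times:
        counts[to_state(t)] += 1
    return {s: n / len(times) for s, n in counts.items()} if times else counts


if __name__ == "__main__":
    issues = load_issues(ISSUES_JSONL)
    print("Critical & Blocker:", bug_fix_stats(issues, CRITICAL_PRIORITIES))
    print("Total:", bug_fix_stats(issues))
    print("Total, as BN states:", state_distribution(issues))
```

Open issues are deliberately excluded from the statistic rather than counted with today's date, so a backlog of never-resolved reports does not silently inflate the median; if the adopter wants that signal, it belongs in a separate "open critical bugs" measure.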
Community network analysis
• Analysis of the "structure" of the OSS communities and of their "evolution" via Social Network Analysis
  – Centrality measures and prestige measures to determine the "connectivity" of nodes
  – e.g., to infer possible "critical" events in the community (such as a fork or a decrease in activity)
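The structural signal behind the community network analysis above, as an added example (not RISCOSS code): a constructed developer-interaction graph is ranked by degree centrality, and its articulation points (cut vertices) identify the contributors whose departure would split the community into disconnected groups, which is the kind of event a fork or a drop in activity would follow. The contributor names and the interaction pairs are constructed.

```python
"""Community network analysis on a constructed developer-interaction graph:
degree centrality to rank 'connectivity', and articulation points to find the
contributors whose departure would split the community. Added example, not
RISCOSS code; the interaction data is constructed."""

# Constructed interactions: pairs of contributors who worked on the same issue.
INTERACTIONS = [
    ("alice", "bob"), ("bob", "carol"), ("carol", "alice"),    # core maintainers
    ("alice", "dave"), ("bob", "dave"),                        # dave works with the core
    ("dave", "erin"),                                          # single link to a satellite group
    ("erin", "frank"), ("frank", "grace"), ("grace", "erin"),  # satellite group
]


def build_graph(edges):
    """Undirected adjacency lists (insertion ordered, duplicate edges ignored)."""
    graph = {}
    for a, b in edges:
        for u, v in ((a, b), (b, a)):
            graph.setdefault(u, [])
            if v not in graph[u]:
                graph[u].append(v)
    return graph


def degree_centrality(graph):
    """Normalised degree: collaborators divided by the maximum possible (n - 1)."""
    n = len(graph)
    return {u: len(vs) / (n - 1) if n > 1 else 0.0 for u, vs in graph.items()}


def components(graph, removed=frozenset()):
    """Connected components after (optionally) removing some contributors."""
    seen, comps = set(), []
    for start in graph:
        if start in removed or start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            u = stack.pop()
            if u in seen or u in removed:
                continue
            seen.add(u)
            comp.add(u)
            stack.extend(v for v in graph[u] if v not in seen and v not in removed)
        comps.append(comp)
    return comps


def articulation_points(graph):
    """Cut vertices via Tarjan's low-link DFS: removing any one disconnects the graph."""
    disc, low, parent, cut = {}, {}, {}, set()
    timer = [0]

    def dfs(u):
        disc[u] = low[u] = timer[0]
        timer[0] += 1
        children = 0
        for v in graph[u]:
            if v not in disc:
                parent[v] = u
                children += 1
                dfs(v)
                low[u] = min(low[u], low[v])
                is_root = u not in parent
                if (is_root and children > 1) or (not is_root and low[v] >= disc[u]):
                    cut.add(u)
            elif v != parent.get(u):
                low[u] = min(low[u], disc[v])

    for u in graph:
        if u not in disc:
            dfs(u)
    return cut


def report(edges):
    """Rank contributors by centrality and flag those the community cannot lose."""
    g = build_graph(edges)
    cent = degree_centrality(g)
    cut = articulation_points(g)
    return {
        "ranking": sorted(cent, key=lambda u: (-cent[u], u)),
        "cut_vertices": {u: len(components(g, {u})) for u in sorted(cut)},
    }


if __name__ == "__main__":
    print(report(INTERACTIONS))
```

Degree centrality alone does not separate the two risks: alice and dave have the same degree, but only dave is a cut vertex. Re-running the report on successive time windows of the interaction data gives the "evolution" view from the slide; a contributor that becomes a cut vertex between two windows is the early warning.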
Risk and business models
License models
• The license risk model was constructed based on
  – a literature review
  – available information on license properties from the Open Source Initiative (opensource.org), the Copyfree Initiative, the Free Software Foundation (www.gnu.org, www.fsf.org), the GitHub license finder (choosealicense.com), and from discussions with expert project partners (Cenatic, Xwiki)
• Measures and indicators are extracted
  – from the Fossology or Maven risk data providers
    • number of different licenses, kind of licenses, …
  – from expert advice
License risk model
[Figure: the license risk model arranged in three bands, measures (bottom), situations (middle) and events (top). Measures such as "# files without license" feed situations; situations are combined through AND / OR nodes and carry a value of exposure that propagates to the license risk events.]
Result of the risk analysis
[Figure: risk exposure per risk event, together with the contextual information: the context of the project in the organisation, each value either automatically retrieved or expert based.]
Licenses
• Permissive license
  – BSD | MIT | EFL | CDDL | Apache | Python
• Copyleft
  – GPL | AGPL | QPL | GFDL
• Copyleft, linking permitted
  – LGPL | EPL | CPL | SPL | QPL | MPL | NPL | EUPL
• No license
  – No license found | Unclassified License
• Source code required
  – GPL | LGPL | CDDL | CPL | EPL | MPL | Sleepycat | Oracle-Berkeley-DB | OpenGroup | SISSL | Interbase-PL | NPL | MS-RL | ErlPL
• Commercial license
  – BEA | IBM-EULA | RealNetworks-EULA | Adobe-EULA | MacroMedia | ATT-Source | Proprietary
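The measure-to-situation-to-event chain of the license risk model, run over a file-to-license scan, as an added example that is not RISCOSS or Fossology code. It uses the license categories listed above exactly as given (a license may fall into several of them, e.g. GPL is both "Copyleft" and "Source code required"); the tab-separated scan format, the thresholds that turn measures into situations, the AND / OR combination into events and the exposure value are assumptions, and the scan itself is constructed.

```python
"""License measures from a file-to-license scan, classified with the license
categories listed on the slide, then the measure -> situation -> event chain
of the license risk model. Added example, not RISCOSS or Fossology code: the
scan format, the situation thresholds, the AND/OR combination and the
exposure value are assumptions."""
from collections import Counter

# License categories as listed on the slide; a license can belong to several.
CATEGORIES = {
    "Permissive": {"BSD", "MIT", "EFL", "CDDL", "Apache", "Python"},
    "Copyleft": {"GPL", "AGPL", "QPL", "GFDL"},
    "Copyleft, linking permitted": {"LGPL", "EPL", "CPL", "SPL", "QPL", "MPL", "NPL", "EUPL"},
    "No License": {"No license found", "Unclassified License"},
    "Source Code Required": {"GPL", "LGPL", "CDDL", "CPL", "EPL", "MPL", "Sleepycat",
                             "Oracle-Berkeley-DB", "OpenGroup", "SISSL", "Interbase-PL",
                             "NPL", "MS-RL", "ErlPL"},
    "Commercial license": {"BEA", "IBM-EULA", "RealNetworks-EULA", "Adobe-EULA",
                           "MacroMedia", "ATT-Source", "Proprietary"},
}

# Constructed scanner output: "path<TAB>license", one file per line.
SCAN = """\
src/a.c\tMIT
src/b.c\tGPL
src/c.c\tLGPL
lib/d.c\tProprietary
lib/e.c\tNo license found
lib/f.c\tMIT
doc/g.md\tGFDL
lib/h.c\tFooBar-License
"""


def parse_scan(text):
    """{path: license} from the tab-separated scan."""
    files = {}
    for line in text.splitlines():
        if line.strip():
            path, lic = line.split("\t", 1)
            files[path] = lic.strip()
    return files


def categories_of(lic):
    """Categories of a license; a name the slide does not list counts as unclassified."""
    cats = {c for c, members in CATEGORIES.items() if lic in members}
    return cats or {"No License"}


def measures(files):
    """Raw measures: file count, files without license, distinct licenses, per-category counts."""
    by_cat = Counter()
    licensed = set()
    for lic in files.values():
        cats = categories_of(lic)
        by_cat.update(cats)
        if "No License" not in cats:
            licensed.add(lic)
    return {"n_files": len(files), "n_no_license": by_cat["No License"],
            "n_distinct_licenses": len(licensed), "by_category": dict(by_cat)}


def situations(m):
    """Situations (assumed thresholds): which conditions hold for this component."""
    c = m["by_category"]
    return {
        "files without license": m["n_no_license"] > 0,
        "copyleft present": c.get("Copyleft", 0) > 0,
        "commercial license present": c.get("Commercial license", 0) > 0,
        "source code required": c.get("Source Code Required", 0) > 0,
    }


def risk_events(s):
    """Events as AND / OR combinations of situations (assumed model)."""
    return {
        "Risk of license issues": (s["copyleft present"] and s["commercial license present"])
                                  or s["files without license"],
        "Intellectual property risk": s["files without license"],
    }


def exposure(m):
    """Value of exposure for the '# files without license' measure: share of such files."""
    return m["n_no_license"] / m["n_files"] if m["n_files"] else 0.0


def analyse(scan_text):
    """Full chain: scan -> measures -> situations -> events, plus the exposure value."""
    m = measures(parse_scan(scan_text))
    s = situations(m)
    return {"measures": m, "situations": s, "events": risk_events(s), "exposure": exposure(m)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyse(SCAN))
```

Treating an unrecognised license name as "No License" is the conservative choice for a risk model: a scanner label the taxonomy has never seen should raise the exposure until an expert classifies it, which is the "expert based" path on the result slide.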
The XML representation
…
Example: risk analysis in the model
[Figure: the i* model annotated for the risk analysis: actors; resources, tasks and goals; the impact links from the risk events; and the measures (the bug fix time histogram) attached to the risk drivers.]
Bayesian networks
Links between measures and risks using Bayesian networks
[Figure: Bayesian network with the measure nodes "Bug fix time" (states: 1 day, 10 days, 100 days) and "Critical bug fix time" (states: 1 day, 3 days, 10 days) linked to the risk node "Security risk" (states: Not sec. risk, Sec. risk), plus a node "Active community" (states: A, B, C). The links between the measures are labelled "correlation"; expert evaluation is used to train the Bayesian networks.]
Scenario for expert assessment
• (Random) scenarios: risk drivers and the value intervals of their distributions
[Table: one column per scenario (Scenario 1, Scenario 2, …, Scenario N) and one row per risk driver, e.g. 15 / 21 / …; 3 / 3 / …; 15 / 23 / …; mostly morning / mostly night / …; mostly weekdays / mostly weekdays / …; never / sometimes / …; the last row (? / ? / ?) is left for the expert's rating.]
• Expert assessment: evaluate how much the values of the risk drivers in the scenario impact the timeliness of the community (e.g., on the interval [1,5])
Links between measures and risks: expert evaluation to train the Bayesian networks
[Figure: the network with the distributions obtained from the expert evaluation. Bug fix time: 1 day 75 %, 10 days 20 %, 100 days 5 %. Critical bug fix time: 1 day 60 %, 3 days 30 %, 10 days 10 %. Security risk: Not sec. risk 65 %, Sec. risk 35 %. Active community A / B / C: X % / Y % / Z %. The links between the measures are labelled "correlation".]
Links between measures and risks: expert evaluation and measures to use the Bayesian networks for predictions
[Figure: the network with the measured distributions plugged in. Bug fix time: 1 day 55 %, 10 days 40 %, 100 days 5 %. Critical bug fix time: 1 day 60 %, 3 days 10 %, 10 days 30 %. Predicted Security risk: Not sec. risk 45 %, Sec. risk 55 %. Active community A / B / C: X % / Y % / Z %.]
Resulting Bayesian network
• A Bayesian network (BN) is a directed acyclic graph (DAG)
• It enables an effective representation and computation of the joint probability distribution over a set of random variables
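The two steps shown on the preceding slides, training the network from expert assessments of scenarios and then querying it with measured distributions, carried out on a small network with the slide's nodes. This is an added example, not RISCOSS code: the structure (the two measure nodes as parents of "Security risk"), the expert labels, the Laplace smoothing and the use of the slide's percentages as root priors are all assumptions, the expert scenarios are constructed, and the "Active community" node is left out because its values are not given.

```python
"""Toy Bayesian network with the slide's nodes: 'Bug fix time' and 'Critical
bug fix time' as parents of 'Security risk'. The conditional table is learned
from expert-labelled scenarios (the training step), then the network is
queried with hard or soft evidence (the prediction step). Added example, not
RISCOSS code; structure, expert labels and smoothing are assumptions."""
from collections import Counter
from itertools import product

# Node states as they appear on the slides.
BUG_FIX = ("1 day", "10 days", "100 days")
CRIT_FIX = ("1 day", "3 days", "10 days")

# Root distributions: the percentages on the training slide.
PRIOR_BUG_FIX = dict(zip(BUG_FIX, (0.75, 0.20, 0.05)))
PRIOR_CRIT_FIX = dict(zip(CRIT_FIX, (0.60, 0.30, 0.10)))

# Constructed expert assessments: (bug fix time, critical bug fix time, security risk?).
EXPERT_SCENARIOS = (
    [("1 day", "1 day", False)] * 4
    + [("1 day", "3 days", False)] * 2 + [("1 day", "3 days", True)]
    + [("1 day", "10 days", True)] * 2 + [("1 day", "10 days", False)]
    + [("10 days", "1 day", False)] * 2 + [("10 days", "1 day", True)]
    + [("10 days", "3 days", True)] * 2 + [("10 days", "3 days", False)]
    + [("10 days", "10 days", True)] * 3
    + [("100 days", "1 day", True), ("100 days", "1 day", False)]
    + [("100 days", "3 days", True)] * 2
    + [("100 days", "10 days", True)] * 3
)


def learn_cpt(scenarios, alpha=1.0):
    """P(Sec. risk | bug fix, critical fix) by counting expert labels with Laplace
    smoothing (alpha), so parent combinations no expert rated still get a value."""
    risk, total = Counter(), Counter()
    for bug, crit, is_risk in scenarios:
        total[(bug, crit)] += 1
        risk[(bug, crit)] += int(is_risk)
    return {(b, c): (risk[(b, c)] + alpha) / (total[(b, c)] + 2 * alpha)
            for b, c in product(BUG_FIX, CRIT_FIX)}


def _as_distribution(evidence, states, prior):
    """None -> prior; a state name -> hard evidence; {state: weight} -> soft evidence."""
    if evidence is None:
        return prior
    if isinstance(evidence, str):
        if evidence not in states:
            raise ValueError(f"unknown state {evidence!r}")
        return {s: float(s == evidence) for s in states}
    total = sum(evidence.values())
    return {s: evidence.get(s, 0.0) / total for s in states}


def p_security_risk(cpt, bug_fix=None, crit_fix=None):
    """P(Sec. risk) by enumeration over the two (independent) measure nodes."""
    pb = _as_distribution(bug_fix, BUG_FIX, PRIOR_BUG_FIX)
    pc = _as_distribution(crit_fix, CRIT_FIX, PRIOR_CRIT_FIX)
    return sum(pb[b] * pc[c] * cpt[(b, c)] for b, c in product(BUG_FIX, CRIT_FIX))


if __name__ == "__main__":
    cpt = learn_cpt(EXPERT_SCENARIOS)
    print("prior P(Sec. risk) =", round(p_security_risk(cpt), 3))
    print("given bug fix time = 100 days:", round(p_security_risk(cpt, bug_fix="100 days"), 3))
    # Measured distributions from the prediction slide, used as soft evidence.
    print("measured:", round(p_security_risk(
        cpt,
        bug_fix={"1 day": 55, "10 days": 40, "100 days": 5},
        crit_fix={"1 day": 60, "3 days": 10, "10 days": 30}), 3))
```

The soft-evidence path is the one that matches the prediction slide: the statistical analysis of the tracker yields a distribution over the states, not a single state, and that distribution replaces the root prior. The predicted value depends on the constructed expert labels, so it does not reproduce the 55 % shown on the slide.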
Reasoning on models
Risk and goal model reasoning
• Risk and goal model analysis: starting from knowledge about the values of properties of some nodes of the model (risk events, situations, goals, activities), infer knowledge about the values of properties of other nodes
• Specification of models: goal and risk models are specified
• Analysis of models: logic based, label propagation, …
• Analysis of results: analysis of the possibility and severity of a risk
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 

Recently uploaded (20)

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Modelling OSS Adoption Risks

2. Examples of OSS adoption Risks
 Component selection risks
– Selection effort ill-estimation
– Risk of wrong component selection
 Component integration risks
– Integration effort ill-estimation
– Risk of component integration failure
– Security risk
 Legal risks
– Intellectual property risk
– Risk of license issues
– Liability risk
© RISCOSS Consortium
3. Examples of OSS Measures and Risk indicators in OSS ecosystems
 Measures
– Long bug fix time: Critical & Blocker
– Long bug fix time: Total
– Commit frequency per week & Number of Commits
– Forum posts per day
– …
 Risk indicators
– Timeliness of the community
– Activeness of the community
– …
4. Modeling Risks: entities
 Risk characterized by
– Event(1): “the OSS component not maintained”
– Situation(2,3): “the community is not active”
 Measures & Risk Indicators
– Measure raw and derived evidences: “number of bugs fixed”
[Figure: the three entity types, Event, Situation, measure & Risk indicator]
1. Yudistira Asnar, Paolo Giorgini, and John Mylopoulos. Goal-driven risk assessment in requirements engineering. Requir. Eng., 16(2):101–116, 2011.
2. Daniele Barone, Lei Jiang, Daniel Amyot, and John Mylopoulos. Reasoning with key performance indicators. In The Practice of Enterprise Modeling, volume 92 LNBIP, pages 82–96, 2011.
3. Alberto Siena, Ivan Jureta, Silvia Ingolfo, Angelo Susi, Anna Perini, and John Mylopoulos. Capturing variability of law with Nomos 2. In ER’12, LNCS 7532, pages 383–396, 2012.
5. Modeling Risks: relationships
 Relationships between situations and events
– “expose”, “protect”: tell when a situation makes an event possible (or impossible)
– “increase”, “mitigate”: tell when a situation makes an event critical (or not influential)
 Relationship between risk events and goals / tasks
– “Impact” connects the strategic model with the risk model
[Figure: the relationship types expose, impact, mitigate]
6. Levels of representation: OSS ecosystems and risks together (in i*)
 Layer 3: Business / Strategic actors and goals of the OSS Ecosystem
 Layer 2: Situations and risk events
 Layer 1: Measures and risk drivers
[Figure: i* diagram. Actors: OSS Adopter, OSS Community; Goal: Maintain software; Resource: OSS component; Situations: Difficulty in code refinement, people on project; Risk event: Timeliness; Risk driver: measure of bug fixing time; relationships shown: expose, impact. Legend: Actor, Goal, Resource, Risk events, situation, Risk driver]
7. Statistical analysis of OSS projects and communities
8. Statistic: “Bug fix time”
 Study the “behavior” of the community in the project
[Figure: Statistical analysis of “Bug fix time” (in Xwiki OSS community), histogram of Bugs$Fix_time against count; Date Range: August 6th 2012 to August 6th 2013]
9. Community network analysis
 Analysis of the “structure” of the OSS communities and of their “evolution” via Social Network Analysis
– Centrality measures and Prestige measures to determine the “connectivity” of nodes
 e.g., to infer possible “critical” events in the community (such as a fork, a decrease in the activity)
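Slide 9 names the technique but not the computation. The following is an added example, not RISCOSS code: it builds an undirected interaction graph from two constructed snapshots of a community (who interacted with whom in each observation window), computes Freeman degree centrality, counts connected components, and turns the comparison into the two “critical events” the slide mentions (a decrease in activity, a split that may precede a fork) plus a concentration warning when one contributor holds most of the connectivity. The edge lists, the thresholds and the flag names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed interaction snapshots for one community, one per observation
# window: an edge (a, b) means a and b interacted (e.g. replied to each other
# on the project list or reviewed each other's patches). Not real data.
EDGES_2012 = [("alice", "bob"), ("alice", "carol"), ("alice", "dave"), ("alice", "erin"),
              ("bob", "carol"), ("carol", "dave"), ("dave", "erin"), ("erin", "bob")]
EDGES_2013 = [("alice", "bob"), ("alice", "carol"), ("dave", "erin")]


def build_graph(edges):
    """Undirected adjacency sets, one entry per contributor seen in the window."""
    g = defaultdict(set)
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return dict(g)


def degree_centrality(g):
    """Freeman degree centrality: neighbours / (n - 1), so 1.0 means 'interacts with everyone'."""
    n = len(g)
    return {v: (len(nb) / (n - 1) if n > 1 else 0.0) for v, nb in g.items()}


def connected_components(g):
    """Connected components: each one is a group that no longer interacts with the rest."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            comp.add(v)
            stack.extend(g[v] - seen)
        comps.append(frozenset(comp))
    return comps


def community_indicators(before, after, activity_drop=0.3, concentration=0.75):
    """Compare two snapshots and raise the risk indicators discussed on slide 9.

    activity_drop and concentration are constructed thresholds, not RISCOSS values.
    """
    gb, ga = build_graph(before), build_graph(after)
    ca = degree_centrality(ga)
    top = max(ca, key=ca.get)
    flags = []
    if len(after) < (1 - activity_drop) * len(before):
        flags.append("decrease in activity")
    if len(connected_components(ga)) > len(connected_components(gb)):
        flags.append("community split (possible fork)")
    if ca[top] >= concentration:
        flags.append(f"activity concentrated on {top}")
    return {"edges_before": len(before), "edges_after": len(after),
            "components_before": len(connected_components(gb)),
            "components_after": len(connected_components(ga)),
            "top_contributor": top, "top_centrality": round(ca[top], 3),
            "flags": flags}


if __name__ == "__main__":
    print(community_indicators(EDGES_2012, EDGES_2013))
```

With the constructed data the 2013 window has 3 interactions instead of 8 and falls apart into two groups, so both flags fire; running the same window against itself shows only the concentration warning, because alice is connected to every other contributor in 2012.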
10. Risk and Business Models
11. License models
 The license risk model was constructed based on
– literature review
– available information on license properties: Open Source Initiative (opensource.org), the Copyfree Initiative, the Free Software Foundation (www.gnu.org, www.fsf.org), the GitHub license finder (choosealicense.com), and discussions with expert project partners (Cenatic, Xwiki)
 Measures and Indicators are extracted
– from the Fossology or Maven risk data providers
• Number of different licenses, kind of licenses, …
– from expert advice
12. License risk model
[Figure: the model layers MEASURES, SITUATIONS, EVENTS]
13. License risk model
[Figure: detail of the license model; labels visible: “# files no lic.”, “val. of exposure”, “AND / OR / …”]
14. License risk model
[Figure]
15. Result of the risk analysis
[Figure]
16. Risk exposure
 Contextual information
[Figure: Context of the Project in the organisation; values automatically retrieved or expert based]
17. Licenses
 Permissive License
– BSD | MIT | EFL | CDDL | Apache | Python
 Copyleft
– GPL | AGPL | QPL | GFDL
 Copyleft, linking permitted
– LGPL | EPL | CPL | SPL | QPL | MPL | NPL | EUPL
 No License
– No license found | Unclassified License
 Source Code Required
– GPL | LGPL | CDDL | CPL | EPL | MPL | Sleepycat | Oracle-Berkeley-DB | OpenGroup | SISSL | Interbase-PL | NPL | MS-RL | ErlPL
 Commercial license
– BEA | IBM-EULA | RealNetworks-EULA | Adobe-EULA | MacroMedia | ATT-Source | Proprietary
18. The XML representation
[Figure: XML excerpt, elided in the transcript (…)]
19. Example: Risks analysis in model
[Figure: ACTORS; RESOURCES, TASKS, GOALS]
20. Example: Risks analysis in model
[Figure: impact; measures (Bugs$Fix_time histogram)]
21. Bayesian networks
22. Links between Measures and risks using Bayesian networks
[Figure: Bayesian network. Nodes and states: Bug Fix time Critical (1 day / 10 days / 100 days), Bug Fix time (1 day / 3 days / 10 days), Active community (A / B / C), Security Risk (Not sec. risk / Sec. risk). Labels: Measures, correlation, Expert evaluation to train the Bayesian Networks]
23. Scenario for expert assessment
 (Random) scenarios
 Risk drivers and value of the intervals of their distributions
 Expert assessment: evaluate how much the values of the Risk drivers in the scenario impact the Timeliness of the community (e.g., in the interval [1,5])
[Table, one column per scenario; the risk-driver names are not in the transcript]
Risk driver values    Scenario 1        Scenario 2        …   Scenario N
                      15                21                …
                      3                 3                 …
                      15                23                …
                      mostly morning    mostly night      …
                      mostly weekdays   mostly weekdays   …
                      never             sometimes         …
Expert assessment     ?                 ?                 ?
24. Links between Measures and risks
[Figure: the network of slide 22 after training. Labels: Measures, correlation, Expert evaluation to train the Bayesian Networks. Percentages shown, in the order of the states listed on slide 22: 75 %, 20 %, 5 %; 60 %, 30 %, 10 %; 65 %, 35 %; Active community A / B / C: X %, Y %, Z %]
25. Links between Measures and risks
[Figure: the same network used for prediction. Labels: Measures, Prediction, correlation, Expert evaluation and measures to use the Bayesian Networks for predictions. Percentages shown, in the same order: 55 %, 40 %, 5 %; 60 %, 10 %, 30 %; 45 %, 55 %; Active community A / B / C: X %, Y %, Z %]
26. Resulting Bayesian Network
 Bayesian network (BN)
– A BN is a Directed Acyclic Graph (DAG)
– It enables an effective representation and computation of the joint probability distribution over a set of random variables
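Slides 22 to 26 describe the network but not how a measure reaches the Security Risk node. The following is an added example, not RISCOSS code: it encodes the four nodes and states of slide 22 as a DAG, computes P(Security Risk | evidence) by enumeration over the hidden nodes (the joint factorises into the product of the conditional tables, which is the DAG property slide 26 refers to), and shows how raw fix times like those on slide 8 are discretised into the bins used as evidence. The conditional probability tables, the bug records and the cut points are constructed for illustration; in RISCOSS the tables come from the expert scenario assessment of slide 23.

```python
import statistics
from bisect import bisect_left
from itertools import product

# Nodes of the network on slide 22 with their states; the second tuple lists
# the parents. The dict is in topological order.
NODES = {
    "Active community": (("A", "B", "C"), ()),
    "Bug Fix time Critical": (("1 day", "10 days", "100 days"), ("Active community",)),
    "Bug Fix time": (("1 day", "3 days", "10 days"), ("Active community",)),
    "Security Risk": (("Not sec. risk", "Sec. risk"), ("Bug Fix time Critical", "Bug Fix time")),
}

# Constructed conditional probability tables (illustrative, not RISCOSS values).
CPT = {
    "Active community": {(): {"A": 0.5, "B": 0.3, "C": 0.2}},
    "Bug Fix time Critical": {
        ("A",): {"1 day": 0.85, "10 days": 0.12, "100 days": 0.03},
        ("B",): {"1 day": 0.60, "10 days": 0.30, "100 days": 0.10},
        ("C",): {"1 day": 0.30, "10 days": 0.40, "100 days": 0.30},
    },
    "Bug Fix time": {
        ("A",): {"1 day": 0.70, "3 days": 0.25, "10 days": 0.05},
        ("B",): {"1 day": 0.50, "3 days": 0.35, "10 days": 0.15},
        ("C",): {"1 day": 0.30, "3 days": 0.40, "10 days": 0.30},
    },
}
# P(Sec. risk | Bug Fix time Critical, Bug Fix time); "Not sec. risk" is the complement.
_P_SEC = {
    ("1 day", "1 day"): 0.05, ("1 day", "3 days"): 0.10, ("1 day", "10 days"): 0.20,
    ("10 days", "1 day"): 0.30, ("10 days", "3 days"): 0.40, ("10 days", "10 days"): 0.50,
    ("100 days", "1 day"): 0.70, ("100 days", "3 days"): 0.80, ("100 days", "10 days"): 0.90,
}
CPT["Security Risk"] = {k: {"Sec. risk": p, "Not sec. risk": 1.0 - p} for k, p in _P_SEC.items()}


def joint(assignment):
    """Probability of one full assignment: the product of the CPT entries along the DAG."""
    p = 1.0
    for node, (_, parents) in NODES.items():
        key = tuple(assignment[par] for par in parents)
        p *= CPT[node][key][assignment[node]]
    return p


def query(target, evidence):
    """P(target | evidence) by enumeration: sum the joint over the hidden nodes, then normalise."""
    hidden = [n for n in NODES if n != target and n not in evidence]
    dist = {}
    for state in NODES[target][0]:
        total = 0.0
        for combo in product(*(NODES[h][0] for h in hidden)):
            a = dict(evidence)
            a[target] = state
            a.update(zip(hidden, combo))
            total += joint(a)
        dist[state] = total
    z = sum(dist.values())
    return {s: p / z for s, p in dist.items()}


def discretize(value, cutpoints, labels):
    """Map a continuous measure onto a node's states; a value equal to a cut point stays in the lower bin."""
    return labels[bisect_left(cutpoints, value)]


# Constructed bug records (severity, fix time in days) standing in for the
# issue-tracker statistics of slide 8.
BUGS = [("Critical", 0.5), ("Critical", 12.0), ("Critical", 40.0), ("Critical", 9.0),
        ("Major", 2.0), ("Minor", 0.7), ("Major", 5.0)]


def evidence_from_bugs(bugs):
    """Turn raw fix times into evidence on the two measure nodes, using the median of each group."""
    critical = [d for sev, d in bugs if sev == "Critical"]
    everything = [d for _, d in bugs]
    return {
        "Bug Fix time Critical": discretize(statistics.median(critical), (1, 10),
                                            NODES["Bug Fix time Critical"][0]),
        "Bug Fix time": discretize(statistics.median(everything), (1, 3),
                                   NODES["Bug Fix time"][0]),
    }


if __name__ == "__main__":
    ev = evidence_from_bugs(BUGS)
    print(ev)
    print(query("Security Risk", ev))
    print(query("Security Risk", {"Active community": "A"}))
```

When both measure nodes are observed, the Active community node is summed out and the answer is the corresponding row of the Security Risk table; when only the community state is known, the two measure nodes are summed out instead, which is the prediction direction of slide 25.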
27. Example: Risks analysis in model
[Figure: impact; measures (Bugs$Fix_time histogram)]
29. Risk and goal model reasoning
 Risk and Goal model analysis
– Starting from the knowledge about values of properties of some nodes of the model (Risk events, Situations, Goals, Activities), infer knowledge about values of properties of other nodes
 Specification of models
• Goal and risk models are specified
 Analysis of models
• Logic based
• Label propagation
• …
 Analysis of results
• Analysis of the possibility and severity of a risk
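Slides 5, 13, 17 and 29 together describe the propagation but give no worked model. The following is an added example, not RISCOSS code: a small label-propagation evaluator in which scan measures (“# files no lic.”, the set of licenses found) label situations, composite situations combine others with AND / OR as on slide 13, situations reach events through expose / protect (possibility) and increase / mitigate (severity) as defined on slide 5, and events reach a goal through impact. The license classes are the ones listed on slide 17 (only the identifiers used here); the scan listing, the situation and event names, the three-level severity scale and the contextual flags are constructed for illustration.

```python
from dataclasses import dataclass

# License classes from slide 17, restricted to the identifiers used below.
# QPL appears under two classes on the slide; it is kept under "copyleft" here.
# Anything the scanner reports that is not in this table is treated as
# "Unclassified License", i.e. class "none".
LICENSE_CLASS = {
    "BSD": "permissive", "MIT": "permissive", "Apache": "permissive",
    "GPL": "copyleft", "AGPL": "copyleft", "QPL": "copyleft",
    "LGPL": "copyleft-linking", "EPL": "copyleft-linking", "MPL": "copyleft-linking",
    "No license found": "none", "Unclassified License": "none",
}
SEVERITY = ("low", "medium", "high")  # constructed qualitative scale


@dataclass
class Situation:
    name: str
    holds: object  # callable(measures, context) -> bool, or ("AND" | "OR", [situation names])


@dataclass
class Event:
    name: str
    relations: list  # (relation, situation name); relation in expose / protect / increase / mitigate
    base_severity: str = "medium"


@dataclass
class Goal:
    name: str
    impacted_by: list  # event names


def measures_from_scan(scan):
    """Derive the slide-13 measures from a (file, license) listing such as a Fossology report."""
    classes = {lic: LICENSE_CLASS.get(lic, "none") for _, lic in scan}
    return {
        "files_no_license": sum(1 for _, lic in scan if classes[lic] == "none"),
        "licenses": {lic for lic in classes if classes[lic] != "none"},
    }


SITUATIONS = {s.name: s for s in [
    Situation("files without license", lambda m, c: m["files_no_license"] > 0),
    Situation("copyleft present", lambda m, c: any(LICENSE_CLASS[l] == "copyleft" for l in m["licenses"])),
    Situation("many licenses", lambda m, c: len(m["licenses"]) >= 3),
    Situation("product is redistributed", lambda m, c: c["redistributed"]),  # contextual, expert based (slide 16)
    Situation("legal review done", lambda m, c: c["legal_review_done"]),     # contextual, expert based (slide 16)
    Situation("copyleft in redistributed product", ("AND", ["copyleft present", "product is redistributed"])),
]}

EVENTS = [
    Event("license incompatibility", [("expose", "copyleft in redistributed product"),
                                      ("increase", "many licenses"),
                                      ("protect", "legal review done")]),
    Event("unknown license terms", [("expose", "files without license"),
                                    ("mitigate", "legal review done")]),
]

GOALS = [Goal("Distribute the product", ["license incompatibility", "unknown license terms"])]


def eval_situations(measures, context):
    """Label every situation true or false; composite situations take the AND / OR of their parts."""
    truth = {}

    def ev(name):
        if name not in truth:
            spec = SITUATIONS[name].holds
            if callable(spec):
                truth[name] = bool(spec(measures, context))
            else:
                op, parts = spec
                values = [ev(p) for p in parts]
                truth[name] = all(values) if op == "AND" else any(values)
        return truth[name]

    for name in SITUATIONS:
        ev(name)
    return truth


def eval_events(truth):
    """expose / protect decide whether an event is possible; increase / mitigate move its severity."""
    out = {}
    for e in EVENTS:
        exposed = any(truth[s] for r, s in e.relations if r == "expose")
        protected = any(truth[s] for r, s in e.relations if r == "protect")
        level = SEVERITY.index(e.base_severity)
        level += sum(truth[s] for r, s in e.relations if r == "increase")
        level -= sum(truth[s] for r, s in e.relations if r == "mitigate")
        level = max(0, min(len(SEVERITY) - 1, level))
        out[e.name] = (exposed and not protected, SEVERITY[level])
    return out


def eval_goals(events):
    """A goal is at risk through 'impact' from every possible event; report the worst severity."""
    out = {}
    for g in GOALS:
        hits = [events[n][1] for n in g.impacted_by if events[n][0]]
        out[g.name] = max(hits, key=SEVERITY.index) if hits else "not at risk"
    return out


def analyse(scan, context):
    truth = eval_situations(measures_from_scan(scan), context)
    events = eval_events(truth)
    return truth, events, eval_goals(events)


# Constructed scanner output: (file, license as reported).
SCAN = [("src/a.c", "GPL"), ("src/b.c", "MIT"), ("src/c.c", "Apache"),
        ("src/d.c", "No license found"), ("lib/e.c", "LGPL")]

if __name__ == "__main__":
    for ctx in ({"redistributed": True, "legal_review_done": False},
                {"redistributed": True, "legal_review_done": True}):
        print(ctx, analyse(SCAN, ctx)[1:])
```

Running the same scan under two contexts shows the point of slide 16: the measures do not change, but whether a legal review has been done flips “license incompatibility” from a possible high-severity event to an impossible one and lowers the goal's risk from high to low.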
30. Example: Risks analysis in model
[Figure: impact; measures (Bugs$Fix_time histogram)]
31. Example: Risks analysis in model
[Figure: impact; measures (Bugs$Fix_time histogram)]