There are multiple reasons why Open Source Software OSS is a benefit for all organisations and in particular in Public Sector. All of the organisations represented on this call will be tasked with delivering solutions for specific requirements and at great speed. Why create those solutions from generic platforms and be dependent on their long release cycles to evolve the solutions when you can develop just what is needed and then share that with other PS orgs who can modify to suit their requirements which makes for rapid development and lack of redundancy Ultimately you will be able to control your own destiny and set your own pace for delivering exactly what is needed.

1. Protecode Inc. 2015 1
Leveraging Open Source Opportunity in the Public Sector
Without the Risk
February 27th 2015

2. Protecode Inc. 2015
Agenda
 Open Source Software
– Open source is a huge opportunity for the public sector
– The Benefits of Using Open Source
– Potential challenges
 Mitigating Risk
– Open source software adoption process (OSSAP)
– Establishing a baseline + a policy
 Optimising OSSAP
– When should worry about licence compliance?
– Crowdsourcing OSSAP
 Wrap up and Q/A
2
Tiberius Forrester,
Director, Solution
Architecture, Protecode
Martin Callinan,
Director,
Source Code Control

3. Protecode Inc. 2015
Opens Source Everywhere
 These companies have dedicated OSS Teams
3

4. Protecode Inc. 2015
Even Apple
4

5. Protecode Inc. 2015
OSS Opportunity in the Public Sector
 Create a market of Open Source Solutions
– Applications can be modified to suit individual requirement
 Faster time to market of solutions
 Efficiencies
– Pay for what is needed, use what you pay for
 Create a library of assets for re-use
 Ecosystem of communities
 Avoid individual vendor “lock-in”
5

6. Protecode Inc. 2015
Open Source Software
 Enables rapid software development
– Easy access to code
– Hundreds of thousands of projects
– Enables new business models
– The original crowd sourcing model (and most successful)
 The good:
– Faster, more functional
– Improves interoperability, adoption of standards
 The challenge:
– Uncertain ownership structure
• Intellectual property - copyright, license
• Maintenance and support
– Potential Security and quality vulnerabilities
– Requires due diligence – and a managed adoption process
6
Why OSS?

7. Protecode Inc. 2015
Copyright and Licences: It Matters!
 Copyrights are automatic – even when code is made public
– The person/organisation who wrote the code automatically owns the copyright
 Permission to use is contained in a license
– No Licence? Don’t use it
 Open source licences give you the right to use, modify and
(re)distribute, some with conditions, e.g.
– Reveal that you are using it
– Reproduce the full text of the license
– Disclose your entire source code
– Conditions may limit the combinations of licenses you
can use
– Some have bizarre obligations
 Choosing the right licences for the right types of use
– Distributed content and format, tools, etc.
7
Disclaimer: I am not a lawyer, and I don’t provide legal advice!

8. Protecode Inc. 2015
Security Vulnerabilities
8
 What is a security vulnerability?
“Weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited or
triggered by a threat source.”
Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
 Security Vulnerabilities are bound to occur
– In both OSS and proprietary software
 Known security vulnerabilities are tracked in the National
Vulnerability Data Base (NVD)

9. Protecode Inc. 2015
OSS Procurement Involves…
 Taking inventory of 3rd party components
 Clarification of IP ownership and licensing
 Ensuring licence models meet business expectations
 Compliance to license obligations
 Eligibility to export (encryption content)
 Minimising Security Risks
9

10. Protecode Inc. 2015
OSS Adoption Process (OSSAP)
Maturity Model
Voluntary policy
compliance with
Legal Advice
Manual search
and code review
In-house
Tools
Automated
Scanning with
Reference
Database
Integrated tool
suite within
Software
Development Cycle
10
A clearly defined and well communicated policy is essential in
maturing your OSS adoption processes

11. Protecode Inc. 2015
OSSAP
Open Source Software Adoption Process
11
Define a
Policy
Establish a
Baseline
Package
Pre-Approval
Scan in
Real-Time
Scan at
Regular
Intervals
Final Build
Analysis

12. Protecode Inc. 2015
What is in the OSS Policy
 What’s the Strategy
– Why do we need OSS, and why do we need a policy?
 Who are the Stakeholders
– Legal, product management, R&D, Security
– Ownership and buy-in is essential to successfully implement
 What’s the Scope
– Who’s covered, what’s covered
– Different rules for different groups or business units sometimes
necessary
 How to Apply
– Guidelines, whitelists & blacklists, tools, checklists, etc.
 How to Communicate
– Obligations, contributions, public forums

13. Protecode Inc. 2015
Establishing A Baseline
 Objective: Identify all 3rd party content
and identify licensing attributes
 Tasks:
– Inspect all source code and build
ingredients
to create Bill of Materials (BOM).
– Key files:
• Build files (makefile, POM files, etc.)
• Text files containing license text
• Text files that may make reference to
licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
13

14. Protecode Inc. 2015
Package Pre-Approval
 Request/Assess/Approve-Reject Process
 Information required for pre-approval
– Project Information
• Project name, URL, license, author(s), type, exportability, etc.
– Package Information
• Package name and version
• Source of package
• Package itself (for scanning)
• Security Vulnerabilities
– Usage Model
• Distribution model
– (binary, source, hosted, internal only, etc.)
• Types of derivatives
– (Modified? Linked? Loosely coupled?)
• Organization specific information
– Business unit
– Business justification
• Maintenance and support
14

15. Protecode Inc. 2015
Cost of Compliance At Different
Stages Of Development
15
License Management is most effective when applied early in
development life cycle
Development | Build/QA | In The Market
Real-Time
Preventative Measures
Periodic
Analysis
Build-Time & Pre-
Launch Analysis
Post-Launch
Correction
Software Package
Pre-Approval
C
O
S
T

16. Protecode Inc. 2015
Effort involved in fixing licensing issues at different stages in development
16
# of issues created
E
F
F
O
R
T
Issues are
created here…
…and resolved here
Issues are resolved
as they arise
Developers
Licensing
Team

17. Protecode Inc. 2015
Reporting Options
 Summary report
– High level view of the findings
– Highlight key findings, areas requiring attention
– Reference material on licenses found, best practices
 Detailed reports
– Detailed file-by-file
– CSV Export
– License obligations
– License incompatibilities
– Text of all licenses applicable to software packages
– Security vulnerabilities
– Export Control Classification Numbers (ECCN)
17
The first scan and review becomes a baseline. Subsequent scans are much
quicker since they leverage existing data.

18. Protecode Inc. 2015
Analyzer Raw Output
18

19. Protecode Inc. 2015
Summary Report
19

20. Protecode Inc. 2015
Licence Obligations Report
20

21. Protecode Inc. 2015
Security Vulnerability Report
21

22. Protecode Inc. 2015
Q&A
Please type your questions into the chat box to the right
22

23. Protecode Inc. 2015
• Software source code audits
• Legal risk/licence compliance
• OSS licence analysis, legal obligations as well as potential intellectual property (IP) risks
• Security vulnerabilities
• security vulnerabilities contained within components
• Operational risk
• evaluates if components meet your technical and architectural standards
• Community support
• Determines developer activity and resulting component viability based on commit history
• Ease the adoption of Open Source Software
• Create a structure to enable compliance with OSS licences requirements
• Enable greater use of OSS across the organisations
• Quality code
• Secure code
• Compliant code
• DevOps services
About Source Code Control Limited

24. Protecode Inc. 2015
About Protecode
 Open source compliance and security vulnerability management
solutions
– Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
 Accurate, usable and reliable products and services for organizations
worldwide
24

25. Protecode Inc. 2015
• Book an individual discussion : source@opensourcecontrol.com
• Managing existing OSS projects
• Planning for future OSS adoption
• Code reviews
• Meet us at UK-e-Health Week
• http://ukehealthweek.com/
• Useful resources
• European Commission OSS program
• https://joinup.ec.europa.eu/community/osor/home
• Open Source Initiative
• http://opensource.org/
• BCS Open Source Specialist Group
• http://ossg.bcs.org/
• For more information about Source Code Control Limited
• http://www.opensourcecontrol.com/
• Form more information about Protecode
• http://www.protecode.com/
Next Steps

26. Protecode Inc. 2015 26
info@protecode.com
www.protecode.com