Security in the Age of Open Source

•

0 likes•32 views

This document discusses application security in the age of open source software. Some key points: - Open source software is now a major component of commercial applications, with some having over 90% open source code. However, open source software can contain vulnerabilities. - There are over 34,000 known open source vulnerabilities discovered since 2000. Automated tools are missing many potential vulnerabilities. - It is difficult for organizations to control how open source enters their code bases and to keep track of vulnerabilities over time in the various open source components used. - Automating processes like inventory, mapping vulnerabilities, license compliance, and alerts can help organizations gain visibility and control over open source security risks.

Technology

Application Security 
in the age of 
Open Source
© Black Duck Software 2017

But security investment is often not aligned with actual risks

Open Source Changed the Way Applications are Built
20% Open
Source
2005
50% Open
Source
2010
Up to 90%
Open Source
TODAY
Open Source is the modern architecture
10% Open
Source
1998
Custom & Commercial Code
Open Source Software

Open Source in Commercial Software
22% of
applications
had
>50% open
source
Open Source
Custom Code
Custom Code
Custom Code
36%
OSS

Over 34,000 known open source vulnerabilities since 2000
Over 9,000 new
vulnerabilities in open source
since 2014
Over 80,000 total
vulnerabilities in NVD, only
63 reference automated
tools
• 50 of those are for
vulnerabilities reported in
the tools
• 13 are for vulnerabilities that
could be identified by a
fuzzer
0
1000
2000
3000
4000
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
NVD Black Duck exclusive

Timing is Opportunity
Taxes Due
April 30th
Site Shut Down
CVE-2017-5638
Reported by NVD
March 10th
Reported by
Nike Zheng
Patch available
March 5/6th
Public Exploit
March 7th
Introduced
v2.3.5
Fall, 2012 March 14th

Why Aren’t We Finding These in Testing?
• Static analysis
• Testing of source code or binaries for unknown
security vulnerabilities in custom code
• Advantages in buffer overflow, some types of SQL
injection
• Provides results in source code
• Dynamic analysis
• Testing of compiled application in a staging
environment to detect unknown security
vulnerabilities in custom code
• Advantages in injection errors, XSS
• Provides results by URL, must be traced to source
What’s Missing?
All possible
security vulnerabilities
FREAK!
Static
Analysis
Dynamic
Analysis

INTERNAL CODE
OUTSOURCED CODE
LEGACY CODE
REUSED CODE
SUPPLY-CHAIN CODE
THIRD PARTY CODE
OPEN SOURCE CODE
We Have Little Control Over How Open Source Enters The Code Base

Open Source is an Attractive Target
OPEN SOURCE IS USED EVERYWHERE
VULNERABILITIES ARE PUBLICIZEDEASY ACCESS TO SOURCE CODE
STEPS TO EXPLOIT READILY AVAILABLE

Who’s Responsible for Security?
DEDICATED SECURITY RESEARCHERS
ALERTING AND NOTIFICATION INFRASTRUCTURE
REGULAR PATCH UPDATES
DEDICATED SUPPORT TEAM WITH SLA
COMMERCIAL CODE
“COMMUNITY”-BASED CODE ANALYSIS
MONITOR NEWSFEEDS YOURSELF
NO STANDARD PATCHING MECHANISM
ULTIMATELY, YOU ARE RESPONSIBLE
OPEN SOURCE CODE

Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct
Advantage
INVENTORY
Open Source
Software
MAP
Known Security
Vulnerabilities
IDENTIFTY
License
Compliance
Risks
TRACK
Remediation
Priorities &
Progress
ALERT
New Vulnerabilities
Affecting You
Visibility AND Control
1 2 3 4 5

What Can You Do Tomorrow?
Speak with your head of security or application development and find out:
• What policies exist?
• Is there a list of components?
• How are they creating the list?
• What controls do they have to ensure nothing gets through?
• How are they tracking vulnerabilities for all components over time?

8 of the top 10  
Software Companies
(70 of the top 100)
6 of the top 8 
Mobile Handset Vendors
6 of the top 10
Investment Banks
24Countries
350+Employees
2,000Customers
About Black Duck
4
0
Founded 
2002
Of The Fortune 
100

What's hot

How to assign a CVE to yourself?

Ramin Farajpour Cami

3/ Black Duck @ OPEN'16

Kangaroot

Open Source software is the foundation for application development today. Open source use is growing rapidly worldwide because of the development cost reductions and innovation it enables. Black Duck discovers open source in nearly every application it analyzes and finds that 35% of the average commercial software application is open source. Home-grown applications typically contain 50% or more open source. The dramatic growth in open source use has been accompanied by an array of security and management challenges related to a lack of visibility into and control of the open source in use. Leading organizations are aggressively pursuing ways to increase their use of open source and do so without compromising effective security or management.

Welcome & The State of Open Source Security

Jerika Phelps

Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...

Synopsys Software Integrity Group

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for Devops

Jerika Phelps

F-Secure Radar offers you complete control over vulnerability management. It lets you: - Map your true attack surface, before someone else does - Measure yourself against PCI compliance - Improve your security measures with easy management - Get customized reports that fit your company’s needs - Scale and adapt F-Secure Radar to your needs - Use seamless API integration with 3rd party solutions F-Secure Radar is a European solution that can be implemented on premise or be used from the cloud.

F secure Radar vulnerability scanning and management

F-Secure Corporation

In this presentation, we discuss about the trend on application, cloud and cyber security. We analyze surveys on several hundred of companies to show the trend on security concerns, threats, and what controls companies are looking to do. It also introduce Pactera's cybersecurity capabilities in providing end-to-end managed services for application security testing, secure code review, penetration testing, application security - secure coding practice training, third-party supplier security risk assessment, data governance and ISO 27001 based assessments.

Pactera - Cloud, Application, Cyber Security Trend 2016

Kyle Lai

Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems. (Source: RSA USA 2016-San Francisco)

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Priyanka Aash

All regulatory requirements (HIPAA, PCI, etc.) include a mandate for assessing vulnerabilities in systems that manage or store sensitive data. Organizations often opt to conduct vulnerability assessments on an annual, quarterly, or even monthly basis. But while vulnerability assessment tools can identify unpatched or misconfigured code bases, these tools overlook a large portion of an organization’s attack surface: known vulnerabilities in applications that are built in-house. These applications will not have public updates, nor will the thousands of open source components they utilize be included in public disclosures. This is concerning because over 6,000 vulnerabilities in open source projects have been reported since 2014. Register for this webinar to discover how to protect yourself.

PCI and Vulnerability Assessments - What’s Missing?

Black Duck by Synopsys

Keynote - Lou Shipley

Jerika Phelps

Kaspersky Lab, one of the world’s fastest-growing cybersecurity companies and the largest that is privately-owned, presents a short story about the company - its Values, Business, Solutions, i.e. what we think and strive for in our business, how we develop our technologies and solutions to protect our customers and people around the globe against cyberthreats, as well as the results we've managed to achieve.

Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions

Kaspersky

Intercept X - Sophos Endpoint

DeServ - Tecnologia e Servços

Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...

Jerika Phelps

The first quarter of 2016 was a big one for new open source security vulnerabilities. The Glibc vulnerability was by far the biggest. It impacts nearly 900K of the 1 million different open source projects. In this webinar, we’ll dive into Glibc and the Q1 data to help you: - Understand latest trends in open source security threats and what it means to your organization in 2016 - Simple steps to quickly find and protect yourself from newly reported threats - Prepare your organization to respond to new vulnerabilities in open source projects

Q1 2016 Open Source Security Report: Glibc and Beyond

Black Duck by Synopsys

Secure coding presentation Oct 3 2020

Moataz Kamel

OWASP Day - OWASP Day - Lets secure!

Prathan Phongthiproek

Despite huge investments in anti-virus software, next-gen firewalls, and IPS platforms, companies are still getting hacked. The new generation of advanced targeted attacks bypasses traditional defenses and put sensitive data at risk. It takes just minutes from the time an organization is compromised to the exfiltration of sensitive data. What's needed is a security solution that can detect and block data center threats while allowing easy, appropriate access to the assets essential to running your business. This presentation from Imperva and FireEye addresses data center security requirements and solutions.

Detect & Remediate Malware & Advanced Targeted Attacks

Imperva

Automobiles are becoming increasingly intelligent, automated and most importantly, Internet-connected. This will exacerbate a problem that already exists. Much of the software that binds sensors and other car hardware together comes from third-parties. That software almost certainly contains open source components with security vulnerabilities. Vulnerabilities in open source are particularly attractive to attackers, providing a target-rich environment that may have disastrous implications to a moving vehicle.

Open Source: The Legal & Security Implications for the Connected Car

Jerika Phelps

Data Center Server security

xband

Detection and Response with Splunk+FireEye

Splunk

What's hot (20)

How to assign a CVE to yourself?

3/ Black Duck @ OPEN'16

Welcome & The State of Open Source Security

Synopsys Security Event Israel Presentation: New AppSec Paradigms with Open S...

Software Security Assurance for Devops

F secure Radar vulnerability scanning and management

Pactera - Cloud, Application, Cyber Security Trend 2016

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

PCI and Vulnerability Assessments - What’s Missing?

Keynote - Lou Shipley

Kaspersky Lab's Corporate Presentation - our Values, Business, Solutions

Intercept X - Sophos Endpoint

Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...

Q1 2016 Open Source Security Report: Glibc and Beyond

Secure coding presentation Oct 3 2020

OWASP Day - OWASP Day - Lets secure!

Detect & Remediate Malware & Advanced Targeted Attacks

Open Source: The Legal & Security Implications for the Connected Car

Data Center Server security

Detection and Response with Splunk+FireEye

Similar to Security in the Age of Open Source

Security in the Age of Open Source

Black Duck by Synopsys

September 13, 2016: Security in the Age of Open Source:

Black Duck by Synopsys

Secure development of code

SalomeVictor

At the Apache CloudStack Collaboration Conference in Montreal, Tim Mackey (Senior Technical Evangelist at Black Duck Software) presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

Effective application security programs rely on multiple sources for vulnerability data – from traditional static and dynamic testing, interactive testing, to manual and 3rd-party testing. Unfortunately, many organizations fail to consider the impact of open source software use and reuse on their security posture. This webinar will demonstrate how Black Duck Hub can identify security issues associated with open source usage and how ThreadFix’s correlation engine can provide a comprehensive view of an organization’s application security posture. In addition, the webinar demonstrates how ThreadFix’s HotSpot detection technology identifies security issues created by internally developed components – providing a complete of both open source and proprietary component usage.

Create a Unified View of Your Application Security Program – Black Duck Hub a...

Denim Group

As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Black Duck by Synopsys

As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious. Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily. In this session we’ll present: - How known vulnerabilities can make their way into production deployments - How vulnerability impact is maximized - A methodology for ensuring deployment of vulnerable code can be minimized - A methodology to minimize the potential for vulnerable code to be redistributed

Secure application deployment in the age of continuous delivery

Tim Mackey

Realities of Security in the Cloud

Alert Logic

Black Duck & IBM Present: Application Security in the Age of Open Source

Black Duck by Synopsys

As delivered at Interop ITX 2017. The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.

Security in the age of open source - Myths and misperceptions

Tim Mackey

Many Black Duck-related news stories in this week’s edition of Open Source Insight, thanks to the release of our 2017 Open Source Security and Risk Analysis detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges. Black Duck conducts hundreds of open source code audits annually, primarily related to merger and acquisition transactions. For the 2017 analysis, our Center for Open Source Research & Innovation (COSRI) analyzed over 1,000 applications and found both high levels of open source usage — 96% of the apps examined contained open source — and significant risk to open source security vulnerabilities — more than 60% of the apps contained open source security vulnerabilities. All security professionals concerned about vulnerabilities and license compliance will want to review the report, which can be downloaded from the Black Duck website. Emphasizing the need to stay on top of software security vulnerabilities is the NVD CVE listing for the month of April 2017, which now exceeds 900 entries, including CVE-2016-4899, a high to critical flaw where the datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors. On to this week’s top open source and open source security news…

Open Source Insight: Global Response to COSRI 2017 Open Source Security and R...

Black Duck by Synopsys

Presented September 15, 2016 by John Steven, CTO, Cigital; Mike Pittenger, VP Security Strategy, Black Duck Today, open source comprises a critical component of software code in the average application, yet most organizations lack the visibility into and control of the open source they’re using. A 2016 analysis of 200 commercial applications showed that 67% contained known open source vulnerabilities. Whether it’s a SaaS solution you deliver to millions of customers, or an internal application developed for employees, addressing the open source visibility and control challenges is vital to ensuring proper software security. Open source use is ubiquitous worldwide. It powers your mobile phone and your company’s most important cloud application. Securing mission critical applications must evolve to address open source as part of software security, complementing and extending the testing of in-house written code. In this webinar by Cigital and Black Duck security experts, you’ll learn: - The current state of application security management within the Software Development Lifecycle (SDLC) - New security considerations organizations face in testing applications that combine open source and in-house written software. - Steps you can take to automate and manage open source security as part of application development

Managing Open Source in Application Security and Software Development Lifecycle

Black Duck by Synopsys

To keep pace with the increasing demands of software development and delivery, the need for developers to leverage open source components and third party libraries continues to grow. Coupled with the escalating number of vulnerabilities these practices introduce, the result is an increased number of vulnerable entry points for cyber-criminals to exploit. However, this does not mean that companies should or must stop using components in their development efforts. Any company that forbids the use of components would be putting itself at a severe disadvantage in the digital economy. Developers though do need to consider the security aspects of using open source libraries and components as part of their build and testing process.

Building Blocks of Secure Development: How to Make Open Source Work for You

SBWebinars

Automobiles are incorporating a sophisticated mix of connectivity, driver assistance, and consumer device integration. Capabilities for integrating smart devices and utilizing Wi-Fi connectivity for wide area connectivity on the road is proliferating. The mix of consumer device, infotainment, and critical driver assist and safety technologies present a myriad of time to market and security challenges for auto manufacturers. Join us as auto technology experts discuss the "Auto IoT" environment and the latest tools, technologies, and design considerations for implementation and delivery.

Autos, Wi-Fi, and IoT

Rogue Wave Software

This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices. The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks

(Isc)² secure johannesburg

Tunde Ogunkoya

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

Black Duck by Synopsys

RVAsec Bill Weinberg Open Source Hygiene Presentation

Black Duck by Synopsys

Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.

Continuous security: Bringing agility to the secure development lifecycle

Rogue Wave Software

Outpost24 webinar - Api security

Outpost24

Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/ How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools. What can development teams do to keep pace with rapidly-evolving application security threats? The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks. In this session, you will learn: - New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments. - Best practices for designing and incorporating an automated approach to application security into your existing development environment. - Future development and application security challenges organizations will face and what they can do to prepare.

Empowering Application Security Protection in the World of DevOps

Black Duck by Synopsys

Similar to Security in the Age of Open Source (20)

Security in the Age of Open Source

September 13, 2016: Security in the Age of Open Source:

Secure development of code

Secure application deployment in the age of continuous delivery

Create a Unified View of Your Application Security Program – Black Duck Hub a...

Secure application deployment in the age of continuous delivery

Realities of Security in the Cloud

Black Duck & IBM Present: Application Security in the Age of Open Source

Security in the age of open source - Myths and misperceptions

Open Source Insight: Global Response to COSRI 2017 Open Source Security and R...

Managing Open Source in Application Security and Software Development Lifecycle

Building Blocks of Secure Development: How to Make Open Source Work for You

Autos, Wi-Fi, and IoT

(Isc)² secure johannesburg

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

RVAsec Bill Weinberg Open Source Hygiene Presentation

Continuous security: Bringing agility to the secure development lifecycle

Outpost24 webinar - Api security

Empowering Application Security Protection in the World of DevOps

More from FINOS

2019-03 - An introduction to FINOS

FINOS

Technology leaders (CTO, VP Infrastructure, etc.) at most organisations are always looking for better and more efficient ways to address business needs. Performance is one of the critical attributes leaders consider while making data center infrastructure decisions, but with limited budgets, cost efficiency becomes an important criteria as well. This talk will discuss both CapEx and OpEx advantages of open networking, combined with technical benefits that lead to easier automation, scaling and troubleshooting.

OSSF 2018 - Peter Crocker of Cumulus Networks - TCO and technical advantages ...

FINOS

This talk focuses on how Financial Services companies prepare for the next big technology step change while running a heterogeneous infrastructure environment (edge, fog, colo, primary data centre, etc). Financial Services companies are looking for best practices gleamed from hyper-scale companies like Facebook, Microsoft and Google who run highly efficient private and public clouds. The sharing of open hardware and data centre designs is a core strategy for these companies and the basis for the Open Compute Project (OCP). The Open Compute Project (OCP) was started by Facebook in 2011 with the idea of delivering the most efficient designs for scalable computing through an open source hardware community. We believe that openly sharing ideas, specifications, and other intellectual property is the key to maximizing innovation and reducing complexity in technology components. Goldman Sachs (a current board member of OCP) is one example of a company who is leveraging these designs. OCP designs are more efficient at the ingredient level (server, storage, networking) compared to traditional gear yielding energy savings of 15% + and reduced service costs of ≈ 50%. Also, OCP data centres achieve PUE's better than 1.1 (definition). In fact, IDC forecast that by 2020 OCP Servers are expected to represent 50% of the global market. In this session we would discuss the key strategies Financial Services companies need to consider now to simplify the migration and data centre transformation from conventional gear to OCP and open source. We would provide specific examples of how other Financial Services companies and large enterprises have made this transition. Additional goals would include: • Research findings – share results comparing OCP with legacy infrastructure from large enterprises who have tested OCP gear in their local facilities. • Facebook and Microsoft – help the audience understand which OCP designs from hyper-scale companies can be used for each environment (colo, edge, etc.)

OSSF 2018 - Steve Helvie of the Open Compute Network - Rethinking Infrastruct...

FINOS

The scale of modern software systems is growing beyond the capability of individuals and teams to keep track of them. This is caused by new software development and deployment technologies, DevOps automation, increasingly powerful hardware and massive use of open source. Traditional proprietary Software Composition Analysis (SCA) products, which were developed to help mitigate Open Source licensing and vulnerability risks, and ensure software is within company policy and industry compliant, have struggled to keep up with this new scale and its modern methods like continuous integration, continuous package updates and agile releases. Because proprietary solutions are unable to keep up, companies are working to build their own internal systems to plug the gaps, which takes away from their core business needs. The Eclipse Foundation recently announced a new project, OSCAR, to solve the problem of scaling SCA to modern needs with an Open Source approach. OSCAR, which stands for Open Software Composition Analysis Reinvented, aims to integrate the new building blocks into a complete installable SCA solution and act as an industry forum to coordinate coherent further development. Different from other “community driven” OSS projects, OSCAR is built around an industry consortium of supporters, which fund and contribute to the project, in an Eclipse Working Group (OpenSCA). Foundation of a Steering Committee, decision meetings on first milestone goals to build as well as first contributions are underway. The talk will explain why SCA is vital for any organization who works with Open Source, the OSCAR’s “hybrid” approach, and give an outlook on what to expect from OSCAR

OSSF 2018 - Stefan Just of Codescoop - OSCAR - a new approach to Software Com...

FINOS

OSSF 2018 - Nick Kolba of OpenFin - FDC3 and the Legacy of Web Intents

FINOS

Banks have been users of open source software for a long time, but now they are thinking seriously about giving back. A lot of internal resistance needs to be overcome, and lots of individuals within a large investment bank truly believe their piece of custom built software provides a competitive advantage. At Adaptive, we have seen a lot of very similar internal projects at various institutions, and have formed a view about what truly constitutes competitive advantage. What is good for the organisation may not be good for a given development manager. Further to the issues around over jealously guarding specific development efforts is the problem that what is open sourced is often far too coupled to a bank's non-open sourced tech stack. Causing more subtle difficulties in working with another bank's open sourced technology stack is that it is often implicitly coupled to their culture, processes or business model. Picking what to open source is a huge part of the challenge. In this talk, I will give Adaptive's view on what is competitive advantage, what to open source so that it is picked up by the wider community, and actual benefits are seen.

OSSF 2018 - Matt Barrett of Adaptive - Open sourcing a bank's software: exact...

FINOS

In this talk Jamie Jones, GitHub’s Principal Architect, Diane Mueller is Director, Community Development at Red Hat, and Maurizio Pillitu, FINOS DevOps Director, present what are the most common barriers and technical frictions that prevent financial institutions to fully embrace open source. The FinsServ Developer Experience is a new FINOS Program that aims to consolidate a safe, accessible and shared workflow for developers in the financial world, who are welcome to join the talk and share their experiences. The program leads will be on stage to present charters, updates and to call for the participation of developers and software vendors wanting to plug their build automation tools and data APIs inside the FINOS Developer Experience.

OSSF 2018 - Overcoming Compliance Barriers to Open Source Collaboration Infra...

FINOS

This training session will cover some of the topics from the OpenChain curriculum, including: introduction to intellectual property law as related to open source introduction to open source licenses overview of using open source software in products and open source license compliance considerations for open source contributions and projects The goal of this session is to provide basic foundation knowledge of open source software upon which to start building policy, process and practices within your organization.

OSSF 2018 - Jilayne Lovejoy - Training: Intro to Open Source

FINOS

The draw for financial services' use of open source in today's competitive environment is certainly built on the need to manage costs, but equally as important, to innovate and help solve business challenges. Implementing open source policies, processes and tools the right way could mean the difference between being a leader in the industry and costly mistakes that impact your reputation and bottom-line. In this session, Jeff Luszcz, Vice President of Product Management at Flexera, takes a deep dive into some of the common--and not so common--concerns and best practices surrounding using open source. Jeff will discuss the needs of the different open source culture types including compliance and security, how to manage commercial suppliers and compliance artifacts (third party notices, 'About' boxes, source bundles, etc.), and industry standards such as OpenChain and SPDX. Jeff will address lessons learned from deploying software composition analysis (SCA) scanning tools across the enterprise, the importance of developing processes that enhance the value of engineers and developers versus making their jobs harder, and how legal, engineering, and security work together to develop remediation policies that make sense. Jeff will also discuss how to work best with Open Source projects in order to give back to the community. Join Jeff for this talk if you are involved in open source use, compliance and security and want an in-depth look at both the expected and unexpected issues you could face in your open source efforts.

OSSF 2018 - Jeff Luszcz of Flexera - Day 2 - Open Source Culture, Standards, ...

FINOS

In this talk Jeff Luszcz, Vice President of Product Management at Flexera, explores the lessons learned over years of experience with Open Source consumption, the most common compliance and security issues, reasons for software component rejection, and tips and tricks for improving your compliance efforts. It is becoming common for open source compliance reviews to be performed both when a component is being first selected, or later on after the component has already been integrated into a system. This presentation will detail the most common reasons why an open source software component would be rejected for use or would be removed from an existing system due to compliance or security reasons. This talk will include a checklist of the most common compliance review failures as well as the differences in expectations between the creators of open source packages and their users. Common remediation tasks, go-no tests and documentation expectations will be discussed. The talk is for anyone involved with ensuring open source license compliance.

OSSF 2018 - Jeff Luszcz of Flexera - Common Open Source Intake Issues and How...

FINOS

Many firms first look to open source to lower the costs of their non-competitive technology, like back-office systems. This talk will show how open-sourcing software that is critical to an organization's competitive edge can create value by exploiting the network effects of collaborative development. Jared Broad, CEO of QuantConnect, will explore why his company open-sourced LEAN, its radically open source algorithmic trading platform, and how QuantConnect has attracted over 60,000 engineers with its professional-grade backtesting and live-trading system used by banks and funds globally.

OSSF 2018 - Jared Broad of QuantConnect - Motivations and Business Goals for ...

FINOS

Pull Requests? Upstream Remotes? Compact Discs? Understanding how to publish code developed inside your organization into the Open Source world can leave you with more questions than answers. In this talk, we will cover key strategies, as well as the workflows and tools that make it possible, for moving past merely consuming open source on GitHub to becoming contributors. Whether you are an IT Manager or Head of Open Source, you will walk away with tips to on how to contribute while staying compliant with legal, technical and security approvals within your organization.

OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...

FINOS

Today, open source dominates IT and communications infrastructure from the cloud to corporate data centers and the emerging edge. But open source with its rapid pace of development, frequent releases, and prolific patch set defies traditional practices and conditions for building mission- and business-critical software: stability, auditability and standards-compliance. This talk will examine how companies address this "impedance mismatch" in consuming, integrating and deploying open source in applications that demand predictability and sustainability. In particular, the presentation will cover (re)defining mission- and business-critical in the context of open source technology-centric and process-based approaches to OSS-derived product life-cycles forking and minimizing technical debt building community visibility to support derived product roadmaps

OSSF 2018 - Greg Olson of Open Source Sense - Building Mission- and Business-...

FINOS

Collaboration within open source projects is becoming increasingly important for most companies, but it can be difficult to strike the right balance between the needs of the company and the open source project. Dawn Foster works on open source software strategy at Pivotal and has 20+ years of experience leading open source software initiatives at companies like Puppet Labs, Intel, and Jive Software. Her talk will focus on how companies can develop a successful strategy for participation and collaboration in open source projects, including how to be a good corporate citizen.

OSSF 2018 - Dawn Foster of Pivotal - Open Source Collaboration: Finding the R...

FINOS

Innovation in the past decade has been been propelled by collaborative yet market-driven approaches to intellectual property rights. The standard setting process is a prime example of such a collaborative effort by incorporating the best intellectual property of a given field into a standard and insuring such standard essential patents (SEPs) are then licensed to adapters on fair, reasonable and non-discriminatory (FRAND) terms. This construct has resulted in groundbreaking technology in sectors ranging from telecommunications to autonomous vehicles. However, some have argued that SEPs are incompatible with open source licenses. Examining the historical record of open source development, the open source definition and relevant case law shows that open source and SEPs can and do work together to protect intellectual property rights and spur innovation.

OSSF 2018 - David Kappos of Cravath, Swaine & Moore - Accounting for Patents ...

FINOS

Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges. Over the past few years, we have seen a variety of open source vulnerabilities wreak havoc across the web (Heartbleed, Shellshock, and POODLE) which woke organizations up to the risks that come along with the convenience of using open source components. Join our session to: Learn how open source security vulnerabilities are found Learn how to address any open source security concerns within your organization Understand the difference between securing your open source components and your proprietary code Learn how to automatically detect vulnerable open source components and prioritize security alerts

OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101

FINOS

Inner source applies the lessons learned from open source way of developing software within organizations. This helps to scale organizations development strategy, break silos of developers, encourage internal collaboration, and be faster to market. If we think about why open source has been so successful, we have to consider attributes such as transparency, communication, collaboration, innovation or meritocracy. And this can be applied internally within the walls of each organization creating an 'internal open source' or the so called inner source. As more and more developers are becoming used to platforms such GitLab, GitHub, or Bitbucket, those are willing to use similar infrastructure and modern tools internally at their organizations. Thus, inner source is another way to modernize development teams, but at the same time, a way to be close to how open source is developed from a cultural point of view, process, and tooling. Inner source can be considered then as a pre-step to publicly release a project. Ideally, only a press-button-action is the difference between having that project as inner source within the organization, or as open source, available to everyone. Daniel will discuss best practices for innersourcing based on his participation in InnerSource Commons, a community of practitioners built for developing and sharing knowledge and patterns for successful innersourcing.

OSSF 2018 - Daniel Izquierdo of Bitergia / InnerSource Commons - Starting wit...

FINOS

Leading Fintech companies are bullish on Open Source, but most of them still don't know how to get involved in ways that harmonize with the Regulatory climate of the Financial Services industry. In this talk you'll learn how to maintain Security within transparently developed software assets and how to teach your internal developers to collaborate safely and sanely? You'll hear about the best pathways to building an Open Source program at your Fintech company without costly mistakes that can reflect badly on your brand. Lastly you'll learn about a community of practice that is perfectly suited to the needs of Fintech companies looking to get started in Open Source.

OSSF 2018 - Danese Cooper of NearForm - Getting the most out of Open Source i...

FINOS

The Developer (GrokOpen - Colin Charles) Your popular OSS project gets corporate-backing & widespread community adoption. You create an enterprise supported version as it's easier to sell an "enterprise spin-off with support" that is better than the currently "stable" community edition. It flourishes as the money starts rolling in. Is one version better than the other? The community gets annoyed but you need resources to keep the releases coming and the code maintained. Just because it’s open source doesn’t mean it’s free. Forking happens. Rewind. What works? What doesn’t work? How do you manage the split personality nature well to keep management as well as the community happy. Learn from other successful models as well as the many failed experiments.

OSSF 2018 - Colin Charles of GrokOpen - Community vs. enterprise how not to ...

FINOS

OpenChain is a scalable, flexible compliance programme, developed by the Linux Foundation. Based on well-understood compliance programmes such as ISO 27001, it maps existing supply-chain procurement and production practices from other sectors into software development. It provides a great foundation for businesses of all sizes to adopt appropriate practices and procedures in place to control development and supply chain risks, with particular emphasis on open source licence compliance. Already adopted by companies like Qualcomm, Siemens, Toyota and ARM, it’s rapidly becoming a procurement standard for open source and open-source-derived software. The speaker, Andrew Katz, has helped companies of all sizes to adopt open chain procurement practices, and presents case studies on the process and benefits.

OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...

FINOS

More from FINOS (20)