A blow-by-blow discussion of key open source software-related issues and deal points from the point of view of buyer/investor vs. seller/investee. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to speed and smooth negotiations, avoid protracted due diligence and get better deal terms, increasing overall value.
Tony Decicco, Shareholder and Leon Schwartz, Associate both from GTC Law Group & Affiliates presented "You've got your open source audit report, now what? Best practices for companies of all sizes." For more information, please visit our website at www.blackducksoftware.com
A number of interesting legal developments in open source took place in 2016. We’ll examine a few of the top legal news stories and the current real-world risk of open source use as well as a discussion of defensive and offensive uses of open source.
Adam Kessel, principal, Fish & Richardson, P.C. presented, "Patents and Open source Known and Unknown Risks." For more information, please visit our website at www.blackducksoftware.com.
Companies are constantly seeking ways to ensure their application code is secure and effectively managed. For example, M&A assessors conduct one-time code audits on companies they are buying to avoid legal, operational or security pitfalls. Other organizations are proactive, using an ongoing solution to make sure their application code is secure and well managed on a day-to-day basis. Increasingly, many companies are opting to use both approaches. Join Bob Genshaft, Director Strategic Programs at Wolters Kluwer, and Black Duck's VP and General Manager On-Demand Audits Phil Odence for a discussion that will address key open source security and management questions:
· When is it appropriate to conduct an audit?
· When should your company consider an ongoing solution?
· What are the benefits of doing both?
· What does an effective Open Source Policy look like?
Strategies to Reap the Benefits of Software Patents in an Open Source Softwar... (Black Duck by Synopsys)
In this session you will learn effective and practical strategies to reap the benefits of software patents in an open source software environment. As open source software compliance litigation grows, patent holders have increasingly turned to open source software licensing strategies for their patented technologies
Open Source Insight: Who Owns Linux? TRITON Attack, App Security Testing, Fut... (Black Duck by Synopsys)
We look at the three reasons you must attend the FLIGHT Amsterdam conference; how to build outstanding projects in the open source community; and why isn’t every app being security tested? Plus, in-depth into the TRITON attack; why 2018 is the year of open source; how open source is driving both IoT and AI and a webinar on the 2018 Open Source Rookies of the Year.
Open Source Insight is your weekly news resource for open source security and cybersecurity news!
FLIGHT Amsterdam Presentation - Don’t Let Open Source Software Kill Your Deal (Black Duck by Synopsys)
Flight Amsterdam presentation by Anthony Decicco, Shareholder, GTC Law Group
Open source software is increasingly centric to transactions, whether licensing, mergers, acquisitions, financing, insurance, offerings or loans, and the deal landscape is changing with the prevalence of representation and warranty insurance, heightened focus on security vulnerabilities and increasing litigation. As such, it is important to understand and re-visit key open source software-related issues and deal points to accelerate your deal, avoid unnecessary due diligence and realize the most value from your open source software-related compliance efforts.
Patching software is a constant challenge. The Equifax hack and subsequent FTC investigation have shown us that required patches aren’t limited to those published by commercial vendors. Open source updates are just as critical; tracing new vulnerabilities and updates to applications in which those components are used isn’t just a good practice, it’s a regulatory requirement.
A focused approach to managing open source risk is essential as the legal landscape quickly evolves, including requirements under the FTC Act, HIPAA, and the European Union’s General Data Protection Regulation (GDPR). Coupled with heightened regulatory enforcement, these requirements increase the pressures on companies to maintain data privacy and security. This session will cover common misconceptions about these requirements, and explain why open source management is essential to your overall security strategy.
Presented by Mark Radcliffe on October 12, 2016
This webinar examined the implications of recent developments in open source compliance and litigation. It touched on a series of Linux-related cases and stepped up compliance activity in Germany, in addition to current patent suits against Apache projects. The new litigation was discussed in the context of prior similar cases such as the Versata-Ameriprise case. Additionally, the webinar provided an overview of compliance best practices and how to reduce the risk of open source compliance and litigation.
Black Duck and Tech Contracts Academy discussed the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.
David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and aims to educate on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb... (Black Duck by Synopsys)
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open... (Black Duck by Synopsys)
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
Open Source Insight: GitHub Finds 4M Flaws, IAST Magic Quadrant, 2018 Open So... (Black Duck by Synopsys)
A big news week for Synopsys and Black Duck as Gartner releases the 2018 Gartner Magic Quadrant for Application Security Testing and the 2018 Open Source Rookies of the Year are announced. More on these stories and the hottest open source security and cybersecurity news in this week’s Open Source Insight!
This annual review will highlight the most significant legal developments related to open source software in 2019, including:
• Evolution of open source: control, sustainability, and politics
• Litigation update: Cambium and Artifex cases
• Patents and the open source community
• Impacts of government sanctions
• The shift left for compliance and rise of bug bounty programs
• And much, much more
For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html
Securing and automating your application infrastructure meetup 23112021 blior mazor
Stay safe, grab your favorite food and join us virtually for our upcoming "Securing and Automating your application infrastructure" meetup to hear about the vast changes modern application deployment, application security in containers, ways to find vulnerabilities in your code and how to protect your application infrastructure.
Virtually every organization uses open source software, and lots of it, to create efficiencies in software development. But left unmanaged, open source can introduce legal, IP, compliance, and other risks for the business. With over 2,500 different licenses in use, legal professionals and technical managers need to understand the license obligations associated with open source and how to mitigate risks. For more information, please visit our website at www.synopsys.com/open-source-audit
Lysa Bryngelson, Sr. Product Manager for Black Duck Binary Analysis at Synopsys, presented on a recent webinar. During the webinar, she discussed how one of the biggest challenges companies face with third-party software is the lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media. For more information, please visit our website at www.synopsys.com/blackduck
Open Source Insight: AppSec for DevOps, Open Source vs Proprietary, Malicious... (Black Duck by Synopsys)
Welcome to the March 2nd edition of Open Source Insight from Black Duck by Synopsys! We look at places you’d never expect to find GDPR data, as well as answers to your most-frequently-asked GDPR questions. Synopsys Principal Scientist Sammy Migues explores why enterprises must have a software security program while Black Duck Technology Evangelist, Tim Mackey, takes a look at building application security into the heart of DevOps. Plus, a report that may give you nightmares on the malicious possibilities of AI. All the cybersecurity and open source security news fit to print lies ahead for your reading pleasure…
This presentation from AppSec 2016 covers video game security and hacking video games including how to analyze your business risk, common attacks and protection, and specific tactics to lower your risk.
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud (Black Duck by Synopsys)
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
Application security meetup k8_s security with zero trust_29072021 (lior mazor)
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
BSIMM: Bringing Science to Software Security (Cigital)
There is an old management adage that says “You can’t manage what you don’t measure.” The Building Security in Maturity Model (BSIMM) applies scientific principles to the field of software security to effectively measure security activities across industries and business units. The BSIMM enables experts like you to discover what exists in the application security universe, how those things work today, how they worked in the past and how they are likely to work in the future.
There are multiple reasons why Open Source Software (OSS) is a benefit for all organisations, and in particular in the Public Sector.
All of the organisations represented on this call will be tasked with delivering solutions for specific requirements and at great speed. Why create those solutions from generic platforms and be dependent on their long release cycles to evolve the solutions when you can develop just what is needed and then share that with other PS orgs, who can modify it to suit their requirements, which makes for rapid development and lack of redundancy?
Ultimately you will be able to control your own destiny and set your own pace for delivering exactly what is needed.
Proactive sell-side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoids lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na... (Black Duck by Synopsys)
Anthony Decicco, shareholder, GTC Law Group presented at FLIGHT West 2018. His session description included:
A buyer and investor focused discussion of key open source software-related issues and deal points. Understanding the key legal and technical risks, as well as strategies for mitigating them, will help you to focus due diligence, speed and smooth negotiations and get better deal terms, increasing overall value and avoiding post-transaction surprises.
For more information, please visit us at www.blackducksoftware.com
Software audit for acquisition due diligence with nexB (nexB Inc.)
When you consider acquiring a company, you need to know about any software licensing risks associated with open source software product and how to mitigate them.
nexB is a trusted third-party who can quickly analyze products of any size and technology to support your acquisition due diligence process. We provide a turnkey service that minimizes the impact on both Buyer and Seller while you are both very busy with other activities.
A nexB software audit provides you with a comprehensive and actionable report of software IP issues supported by a detailed software inventory at the component and file level. We can tailor the depth of analysis to fit your concerns and schedule.
For more information, please visit http://www.nexb.com/acquisition_due_diligence_audit.html.
Mohammad Rezaei, Goldman Sachs: Financial Services Open Source Participation.
Open source software has had a significant growth trajectory in financial services in the last decade. The ability to use, contribute to and own open source software is fast becoming a requirement for a healthy technology driven organization. Traditional financial services enterprises face potential legal, cultural and regulatory impediments when it comes to open source interaction. In this talk we’ll walk you through recipes to enable your enterprise to become a proper open source community member. We’ll point out common pitfalls and ways to avoid them. We’ll give you a way to evaluate your degree of openness, so you can measure and improve it.
Companies’ use of open source software has surpassed the occasional and solidified itself as the mainstream. Effectively identifying and managing the compliance and security risks associated with open source software can be a difficult task. Whether a company is acquiring another company, preparing for acquisition or simply wanting to manage their use of open source, the universal first step is to figure out the composition of the code, often via an audit. But what do you do once you have the audit report?
For more information, please visit our website at https://www.synopsys.com/open-source-audit
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver on to discuss the hot topics generating buzz in the year to come.
Software has tremendous commercial potential that’s growing every day. So when you work in a federal lab, you need to know how to harness it! Our webinar will help you figure out how to make this underestimated intellectual property (IP) part of your T2 strategy.
This webinar will help you understand the basics of software protection and commercialization, and how they can fit into your T2 program, including:
- Methods of protecting software
- GOGO and GOCO processes and their differences
- Various software distribution models and their merits
Our panel features three T2 experts in thinking out–of–the–box, who have made software work for them—Barry Datlof, Army Medical Research and Materiel Command; Kathleen McDonald, Los Alamos National Laboratory; and Aaron Sauers, Fermilab.
The panelists will also use participants’ input and feedback to hone the “Software Topics” session they’re presenting at this year’s national meeting—tailoring it to your needs.
FLIGHT WEST 2018 Presentation - Continuous Monitoring of Open Source Componen... (Black Duck by Synopsys)
Basma Shahadat, Lead Research Engineer presented at Black Duck Flight West 2018. Security checking in the early stages of the SDLC is critical. This session will demonstrate how Proofpoint is taking proactive steps to reduce risk by integrating Black Duck into Proofpoint’s continuous integration pipeline to detect open source vulnerabilities during the product build. For more information, please visit us at https://www.blackducksoftware.com/
FLIGHT WEST 2018 Presentation - Integrating Security into Your Development an... (Black Duck by Synopsys)
Utsav Sanghani, Product Manager, Integrations and Alliance at Synopsys presented on how to "Black Duck your Code Faster with Black Duck Integrations." For more information, please visit www.blackducksoftware.com
Black Duck On-Demand audits of more than 1,100 commercial applications in 2017 illustrate the ongoing challenges that organizations face in effectively identifying and securing open source.
FLIGHT Amsterdam Presentation - Open Source, IP and Trade Secrets: An Impossi... (Black Duck by Synopsys)
At Flight Amsterdam, Fenna Douwenga, Associate, Bird & Bird, provided practical tips on open source licenses, intellectual property rights, and trade secrets. During the presentation, Fenna reviewed the everlasting conflict between patents, copyright and open source and how it can be overcome. Additionally, the new European Trade Secrets Directive was discussed, including how some of its requirements may, for instance, conflict with the GNU General Public License. Furthermore, a quick outline was given of the influence of Brexit on licenses concluded under UK law and how potential problems can be prevented.
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide (Black Duck by Synopsys)
Flight Amsterdam Presentation by Daniel Hedley and Georgie Collins, Partners, Irwin Mitchell looked at the intersection of the GDPR and open source software management and the laws which govern how organisations must respond to data breaches (including GDPR and NISD), how to prepare for a data breach, and what to do if the worst happens.
2018 is the Open Source Rookies report’s 10th anniversary, brought to you by Black Duck by Synopsys. This infographic shows the impressive number of projects started in 2017 and the distribution across the world and a wide range of categories. Narrowing them down was hard! The open source community continues to produce innovative and influential open source projects.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G... (Black Duck by Synopsys)
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: Big Data Breaches, Costly Cyberattacks, Vuln Detection f... (Black Duck by Synopsys)
This week’s Open Source Insight features a powerful visualization tool displaying the world’s biggest data breaches at name brands such as Ebay, Equifax, Anthem, and Target. The White House and British Foreign Office have condemned a cyber-attack launched by the Russian military on Ukraine and hint at reprisals. Black Duck brings open source vulnerability detection to Kubernetes, and Synopsys will host Elevate, an evening thought leadership event at Embedded World 2018 featuring an elite group of international cyber security experts leading a discussion about IoT and embedded systems security threats and solutions.
Read on for all the open source security and cybersecurity news you need to know this week.
Open Source Insight: Happy Birthday Open Source and Application Security for ... (Black Duck by Synopsys)
Opinions differ on exactly when, but open source turned twenty this year. Most security breaches in 2017 were preventable (you hear that, Equifax?), and it’s time to take a look back to prevent similar breaches in 2018. iPhone source code gets leaked (for a short time). And keeping medical devices, voting machines, automobiles, and critical infrastructure safe in a world of increasing application risk.
Read on for open source security and cybersecurity in Open Source Insight for February 9th, 2018.
Open Source Insight: Security Breaches and Cryptocurrency Dominating News (Black Duck by Synopsys)
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
Principal engineer at MITRE, Bob Martin, examines the potential security issues introduced by the Internet of Things and proactive measures you can take to address those issues.
Open Source Insight: IoT Security, Tech Due Diligence, and Software Security ... (Black Duck by Synopsys)
A grab-bag of open source security and cybersecurity news is in this week’s edition of Open Source Insight. Is “many eyeballs” not enough? Some security researchers think Linus’ Law doesn’t work anymore. Black Duck by Synopsys kicks off a new video series with MITRE IoT expert, Bob Martin. Learn how open source tech due diligence helped one company close a deal securely. Should “Privacy Day” be renamed to “Lack of Privacy” day? Plus, an eye-catching infographic on how too little software security training is putting many companies at risk.
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming (Black Duck by Synopsys)
Cybercriminals are expected to extend their threat deeper into ransomware and IoT. In a just-released report, Synopsys examines the four “tribes” of CISOs, and the characteristics of each. A link to the complimentary report is below. And with the GDPR going into force in just four months, businesses are scrambling for compliance.
All these cybersecurity stories and more in the January 19th edition of Open Source Insight.
Open Source Insight: Balancing Agility and Open Source Security for DevOps (Black Duck by Synopsys)
Lots of DevOps news this week, including why automation is critical for securing code, as well as balancing agility with security needs. Learn how to manage security in GitHub projects with CoPilot from Black Duck Software. Pre-GDPR, Carphone Warehouse gets hit with £400k fine over a 2015 hack. And why you should think like your attackers when developing your cybersecurity portfolio.
Read on for this week’s cybersecurity and open source security news in Open Source Insight!
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything” (Black Duck by Synopsys)
Welcome to 2018, with the disclosure of two major security flaws that put any computing device with chips from Intel, AMD and ARM at risk. One security flaw, dubbed Meltdown, impacts Intel semiconductors, enabling bad guys to steal passwords. The other security flaw, Spectre, impacts chips from all three companies. During an interview with CNBC covered by Reuters, Intel’s chief executive noted that “Phones, PCs, everything are going to have some impact, but it’ll vary from product to product.”
In other cybersecurity news, we look at 10 open source technologies you need to know about, cybersecurity predictions for 2018, and an interesting white paper published by the University of Michigan on identifying cybersecurity threats in connected vehicles.
Open Source Insight: 2017 Top 10 IT Security Stories, Breaches, and Predictio... (Black Duck by Synopsys)
We’re winding up 2017 with the leading security stories of the year, as well as what 2018 might bring in terms of open source and cybersecurity. Several Black Duck and Synopsys bloggers weigh in with articles ranging from the need for SCA (software composition analysis), through how developers can navigate the sometimes stormy seas of software security, to addressing the issues of open source in tech contracts.
From Black Duck Software and Synopsys, we wish you a happy holiday season and will see you again in 2018!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
20 Comprehensive Checklist of Designing and Developing a Website (Pixlogix Infotech)
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor... (SOFTTECHHUB)
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
4. 4
Background: Software+
• More than just open source software
• Typically any third party in-licensed software
• Commercial, freeware and open source
• In any form: Object code, binary code, source code, firmware, microcode, drivers, libraries, routines and subroutines
• Extends to: APIs, SDKs, protocols, specifications and interface definitions
• Not just embedded, but also for development and internal use
• Covers inbound SaaS offerings
• Sometimes applies to:
• Hardware
• Data
• Inbound content
Really any in-licensed software/service (or more) for developing, maintaining, supporting and offering your products and services
5. 5
Background: Transactions
• Applies to all sorts of transactions
• Mergers & acquisitions
• Divestitures
• Financings, including VC/PE investments
• Loans
• IPOs
• Customer/license agreements
• Reps and warranties insurance
6. 6
Background: Business Models
• Applies to all sorts of business models
• Traditional distributed
• Hosting
• SaaS
• PaaS
• IaaS
• Internal use
• In support of professional services
8. 8
Background: The Inadvertent Software Company
Agriculture
Banks and Financial Services
Automotive
- Parts
Design/Custom Products
- 3D printing
- DNA sequences
Hardware
- Medical Devices
- Lab and Diagnostics Equipment
- POS terminal/bar code reader
Content Provider
- Media Companies
- Publishing Companies
- Universities
Consumer Products
- TVs
- Appliances
- Internet of Things
- Wearables
- Toys
- Greeting Cards
- Locks
Mobile Apps; SaaS Platforms; Code on the Devices
Distributing and/or Hosting Code
9. 9
Motivation: Why Should You Care About This?
• Licensing and Compliance Risk
• Security Risk
• Business and Operational Risk
• Remediation Risk
• Recent Enforcement and Litigation
10. 10
Motivation: License and Compliance Risk
• Use beyond scope of license
• Breach of licenses; automatic termination since no materiality
• Copyright infringement
• ‘Viral’ infection of proprietary code
• Automatic grant of licenses to certain of your patents
• Defensive patent termination rights
• Transfer/assignment/change-of-control issues
• Under-licensing; not enough seats/licenses
• Combinations of components under incompatible licenses
• Notice and attribution non-compliance
• Failure to comply with licenses for “fourth party” components
11. 11
Motivation: Security Risk
• Avoid unknowingly using third party software with known security vulnerabilities
• Traditional static and dynamic security analysis find few OSS vulnerabilities
• No support; self-serve; pull vs. push model
• Risk profile changes over time
• Any vulnerabilities associated with the components?
• Which components? BOM
• What are the vulnerabilities? Cross-check databases
• Any patches available?
12. 12
Motivation: Business and Operational Risk
• Dependence on code from:
• Competitor/hostile party
• Orphaned/dead project
• Think ahead to integration and running the business or things can become very difficult
• Changing the offering model
• Standardizing on certain components
• May be expensive or impossible to collect the key information later
13. 13
Motivation: Remediation Risk
Code Remediation
• Removing, rewriting or replacing code
• Costs: Engineering, time
Legal Remediation
• Amending/terminating agreements, seeking clarifications, seeking waivers of past liability, re-licensing components and obtaining new licenses
• Often hard to remedy past non-compliance
• Costs: Legal, time, fees to licensors
Risk Mitigation/Allocation
• Additional representations and warranties
• Remediation-focused closing conditions and best efforts covenants
• Specific indemnities
• Additional escrows
14. 14
Motivation: Recent Enforcement and Litigation
• Patrick McHardy, Harald Welte, and Hellwig v. VMware
• Actions aimed at personal financial gain (McHardy) and GPL-compliance (Welte and Hellwig)
• McHardy uses aspects of German law to extract ever-increasing settlements from defendants
• Welte won a case against Fantec, where the court indicated that it is insufficient for a software vendor to rely on the assurance of GPL license compliance of its suppliers
• Christoph Hellwig’s recently dismissed case against VMware (dismissed on procedural grounds) claimed that VMware’s VMkernel is a derivative work of vmklinux, which is a derivative work of the Linux kernel, and therefore is subject to the GPL
• Other recent cases:
Continuent v. Tekelec
• Alleged GPL violations, copyright infringement; sued for “all profits”
• Settled in 2014 for undisclosed amount
• Remediation appears to have been trivial
• Oracle bought Tekelec prior to suit
XimpleWare v. Versata
• Alleged GPL violations, copyright infringement; sued for $150m
• Settled in 2015 for undisclosed amount
• Remediation was trivial (patch released in 2 weeks)
• Trilogy bought Versata prior to suit
CoKinetic v. Panasonic
• Business dispute leads to GPL-related claims by licensee
• CoKinetic demanded source code first
• Damage demands in excess of $300m
• Filed in March 2017
Artifex v. Hancom
• Alleged GPL violations, copyright infringement; request for permanent injunctive relief
• Hancom used GPL version of Artifex code; could have used commercial license
• Filed in December 2016
15. 15
The Deal: Stages
• Pre-LOI/Before the Next Transaction
• LOI/Transaction Kick-Off
• Due Diligence Process
• Definitive Agreement
• Scheduling reps
• Substantive reps
• Covenants and closing conditions
• Indemnification and escrow
• Overall Impact/Open Source 2.0
16. 16
Pre-LOI/Before the Next Transaction
• Timing is… everything!
• Preparation matters
• Poor practices can be felt…
• In your pocket (financial)
• In your work (business)
• In your deals (terms / risk allocation)
• Buyers who know what to look for can find problems
• Sellers who know what’s in their code can reduce rep burden
17. 17
Pre-LOI/Before the Next Transaction
• Buyer:
• Line up your team and advisors and develop a game plan
• Prioritization plan
• By product
• By category of component
• By license or usage type
• Substantive plan
• Know what will and will not be approved
• Update documents
• Diligence requests, reps and warranties, etc.
18. 18
Pre-LOI/Before the Next Transaction
• Seller:
• Get your house in order
• Avoid the “no time for this crap” trap
• Third party software policy
• Implement (and be able to show that you follow)
• Software bill of materials
• Using self-disclosure and code scans
• Notice and attribution files
• Prepare for diligence
• Consider industry practices
• Ready on both internal code and transactions
• Know your likely buyer/investor
• Address any known issues; remediation and explanations
20. 20
LOI/Transaction Kick-Off
• Buyer:
• Reference the code scan in the LOI
• Eliminates surprise; also allows the code scan process to kick off as soon as possible
• Decide which product(s) and version(s) should be scanned; prioritization
• Require simultaneous self-disclosure
• Push for Seller to disclose correct personnel
• Seller:
• Try to get a feel for what you are about to face
• Scope and depth of diligence
• Involve and prepare your internal team:
• High-level tech person (CTO or the like) to drive the process internally
• Development resource (knows the code) to answer questions
• Line up legal to help in interpreting license provisions
• Have the materials prepared earlier available
• Consider providing code scan results (if recent)
21. 21
Due Diligence Process: Overview
• Identify
• Aim to identify all of the third party software (both commercial and open source) and hardware embedded in or used in the development, maintenance, support and offering of products, along with the applicable licenses and usage facts
• Analyze
• Understand incompatibilities between the described or proposed use of a given third party component and the license terms for that component
• Analyze license terms which may be incompatible with current or proposed business practices
• Plan / Remediate / Mitigate / Allocate
• Create a remediation plan to address identified issues
• Code remediation, legal remediation, notice and attribution
• Risk allocation through contract terms
• Additional representations and warranties
• Remediation-focused closing conditions and best efforts covenants
• Specific indemnities
• Additional escrows
DEVELOP A GAME PLAN TO IDENTIFY, QUANTIFY, MITIGATE AND ALLOCATE THIRD PARTY SOFTWARE-RELATED RISKS
23. 23
Due Diligence Requests: Third Party Software Policy
• Buyer:
• Request copy of third party software policy
• Is it written?
• Date implemented
• What is the approval process?
• How is it documented?
• Ongoing compliance?
• Note how long it takes to obtain responses
• Seller:
• Have a good story ready if you do not have a written policy
• Small development team
• Approval by single technical resource
• Informal policy
24. 24
Due Diligence Requests: List of Third Party Software
• Buyer:
• Cast a wide net: embedded/production, development tools, infrastructure
• Consider prioritizing embedded/production
• Include requests for any APIs and/or data
• Collect usage information
• Collect complete copies of licenses
• Note how long it takes to obtain responses
• Seller:
• This is where the pre-LOI preparation really pays off
• But mind the reps!
• Nuanced approach to whittle down requests
• Narrow the scope of usage collection
• Try to avoid license collection
• Both of these are time-consuming at this stage
25. 25
Due Diligence Requests: Additional Requests
• Buyer:
• Request copy of notice and attribution files
• Request copies of open source contribution policy/guidelines
• Any open-source products?
• Note how long it takes to obtain responses
• Seller:
• Notice and attribution files
• Make sure anything you provide is up-to-date
• Sometimes can be created very quickly
• Open source contribution
• Describe process and oversight (if any)
27. 27
Definitive Agreement: Scheduling Reps
Identify All In-Licensed Software Components
• Incorporated, embedded or integrated
• Used to offer any Company product/technology
• Sold with any Company product/technology
• Otherwise distributed by Company
• Used or held for use by Company, including use for development, maintenance, support and testing
• Scope matches that of diligence requests
• No duplication of effort
• No wasted time
28. 28
Definitive Agreement: Scheduling Reps
Information for Each Component:
• Relevant version(s)
• Applicable license agreement
• How incorporated, embedded or integrated
• How used internally
• How distributed or bundled; distinguish source and binary
• Whether linked
• How modified
• How hosted; allow others to host
• Relevant Company products/technologies
• Payment obligations
• Audit rights
• Buyer:
• Match rep to diligence
• Reliance on disclosures
• True, correct, and complete
• Seller:
• Hard to argue against repping to diligence disclosures
• Materiality threshold
• Match rep to concessions won
• Possible carve-outs:
• Low-cost commercial off-the-shelf software
• Fourth party code
• Non-development software
29. 29
Definitive Agreement: Scheduling Reps
List of Contracts Pursuant to Which:
• Company has agreed to create or maintain interoperability or compatibility with any third party software/technology
• Company has the right to access any software as a service, platform as a service, infrastructure as a service, cloud service or similar service
• Company has the right to access, link to or otherwise use data or content
• Additional scheduling reps
• APIs/interfaces
• Use of services/SaaS
• Data/content
31. 31
Definitive Agreement: Substantive Reps
Company has not accessed, used, distributed, hosted or modified any third party software in such a manner as to:
• Require disclosure or distribution of any Company product/technology in source code form
• Require the licensing of any Company product/technology for the purpose of making derivative works/modifications
• Grant the right to decompile, reverse engineer or otherwise derive the source of any Company product/technology
• Require distribution of any Company product/technology at no charge or with limited usage restrictions
• Limit in any manner the ability to charge fees or seek compensation in respect of any Company product/technology
• Place any limitation on the right of the Company to use, host or distribute any Company product/technology
The Company:
• Has no plans to do any of the foregoing
• Is in compliance [in all material respects] with the licenses
• Has not been subjected to an audit, nor received any notice of intent to conduct any such audit
• Has no payment obligations, except as scheduled
32. 32
Definitive Agreement: Substantive Reps
• Buyer:
• Standard reps; making sure no viral use
• Buyer should not take on Seller’s risk
• Current enforcement actions
• Financial risk
• Seller:
• Cannot avoid the bulk of these
• Can try to shift risk on some items
• Notice and attribution
• Hosting
• Fourth party components
• Do the prep, so you know what you need
33. 33
Definitive Agreement: Covenants and Closing Conditions
• Types:
• Commercially reasonable or best efforts covenant
• Actual closing condition
• Typically focused on:
• Code remediation
• Legal remediation
• On-going ability to perform code scans and continue diligence
34.
Definitive Agreement: Covenants and Closing Conditions
• Buyer:
• Remediate any non-compliant use
• Remediate security issues
• Clean code on day 1
• Argue for closing conditions
• Especially for high-risk items
• Seller:
• Clean code = less remediation
• Excessive/specific requests
• Industry practice
35.
Definitive Agreement: Indemnification and Escrow
• Specific indemnities
• Errors/omissions and breaches/non-compliance with in-licensed software related reps
• In respect of certain agreements, licensors and components
• For simultaneous sign/close, include costs of remediation
• Often included in IP indemnity and pushes amount higher
• Additional escrows
• Set aside for specific issues and to back-stop specific indemnities
• Costs of remediation in simultaneous sign/close can significantly drive up escrow amounts
• Often included in general transaction escrow and pushes amount higher
36.
Definitive Agreement: Indemnification and Escrow
• Buyer:
• General third party software indemnities
• Especially where seller does not know what’s in the code
• Cover gray areas
• “Dollar one” coverage for riskier items and remediation
• Seller:
• Clean shop = fewer indemnities
• Try to lower risk with narrowly-tailored indemnities
• Split costs for remediation
• Buyer has skin in the game
37.
Overall Impacts on All Sides of the Transaction
Macro Impacts:
• Delay
• Signing
• Closing
• Price Uncertainty
• Due to expected cost of remediation
• Due to estimate of past non-compliance
• Plus a premium for the unknown
• Deal certainty
• Due to conditions
• Dependence on third parties
• Kill the deal
• Upset the build vs. buy decision
Diligence/Scheduling Impacts:
• Inability to provide basic materials requested in diligence and for schedules
• List of in-licensed software with license and usage for each item
• Open source policy
• Surprises discovered during diligence
• Inability to cleanly make reps
Overall:
• Adds frustration
• Increases costs:
• Additional diligence
• Protracted negotiations
• Being prepared makes transaction proceed smoothly
• Lower the risk for everyone
APPLIES TO ALL IN-LICENSED SOFTWARE, ANY KIND OF TRANSACTION AND ANY BUSINESS MODEL
38.
Open Source 2.0: Strategic Use in a Transaction
• Go beyond compliance
• Create leverage
• Control the diligence process
• Create concessions
• Get better terms
40.
Takeaways
Use of open source software is unavoidable and can have a major impact on a transaction
Often insufficient to rely on reps alone
The more you look the more you find
Almost impossible to undo the impact of poor practices
A little can go a long way
41.
Anthony Decicco
Member
GTC Law Group
617.314.7892
adecicco@gtclawgroup.com
www.gtclawgroup.com
Thank You
Leon Schwartz
Associate
GTC Law Group
617.903.0352
lschwartz@gtclawgroup.com
www.gtclawgroup.com
Editor's Notes
With a transaction, timing is everything
Preparation matters for both sides; helps things go smoothly both in everyday business and in transactions
The goal is to identify, analyze, and mitigate risks associated with the use of third party software (we will talk about this in more detail in a bit)
Poor practices (by either buyer or seller) can lead to:
Financial issues: you get sued or you make less at your exit
Business issues: injunctions (actual injunction rare)/stop-ships
Deal issues: unfavorable terms/risk in your deals
Work completed pre-LOI can impact your deal terms
Buyer knows what to look for to try to find problems
Seller knows what’s in their code (this is rare) and can try to reduce rep burden
Line up your team and advisors and develop a game plan
Internal team: Line up personnel from legal, business, and development groups to handle review and decision-making (sometimes this is one person wearing many hats)
Contracts in place with providers (e.g. Black Duck)
If you want to complete a code scan, you need to kick that off right after you sign the LOI; have your agreement in place in advance
Prioritization plan
What will be reviewed and when; can prioritize review by:
Product – by revenue or strategic importance
Category of component – embedded/production, dev tools, infrastructure
Category of third party license: less review for permissive licenses; pick out likely risky licenses first
Tailor the level of review and timing of review to the risk: what needs to be done pre-sign, pre-close, post-close, during integration
Why spend precious pre-signing time on reviewing low-risk components, when you can review those post-signing?
Allows you to spot deal-breakers early in diligence, so you can avoid high legal and other costs for transactions that will not close
Substantive plan
Know what will and will not be approved
Understand the substance of your approach to open source and inbound licenses in advance, so you know going in what you will and will not approve, rather than determining all of this during ‘deal time’
Try to avoid issues of first impression on a deal (especially for well-known, common license types and/or use cases)
Documents
You will never get answers to questions you do not know to ask
Make sure that your diligence requests are up to date and capture all you would want to know
Include right to complete code scans in your documents (LOI, on-going right in license agreements)
Update your reps and warranties; always easier to have them in the first draft of the agreement than to try to introduce them at a later date