SlideShare a Scribd company logo

Social Code Scanning

Download as PPTX, PDF
Symphony Software Foundation
Symphony Software Foundation

Social Code Scanning

Business
1 of 30
Social Code Scanning 2017-05-24 Barcelona Maurizio Pillitu Devops Director, Symphony Software Foundation @maoo maoo@symphony.foundation Analysing code, together
Social Code Scanning - our first event! ✓ What is it Hands-on-code Workshop to analyse quality, security and legal aspects of your code Quick intro on how to analyse and measure Networking, pizza and beers are on us ✓ Who’s behind Organised by the Symphony Software Foundation Hosted by CodeWorks Barcelona ✓ Requirements - none 1/23
The Symphony Software Foundation ✓ Non-profit organisation to foster an open source community and developer ecosystem for the financial services ✓ Leverages Symphony* and other open source platforms to drive inter-firm collaboration ✓ Open Governance - Board of Directors, Engineering Steering Committee Standards - Working Groups Source - github.com/symphonyoss 2/23
Today’s takeaways 1. Understand If/when to analyse your code Common scenarios 2. Try Analysing your code Commonly adopted tools 3. Ask Share doubts, questions 3/23
Why analyze code? 1. To know your codebase Your code is a puzzle, few tiles are actually made by you Code modularity constantly increases (more, smaller tiles) Platforms and technologies (ie runtimes) evolve fast, opening to new potential exploits Open source constitutes a massive tile repository, publicly available 2. Your customers (or consumers) deserve to know Nobody wants to consume unsecure/buggy code Highly-regulated (ie financial services) and mission-critical (ie aerospace) industries cannot afford quality/security/legal exposure #dealbreaker 4/23
Security
Why measure security? 1. Protect your data #atrest #intransit 2. Protect your servers 3. ... 5/23
What to measure 1. Query CVE databases http://cve.mitre.org/ https://www.exploit-db.com/ #offsec #kalilinux #mrrobot https://nvd.nist.gov/ #usgov 2. Code patterns http VS https Hardcoded keys and passwords Anti-patterns 6/23
How to measure 1. One-off (manual) scanning Read your code Know your libraries Follow guidelines 2. Automated/continuous scanning BlackDuck WhiteSource SonarQube 7/23
Quality
Why measure quality? 1. Know when quality lowers (and where) 2. Say bye to regressions 3. Focus on (new) code #boostproductivity 4. .... 8/23
What to measure 1. Project Activity Commits (codebase activity) Bugs - Opened VS Fixed Inter-firm collaboration #bus-factor Documentation User manual Installation manual Roadmap 9/23
How to measure 1. One-off (manual) scanning Read your code Know your libraries Follow guidelines 2. Automated/continuous scanning BlackDuck WhiteSource SonarQube 10/23
Legal
Why care about legal compliance? 1. Respect the rights of open source contributors a. Appropriate attribution b. Reciprocal (copyleft) licensing requirements 2. Avoid intellectual property infringement a. Copyrights b. Patents 3. Demonstrate due diligence (aka build trust) a. Targeted for highly regulated industries #consumption #contribution 11/23
What to measure 1. Outbound - choose the right license a. Proprietary b. Open source i. Permissive ii. Copyleft iii. Weak copyleft iv. Public domain 2. Dependencies Inbound (for bundled software) 12/23
How to measure 1. One-off (manual) scanning Read your code Know your libraries 2. Automated/continuous scanning BlackDuck / OpenHub Fossa WhiteSource VersionEye 13/23
Open source common misunderstandings 1. It’s public in github, no license is defined, ergo it’s open source ■ Quite the opposite, as no license defaults to "all rights reserved", including use and redistribution for personal and commercial purposes 2. No license is defined… contributions are welcome! ■ Without a contribution policy, license sets the terms for collaboration 3. I defined a LICENSE file, I’m fine ■ If you use dependencies, you must check their licenses and make sure it doesn’t conflict with your outbound license 4. I have 2 direct dependencies and their license is ok, I’m fine 14/23
Wrapping up
General remarks 1. Keep it simple 2. Understand requirements 3. Manage expectations 4. Use the right tool…. Useful resources symphonyoss.atlassian.net/wiki choosealicense.com 15/23
16/23
17/23
Let’s see some action!
Google Map Polygon Filter React component allows to draw a draggable polygon on a Google Map and extract locations within that area. 18/23
Google Map Polygon Filter Scanning with VersionEye 19/23
Google Map Polygon Filter bcrypt-pbkdf - upgrade to 1.0.1 20/23
Traffic Alarm ReactNative alarm that adapts to traffic situation 21/23
Traffic Alarm Scanning with VersionEye https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses 22/23
Traffic Alarm Reading GoogleMaps Terms of Service 23/23
Thanks! Maurizio Pillitu Devops Director, Symphony Software Foundation @maoo maoo@symphony.foundation

Recommended

Why documentation osidays
Why documentation osidaysWhy documentation osidays
Why documentation osidays
Bastian Feder
 
OpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introOpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-intro
Shane Coughlan
 
Defensive Publication - Patexia IP Matters Webinar
Defensive Publication - Patexia IP Matters WebinarDefensive Publication - Patexia IP Matters Webinar
Defensive Publication - Patexia IP Matters Webinar
Patexia Inc.
 
OpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageOpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software Heritage
Shane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021
Shane Coughlan
 
FOSSLight Open Source Project
FOSSLight Open Source Project FOSSLight Open Source Project
FOSSLight Open Source Project
Shane Coughlan
 
Licensing in Composite Open Source Projects
Licensing in Composite Open Source ProjectsLicensing in Composite Open Source Projects
Licensing in Composite Open Source Projects
Protecode
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 

Recommended

Why documentation osidays
Why documentation osidaysWhy documentation osidays
Why documentation osidays
Bastian Feder
 
OpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-introOpenChain Webinar #11 - cii-bp-badge-intro
OpenChain Webinar #11 - cii-bp-badge-intro
Shane Coughlan
 
Defensive Publication - Patexia IP Matters Webinar
Defensive Publication - Patexia IP Matters WebinarDefensive Publication - Patexia IP Matters Webinar
Defensive Publication - Patexia IP Matters Webinar
Patexia Inc.
 
OpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software HeritageOpenChain Webinar #5: Software Heritage
OpenChain Webinar #5: Software Heritage
Shane Coughlan
 
OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021OpenChain Automation Case Study - September to December 2021
OpenChain Automation Case Study - September to December 2021
Shane Coughlan
 
FOSSLight Open Source Project
FOSSLight Open Source Project FOSSLight Open Source Project
FOSSLight Open Source Project
Shane Coughlan
 
Licensing in Composite Open Source Projects
Licensing in Composite Open Source ProjectsLicensing in Composite Open Source Projects
Licensing in Composite Open Source Projects
Protecode
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 
Open Source & Open Development
Open Source & Open Development Open Source & Open Development
Open Source & Open Development
Sander van der Waal
 
Introduction To Open Source
Introduction To Open SourceIntroduction To Open Source
Introduction To Open Source
Uchechukwu Obimma
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project Management
Semen Arslan
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)
dmgerman
 
Leverage the power of Open Source in your company
Leverage the power of Open Source in your company Leverage the power of Open Source in your company
Leverage the power of Open Source in your company
Guillaume POTIER
 
GoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'EliaGoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'Elia
Friprogsenteret
 
09 Myths About Open Source Software
09 Myths About Open Source Software09 Myths About Open Source Software
09 Myths About Open Source Software
Suyati Technologies
 
Ubucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSSUbucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSS
Nuno Brito
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
Synopsys Software Integrity Group
 
“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation
Shane Coughlan
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
Evernym
 
Open source
Open sourceOpen source
Open source
Sahil Kajani
 
Open source software vs proprietary software
Open source software vs proprietary softwareOpen source software vs proprietary software
Open source software vs proprietary software
Lavan1997
 
Software Open Source in ambito industriale
Software Open Source in ambito industrialeSoftware Open Source in ambito industriale
Software Open Source in ambito industriale
Better Software
 
Open Source: What’s this all about?
Open Source: What’s this all about?Open Source: What’s this all about?
Open Source: What’s this all about?
Brad Montgomery
 
Open-Source Software Panel - IP Track
Open-Source Software Panel - IP TrackOpen-Source Software Panel - IP Track
Open-Source Software Panel - IP Track
Aaron G. Sauers, CLP
 
Open Source Compliance at Twitter
Open Source Compliance at TwitterOpen Source Compliance at Twitter
Open Source Compliance at Twitter
Chris Aniszczyk
 
Exploring Open Source Licensing
Exploring Open Source LicensingExploring Open Source Licensing
Exploring Open Source Licensing
Stefano Fago
 
Open Source vs Proprietary
Open Source vs ProprietaryOpen Source vs Proprietary
Open Source vs Proprietary
M. Antoinette Jerom
 
open_source_tools.pptx 4th sem bca......
open_source_tools.pptx 4th sem bca......open_source_tools.pptx 4th sem bca......
open_source_tools.pptx 4th sem bca......
MohammedAnas871930
 
The Case for an Open Fintech Ecosystem, Aaron Williamson
The Case for an Open Fintech Ecosystem, Aaron WilliamsonThe Case for an Open Fintech Ecosystem, Aaron Williamson
The Case for an Open Fintech Ecosystem, Aaron Williamson
Symphony Software Foundation
 
Strangers in a Strange Land, Open Source in Financial Services
Strangers in a Strange Land, Open Source in Financial ServicesStrangers in a Strange Land, Open Source in Financial Services
Strangers in a Strange Land, Open Source in Financial Services
Symphony Software Foundation
 

More Related Content

Similar to Social Code Scanning

GoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'EliaGoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'Elia
Friprogsenteret
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
Evernym
 
Open source software vs proprietary software
Open source software vs proprietary softwareOpen source software vs proprietary software
Open source software vs proprietary software
Lavan1997
 
Software Open Source in ambito industriale
Software Open Source in ambito industrialeSoftware Open Source in ambito industriale
Software Open Source in ambito industriale
Better Software
 
Open Source Compliance at Twitter
Open Source Compliance at TwitterOpen Source Compliance at Twitter
Open Source Compliance at Twitter
Chris Aniszczyk
 

Similar to Social Code Scanning (20)

Open Source & Open Development
Open Source & Open Development Open Source & Open Development
Open Source & Open Development
 
Introduction To Open Source
Introduction To Open SourceIntroduction To Open Source
Introduction To Open Source
 
Open Source Project Management
Open Source Project ManagementOpen Source Project Management
Open Source Project Management
 
Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)Introduction to License Compliance and My research (D. German)
Introduction to License Compliance and My research (D. German)
 
Leverage the power of Open Source in your company
Leverage the power of Open Source in your company Leverage the power of Open Source in your company
Leverage the power of Open Source in your company
 
GoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'EliaGoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'Elia
 
09 Myths About Open Source Software
09 Myths About Open Source Software09 Myths About Open Source Software
09 Myths About Open Source Software
 
Ubucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSSUbucon 2013, licensing and packaging OSS
Ubucon 2013, licensing and packaging OSS
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation“State of the Tooling” in Open Source Automation
“State of the Tooling” in Open Source Automation
 
Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
 
Open source
Open sourceOpen source
Open source
 
Open source software vs proprietary software
Open source software vs proprietary softwareOpen source software vs proprietary software
Open source software vs proprietary software
 
Software Open Source in ambito industriale
Software Open Source in ambito industrialeSoftware Open Source in ambito industriale
Software Open Source in ambito industriale
 
Open Source: What’s this all about?
Open Source: What’s this all about?Open Source: What’s this all about?
Open Source: What’s this all about?
 
Open-Source Software Panel - IP Track
Open-Source Software Panel - IP TrackOpen-Source Software Panel - IP Track
Open-Source Software Panel - IP Track
 
Open Source Compliance at Twitter
Open Source Compliance at TwitterOpen Source Compliance at Twitter
Open Source Compliance at Twitter
 
Exploring Open Source Licensing
Exploring Open Source LicensingExploring Open Source Licensing
Exploring Open Source Licensing
 
Open Source vs Proprietary
Open Source vs ProprietaryOpen Source vs Proprietary
Open Source vs Proprietary
 
open_source_tools.pptx 4th sem bca......
open_source_tools.pptx 4th sem bca......open_source_tools.pptx 4th sem bca......
open_source_tools.pptx 4th sem bca......
 

More from Symphony Software Foundation

More from Symphony Software Foundation (20)

The Case for an Open Fintech Ecosystem, Aaron Williamson
The Case for an Open Fintech Ecosystem, Aaron WilliamsonThe Case for an Open Fintech Ecosystem, Aaron Williamson
The Case for an Open Fintech Ecosystem, Aaron Williamson
 
Strangers in a Strange Land, Open Source in Financial Services
Strangers in a Strange Land, Open Source in Financial ServicesStrangers in a Strange Land, Open Source in Financial Services
Strangers in a Strange Land, Open Source in Financial Services
 
Community is a Positive Sum Game, Gabriele Columbro
Community is a Positive Sum Game, Gabriele ColumbroCommunity is a Positive Sum Game, Gabriele Columbro
Community is a Positive Sum Game, Gabriele Columbro
 
State of the Union, Gabriele Columbro
State of the Union, Gabriele ColumbroState of the Union, Gabriele Columbro
State of the Union, Gabriele Columbro
 
Open Developer Platform: What Is It and Why Should I Care? Maurizio Pillitu
Open Developer Platform: What Is It and Why Should I Care? Maurizio PillituOpen Developer Platform: What Is It and Why Should I Care? Maurizio Pillitu
Open Developer Platform: What Is It and Why Should I Care? Maurizio Pillitu
 
Building Productive & Predictable Community Engagement, Jono Bacon
Building Productive & Predictable Community Engagement, Jono BaconBuilding Productive & Predictable Community Engagement, Jono Bacon
Building Productive & Predictable Community Engagement, Jono Bacon
 
201704 - An Introduction to the Symphony Software Foundation
201704 - An Introduction to the Symphony Software Foundation201704 - An Introduction to the Symphony Software Foundation
201704 - An Introduction to the Symphony Software Foundation
 
FinDEVr New York 2017 - Deliver your OSS Symphony integration in minutes
FinDEVr New York 2017 - Deliver your OSS Symphony integration in minutesFinDEVr New York 2017 - Deliver your OSS Symphony integration in minutes
FinDEVr New York 2017 - Deliver your OSS Symphony integration in minutes
 
FinJS NYC: Open Source + Open Standards - The Dynamic Duo
FinJS NYC: Open Source + Open Standards - The Dynamic DuoFinJS NYC: Open Source + Open Standards - The Dynamic Duo
FinJS NYC: Open Source + Open Standards - The Dynamic Duo
 
Webinar: An introduction to the Symphony Software Foundation project life cycle
Webinar: An introduction to the Symphony Software Foundation project life cycleWebinar: An introduction to the Symphony Software Foundation project life cycle
Webinar: An introduction to the Symphony Software Foundation project life cycle
 
FinJS London 2016 - Leveraging open source in the dev. process to maximize se...
FinJS London 2016 - Leveraging open source in the dev. process to maximize se...FinJS London 2016 - Leveraging open source in the dev. process to maximize se...
FinJS London 2016 - Leveraging open source in the dev. process to maximize se...
 
Symphony Software Foundation - Vision, Overview and how to engage with our Co...
Symphony Software Foundation - Vision, Overview and how to engage with our Co...Symphony Software Foundation - Vision, Overview and how to engage with our Co...
Symphony Software Foundation - Vision, Overview and how to engage with our Co...
 
Symphony Innovate - "Open": tearing down the walls of dysfunctional collabora...
Symphony Innovate - "Open": tearing down the walls of dysfunctional collabora...Symphony Innovate - "Open": tearing down the walls of dysfunctional collabora...
Symphony Innovate - "Open": tearing down the walls of dysfunctional collabora...
 
June 22nd 2016 - Foundation State of the Union - London Meetup @ Red Deer
June 22nd 2016 - Foundation State of the Union - London Meetup @ Red DeerJune 22nd 2016 - Foundation State of the Union - London Meetup @ Red Deer
June 22nd 2016 - Foundation State of the Union - London Meetup @ Red Deer
 
OpenFin's Interoperability
OpenFin's Interoperability OpenFin's Interoperability
OpenFin's Interoperability
 
Symphony Product & Roadmap Update
Symphony Product & Roadmap Update Symphony Product & Roadmap Update
Symphony Product & Roadmap Update
 
Markit SymphonyOSS Update
Markit SymphonyOSS Update Markit SymphonyOSS Update
Markit SymphonyOSS Update
 
Symphony Software Foundation Knowledge Decision Services
Symphony Software Foundation Knowledge Decision Services Symphony Software Foundation Knowledge Decision Services
Symphony Software Foundation Knowledge Decision Services
 
Symphony Software Foundation Financial Objectives Standardization
Symphony Software Foundation Financial Objectives Standardization Symphony Software Foundation Financial Objectives Standardization
Symphony Software Foundation Financial Objectives Standardization
 
Symphony Software Foundation Desktop Wrapper Working Group Update
Symphony Software Foundation Desktop Wrapper Working Group UpdateSymphony Software Foundation Desktop Wrapper Working Group Update
Symphony Software Foundation Desktop Wrapper Working Group Update
 

Recently uploaded

Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
gargpaaro
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
pr788182
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
laloo_007
 

Recently uploaded (20)

joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Cannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 UpdatedCannabis Legalization World Map: 2024 Updated
Cannabis Legalization World Map: 2024 Updated
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
Falcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to ProsperityFalcon's Invoice Discounting: Your Path to Prosperity
Falcon's Invoice Discounting: Your Path to Prosperity
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
BeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdfBeMetals Investor Presentation_May 3, 2024.pdf
BeMetals Investor Presentation_May 3, 2024.pdf
 
Power point presentation on enterprise performance management
Power point presentation on enterprise performance managementPower point presentation on enterprise performance management
Power point presentation on enterprise performance management
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030Over the Top (OTT) Market Size & Growth Outlook 2024-2030
Over the Top (OTT) Market Size & Growth Outlook 2024-2030
 
Falcon Invoice Discounting: Tailored Financial Wings
Falcon Invoice Discounting: Tailored Financial WingsFalcon Invoice Discounting: Tailored Financial Wings
Falcon Invoice Discounting: Tailored Financial Wings
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
Rice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna ExportsRice Manufacturers in India | Shree Krishna Exports
Rice Manufacturers in India | Shree Krishna Exports
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
Falcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investorsFalcon Invoice Discounting: The best investment platform in india for investors
Falcon Invoice Discounting: The best investment platform in india for investors
 

Social Code Scanning

  • 1. Social Code Scanning 2017-05-24 Barcelona Maurizio Pillitu Devops Director, Symphony Software Foundation @maoo maoo@symphony.foundation Analysing code, together
  • 2. Social Code Scanning - our first event! ✓ What is it Hands-on-code Workshop to analyse quality, security and legal aspects of your code Quick intro on how to analyse and measure Networking, pizza and beers are on us ✓ Who’s behind Organised by the Symphony Software Foundation Hosted by CodeWorks Barcelona ✓ Requirements - none 1/23
  • 3. The Symphony Software Foundation ✓ Non-profit organisation to foster an open source community and developer ecosystem for the financial services ✓ Leverages Symphony* and other open source platforms to drive inter-firm collaboration ✓ Open Governance - Board of Directors, Engineering Steering Committee Standards - Working Groups Source - github.com/symphonyoss 2/23
  • 4. Today’s takeaways 1. Understand If/when to analyse your code Common scenarios 2. Try Analysing your code Commonly adopted tools 3. Ask Share doubts, questions 3/23
  • 5. Why analyze code? 1. To know your codebase Your code is a puzzle, few tiles are actually made by you Code modularity constantly increases (more, smaller tiles) Platforms and technologies (ie runtimes) evolve fast, opening to new potential exploits Open source constitutes a massive tile repository, publicly available 2. Your customers (or consumers) deserve to know Nobody wants to consume unsecure/buggy code Highly-regulated (ie financial services) and mission-critical (ie aerospace) industries cannot afford quality/security/legal exposure #dealbreaker 4/23
  • 7. Why measure security? 1. Protect your data #atrest #intransit 2. Protect your servers 3. ... 5/23
  • 8. What to measure 1. Query CVE databases http://cve.mitre.org/ https://www.exploit-db.com/ #offsec #kalilinux #mrrobot https://nvd.nist.gov/ #usgov 2. Code patterns http VS https Hardcoded keys and passwords Anti-patterns 6/23
  • 9. How to measure 1. One-off (manual) scanning Read your code Know your libraries Follow guidelines 2. Automated/continuous scanning BlackDuck WhiteSource SonarQube 7/23
  • 11. Why measure quality? 1. Know when quality lowers (and where) 2. Say bye to regressions 3. Focus on (new) code #boostproductivity 4. .... 8/23
  • 12. What to measure 1. Project Activity Commits (codebase activity) Bugs - Opened VS Fixed Inter-firm collaboration #bus-factor Documentation User manual Installation manual Roadmap 9/23
  • 13. How to measure 1. One-off (manual) scanning Read your code Know your libraries Follow guidelines 2. Automated/continuous scanning BlackDuck WhiteSource SonarQube 10/23
  • 14. Legal
  • 15. Why care about legal compliance? 1. Respect the rights of open source contributors a. Appropriate attribution b. Reciprocal (copyleft) licensing requirements 2. Avoid intellectual property infringement a. Copyrights b. Patents 3. Demonstrate due diligence (aka build trust) a. Targeted for highly regulated industries #consumption #contribution 11/23
  • 16. What to measure 1. Outbound - choose the right license a. Proprietary b. Open source i. Permissive ii. Copyleft iii. Weak copyleft iv. Public domain 2. Dependencies Inbound (for bundled software) 12/23
  • 17. How to measure 1. One-off (manual) scanning Read your code Know your libraries 2. Automated/continuous scanning BlackDuck / OpenHub Fossa WhiteSource VersionEye 13/23
  • 18. Open source common misunderstandings 1. It’s public in github, no license is defined, ergo it’s open source ■ Quite the opposite, as no license defaults to "all rights reserved", including use and redistribution for personal and commercial purposes 2. No license is defined… contributions are welcome! ■ Without a contribution policy, license sets the terms for collaboration 3. I defined a LICENSE file, I’m fine ■ If you use dependencies, you must check their licenses and make sure it doesn’t conflict with your outbound license 4. I have 2 direct dependencies and their license is ok, I’m fine 14/23
  • 20. General remarks 1. Keep it simple 2. Understand requirements 3. Manage expectations 4. Use the right tool…. Useful resources symphonyoss.atlassian.net/wiki choosealicense.com 15/23
  • 21. 16/23
  • 22. 17/23
  • 23. Let’s see some action!
  • 24. Google Map Polygon Filter React component allows to draw a draggable polygon on a Google Map and extract locations within that area. 18/23
  • 25. Google Map Polygon Filter Scanning with VersionEye 19/23
  • 26. Google Map Polygon Filter bcrypt-pbkdf - upgrade to 1.0.1 20/23
  • 27. Traffic Alarm ReactNative alarm that adapts to traffic situation 21/23
  • 28. Traffic Alarm Scanning with VersionEye https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses 22/23
  • 29. Traffic Alarm Reading GoogleMaps Terms of Service 23/23
  • 30. Thanks! Maurizio Pillitu Devops Director, Symphony Software Foundation @maoo maoo@symphony.foundation