© 2014 Black Duck Software, Inc. All Rights Reserved.
OPEN SOURCE SOFTWARE COMPLIANCE AND SECURITY
SPEAKERS
Phil Odence, Vice President & General Manager
Danielle Sheer, General Counsel, Carbonite
15 January 2015
Carbonite, Inc. (Nasdaq: CARB)
Vitals
• Founded: 2005
• IPO: 2011
• Corporate HQ: Boston, MA
• Customer Support Center: Lewiston, ME
• Data centers: Multiple locations in the U.S.
• Number of employees: 500+
• Files backed up: more than 300 billion
• Files recovered: nearly 20 billion
Key Acquisitions
• Phanfare (2011)
• Zmanda (2012)
• MailStore (2014)
AGENDA
• Trends
• Open Source at Carbonite
• Managing Open Source
INCREASING ABUNDANCE
[Chart: number of open source projects by year, 2007 to 2015, y-axis 0 to 1,500,000. Source: Black Duck KnowledgeBase]
OPEN SOURCE GROWS AS % OF CODE
[Chart: open source as a share of a typical code base: 5% in 2007, 30% in 2012, and a higher, unquantified share projected for 2017. Sources: IDC Survey of G2000; Black Duck audit results]
“By 2016, at least 95% of IT organizations will leverage nontrivial elements of open-source software technology in their mission-critical IT portfolios, including cases where they might not be aware of it — an increase from 75% in 2010.”
OSS IS RELIED ON BY COMPANIES IN EVERY SECTOR
• Software
• Electronics
• Government
• Media
• Financial / Services
BUT, OSS OFTEN ENTERS A CODE BASE UNCHECKED
[Diagram: a code base made up of commercial code, third-party code and open source. Commercial and third-party code pass through purchasing, which asks: Licensing? Security? Quality? Support? Open source does not pass through the same checks.]
OPERATIONAL RISK: which versions of code are being used, and how old are they?
LEGAL RISK: which licenses are used, and do they match the anticipated use of the code?
SECURITY RISK: which components have vulnerabilities, and what are they?
“Through 2016, less than half of IT organizations will have implemented an effective open-source governance program; that is, one that successfully minimizes risk and maximizes positive TCO and ROI opportunities”
OPEN SOURCE AT CARBONITE
Danielle Sheer, Esq., Vice President and General Counsel
What you need to know about your Open Source use
Along with the tremendous benefits of Open Source…
• build better software, faster and more affordably
…comes certain risks and obligations…
• Viral effect
• Notice and attribution
…and you can successfully manage and mitigate them by implementing an Open Source Compliance Program
• Internal and external benefits
Not All Licenses Are Created Equal
A significant amount of O/S is under permissive licenses and can be used with few restrictions
• MIT License
  o Use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software…
  o Other examples
    ◦ BSD License
    ◦ Apache License
Some O/S could have undesirable Copyleft provisions – “Viral Risk”
• GNU GPL:
  o You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy
  o This License will therefore apply… to the whole of the work, and all its parts, regardless of how they are packaged
  o No permission to license the work in any other way
Notice and Attribution
• Even permissive licenses (MIT, BSD, Apache) require that the copyright notice and license text be preserved and, in Apache's case, that NOTICE file contents be carried forward
Acquiring Open Source
In October 2012, Carbonite acquired Zmanda, Inc.
• Open source due diligence and audit required
  o Ensure accurate valuation
  o Understand the acquired technology
  o Quantify maintenance costs
In November 2014, Carbonite acquired MailStore Software GmbH
• Black Duck report can influence SPA negotiations
• Cultivates transparency between Buyer and Seller
Black Duck Audit
• Holistic O/S review
• Flag items to be addressed
• Practical solutions
Open Source Compliance Program
Step One
• Determine where and how open source is used
• Define and assign responsibilities and processes for engineers
Step Two
• Record, for each component:
  o Name
  o Licensor
  o Version
  o Local copy of the license
  o Business use(s)
  o Plans to modify?
  o Internal use?
  o Distributed?
  o Hosted?
Step Three
• Create an approved/disapproved (white/black) list for developer training and tool reference
• Finalize an open source policy and review it with outside counsel
Step Four
• Ongoing monitoring and maintenance
Challenges and Benefits
Challenges
• Abundance of open source usage
• Version proliferation
• Fear of the unknown
• Achieving the right balance between processes and product development
Benefits
• Increased communication & cross-functional teamwork
• Control / increased input
• Increased certainty regarding risk and exposure
OSS SECURITY AND LOGISTICS
OPEN SOURCE ADDS NEW DIMENSION TO SECURITY RISK
[Diagram: IT security risks overlap with open source challenges; the intersection is open source component security]
• What components?
• Where used?
• How secure?
• How to stay on top?
OWASP has added “Using components with known vulnerabilities” (A9 in the 2013 list) to its Top 10 Risks.
RISK POSED BY OPEN SOURCE
• While Heartbleed (OpenSSL), Shellshock (Bash) and POODLE (SSLv3) demonstrate the risk of open source vulnerabilities, new open source vulnerabilities are disclosed faster than customers can track and remediate them.
OSS LOGISTICS TO MANAGE ALL THE RISKS
[Diagram: OSS logistics pipeline: Choose → Approve → Scan → Inventory → Secure → Deliver]
AUTOMATE VISIBILITY AND CONTROL – OSS LOGISTICS
[Diagram: the same pipeline, Choose → Approve → Scan → Inventory → Secure → Deliver, with vulnerability data from NVD and OSVDB feeding the Secure step]
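The following is an added example, not code from the original slides or from Black Duck or Carbonite. It ties the Step Two inventory record (name, version, license, distributed?) to the Scan → Inventory → Secure step: each recorded component is matched against vulnerability records that carry an affected-version range in the shape NVD uses (versionStartIncluding / versionEndExcluding), and distributed components are checked against the approved-license list from Step Three. The feed and inventory are constructed sample data; the OpenSSL record uses the real Heartbleed range (1.0.1 through 1.0.1f, fixed in 1.0.1g), while `libwidget`, `EXAMPLE-0001` and the approved-license set are hypothetical placeholders.

```python
"""Component inventory checked against a vulnerability feed (added example).

Not code from the original slides or from Black Duck/Carbonite. The feed and
inventory below are constructed sample data: the OpenSSL record uses the real
Heartbleed range (1.0.1 <= v < 1.0.1g); 'libwidget' and 'EXAMPLE-0001' are
placeholders invented for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

_PART = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """'1.0.1f' -> ((1, ''), (0, ''), (1, 'f')). The letter suffix orders
    OpenSSL-style patch releases: 1.0.1 < 1.0.1f < 1.0.1g."""
    parts = []
    for p in v.split("."):
        m = _PART.match(p)
        if not m:
            raise ValueError(f"unsupported version string: {v!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing trailing components count as 0 (4.3 == 4.3.0)."""
    ka, kb = parse_version(a), parse_version(b)
    n = max(len(ka), len(kb))
    ka += ((0, ""),) * (n - len(ka))
    kb += ((0, ""),) * (n - len(kb))
    return (ka > kb) - (ka < kb)


@dataclass(frozen=True)
class Component:
    name: str          # product name as recorded in the inventory
    version: str
    license_id: str    # SPDX identifier of the local copy of the license
    distributed: bool  # shipped to customers (where notice/copyleft duties apply)


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    product: str
    start_incl: str    # first affected version (versionStartIncluding)
    end_excl: str      # first fixed version (versionEndExcluding)
    summary: str


def is_affected(comp: Component, rec: VulnRecord) -> bool:
    """True when the component's version lies in [start_incl, end_excl)."""
    if comp.name != rec.product:
        return False
    return (cmp_versions(comp.version, rec.start_incl) >= 0
            and cmp_versions(comp.version, rec.end_excl) < 0)


def audit(inventory: Iterable[Component], feed: Iterable[VulnRecord],
          approved_licenses: Set[str]) -> List[str]:
    """One finding per (component, matching record), plus one per distributed
    component whose license is not on the approved list."""
    feed = list(feed)
    findings = []
    for comp in inventory:
        for rec in feed:
            if is_affected(comp, rec):
                findings.append(f"{comp.name} {comp.version}: {rec.cve} "
                                f"({rec.summary}); upgrade to >= {rec.end_excl}")
        if comp.distributed and comp.license_id not in approved_licenses:
            findings.append(f"{comp.name} {comp.version}: license {comp.license_id} "
                            "is not approved for distributed code")
    return findings


# Constructed sample data. Only the Heartbleed range is real.
FEED = [
    VulnRecord("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g",
               "Heartbleed, TLS heartbeat over-read"),
    VulnRecord("EXAMPLE-0001", "libwidget", "2.0", "2.3.1",
               "placeholder record for a hypothetical library"),
]
INVENTORY = [
    Component("openssl", "1.0.1f", "OpenSSL", True),
    Component("openssl", "1.0.1g", "OpenSSL", True),
    Component("libwidget", "2.3", "MIT", True),
    Component("libwidget", "2.3.1", "MIT", False),
    Component("readline", "6.3", "GPL-3.0-only", True),
]
APPROVED = {"MIT", "BSD-3-Clause", "Apache-2.0", "OpenSSL"}  # hypothetical policy

if __name__ == "__main__":
    for line in audit(INVENTORY, FEED, APPROVED):
        print(line)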