OSS LOGISTICS: DRIVING INNOVATIVE SOFTWARE FROM DEVELOPER TO CUSTOMER Alex Bigmore Senior Architect & Open Source Governance Programme Manager SITA

(1)

OSS LOGISTICS:

DRIVING INNOVATIVE SOFTWARE FROM

DEVELOPER TO CUSTOMER

Alex Bigmore

Senior Architect & Open Source Governance Programme Manager

SITA

Phil Granof

EVP & Chief Marketing Officer

Black Duck Software

(2)

2 OVERVIEW

• Introduction

• Open Source Market Trends

• SITA Case study

• The OSS Logistics Framework

• Conclusions

(3)

3

(4)

4 OS CRITICAL ACROSS MANY NEW TECHNOLOGIES

CLOUD/

VIRTUALIZATION

CONTENT

MGMT

MOBILE

SECURITY COLLABORATION NETWORK

MGMT

SOCIAL

MEDIA

3D PRINTING ANALYTICS AND

BUSINESS

INTELLIGENCE

DRONES

GAMING

ERP

63%

57%

53%

_51%

49%

_48%

46%

27%

_26%

13%

_12%

10%

(5)

5 THE VIRTUOUS CYCLE

Participation

Proliferation

Foundation

(6)

6 OPEN SOURCE WINS ON QUALITY

80%

Choose based on

quality

(7)

7 OPEN SOURCE WINS ON FEATURES

80%

Choose based on

features

67%

(8)

8

(9)

9 ACCESS TO TECHNICAL FEATURES

#4

Reason for

adoption

#8

Reason for

adoption

(10)

10 CHOOSING BASED ON SECURITY

72%

Choose based on

Security

(11)

11 CHOOSING BASED ON SECURITY

(12)

12

(13)

13 OPEN SOURCE ADOPTION IS RISING

2007

2012

2017

5%

30%

XX% ???

Source: IDC Survey of G2000

Source: Black Duck audit results

(14)

SITA Case Study

Open Source Compliance

Alex Bigmore

(15)

(16)

First Steps to Compliance

• SITA developed an Intellectual Property software asset registry with

the objective of better understanding the composition of its software

in terms of IP ownership, applicable licensing terms and code used

to generate SITA’s revenue streams

• Together with developer surveys this revealed that software is mixed

IP, using internally developed, outsource developed, third party

proprietary and Open Source software

• Two questions emerged

• How much Open Source Software (OSS) was used as part of the

code base?

• What were the licensing details of each OSS component?

• The need to answer these questions was the first step toward

establishing an Open Source Governance (OSG) programme

(17)

Creating the Governance Programme

OSS usage revealed

Establish

Stakeholders

Governance

Programme

Do we need OSS?

Pilot – how much

OSS is really used?

17 | Open Source Compliance | Confidential | © SITA 2014

IP Asset Registry

created

(18)

Governance Objectives

• Ensure compliance with OSS licenses and distribution

requirements

• Enable greater use of OSS across the organization to

improve software development efficiency and quality

(19)

Achieving Governance Objectives

Strategy, policy,

process

License review

Discovery &

remediation

Approval

Communication &

training

19 | Open Source Compliance | Confidential | © SITA 2014

Compliance and OSS

Enablement

(20)

Compliance and OSS Enablement

• Approval before use

• Policy requires teams to request approval before OSS is used to

minimise remediation

• Black Duck® Code Center™ used to manage approval process

• Verification scanning

• Determines whether there is OSS present that has not been approved

• Reports on licence compliance

• Black Duck® Protex™ used for OSS scanning

• Automation wherever possible

• Impact the development teams as little as possible

• Automate responses to approval requests where possible

• SITA licence guidance rules implemented, others addressed manually

• Enable teams to trigger verification scans

• OSG team involved as needed

(21)

Summary

• OSG and supporting tools have enabled SITA to

• Ensure compliance with licences of OSS used

• Encourage and support greater use of open source in current

and future projects

• Notify project teams of vulnerabilities in OSS used

• Automate to minimise impact

• Self service OSS approvals

• Self service OSS scanning

(22)

Thank you

Alex Bigmore, OSG Programme Manager

[email protected]

www.sita.aero

(23)

23

(24)

24 OSS SHOULD BE MANAGED, NOT FEARED

“50% of companies

will face challenges

due to lack of FOSS

policy and

management”

(25)

25 CHALLENGES OF THE ARCHITECT

I want to know

what open

source I use.

I want to know

where I use

open source.

I want to

eliminate the

security risks

associated with

open source.

I want to reuse

code.

I want help

choosing open

source.

I want to

decrease the

amount of code

we need to

maintain.

I want more

control over the

open source my

developers use.

I want to

participate in

the open source

ecosystem.

(26)

26

(27)

27 OUR VALUE

• We help companies manage their use of open source code in

order to see enormous gains across fundamental competitive

dimensions.

(28)

28

(29)

29 WHAT IS OSS LOGISTICS?

(30)

30 CHOOSE OSS

• Choice begins with data. The Black Duck Knowledgebase™ is

the world’s most comprehensive database of open source project

information.

License

Vulnerability

Cryptography

Version

Maturity

Description

Black Duck

KnowledgeBase

(31)

31 CHOOSE OSS

• The Black Duck Knowledgebase is at the heart of OSS Logistics,

continually gathering data throughout the open source

community:

• Over one million projects

• From 6,000 sites

• For over 2,200 unique software licenses.

Approve

Scan

Open Source

Community

Inventory

Secure

Black Duck

Open Hub

Black Duck

KnowledgeBase™

(32)

32 CHOOSE OSS

• The Black Duck Open Hub provides a window into the world of

open source.

• Find reports about the composition and activity of project code bases

• Track the changing demographics of the FOSS world

• Follow developers and their contributions

• Search for code with Code Sight™

Black Duck

KnowledgeBase™

Approve

Scan

Open Source

Community

Inventory

Secure

Black Duck

Open Hub

(33)

33

(34)

34 APPROVE OSS

Empower developers with automated approval processes built on

the right policies for governing the use of open source.

• Eliminate uncertainty and re-work

• Speed identification of software components

• Mitigate risk without slowing developers down

• Collaborate seamlessly

Black Duck KnowledgeBase™

Approve

Scan

Inventory

Secure

Black Duck

Open Hub

Open Source

Community

(35)

35 SCAN OSS

Automatically scan, discover and identify what open source code is

used within specific applications.

• Understand code origin

• Identify licenses and support compliance

• Eliminate manual effort

• Increase reliability and visibility

Black Duck KnowledgeBase™

Approve

Scan

Inventory

Secure

Black Duck

Open Hub

Open Source

Community

(36)

36 INVENTORY OSS

Create a company-wide intelligent catalog of approved software that

grows smarter over time.

• Track where components are used in other applications.

• Encourage standardization and re-use.

Black Duck KnowledgeBase™

Approve

Scan

Inventory

Secure

Black Duck

Open Hub

Open Source

Community

(37)

37 SECURE OSS

Continuous monitoring ensures that future security vulnerabilities

associated with a specific component are quickly flagged for

resolution.

• Receive daily alerts

• Alter workflows in response to severity

• Quickly locate and remediate

Black Duck KnowledgeBase™

Approve

Scan

Inventory

Secure

Black Duck

Open Hub

Open Source

Community

(38)

38 DELIVER

We provide a license obligation report and an easily consumable bill

of materials (BOM) that you can deliver to your customers or

internal stakeholders.

Incoming

Code

Outgoing

Code

Black Duck

KnowledgeBase™

Automated Scanning

and Built-In

Approval Policies

(39)

39 DELIVER

Automatically discover encryption algorithms within a code base and

identify applicable export rules:

• Cryptography export compliance

• Government reporting

• Licensing requirements

• Policy management challenges

Outgoing

Code

(40)

40 CONCLUSIONS

• The open source debate is over. Mostly.

• Complexity and quality are colliding.

• Reaping the benefits requires management.

• Logistics provides the best conceptual model for see reaping the

benefits of open source.

(41)

41

41 QUESTIONS?