© Black Duck 2013
5 Steps for a Winning Open Source Compliance Program
Kellan Ponikiewicz
Peter Vescuso
Speakers
Peter Vescuso, EVP of Marketing, Black Duck Software
Kellan Ponikiewicz, IP Counsel
Agenda
• Market Trends
• Open Source at Nuance
• 5 Steps for Open Source Compliance
• Automating Open Source Management
“Software is eating the world.”
…and Open Source is increasing its appetite
Black Duck KnowledgeBase
Open Source is Ubiquitous
“By 2016, at least 95% of IT organizations will leverage nontrivial elements of open-source software technology in their mission-critical IT portfolios, including cases where they might not be aware of it — an increase from 75% in 2010.”
Open Source is Ubiquitous
“Open source makes up 30% or more of the code at major G2000 organizations”
Why is Open Source Important?
© 2002-2013 Nuance Communications, Inc. All rights reserved. Page 9
Open Source at Nuance
• Approximately 12,000 full-time employees
• Worldwide headquarters in Burlington, MA
• FY 2012 non-GAAP revenue was ~$1.7 billion
• Nearly two-thirds of Fortune 100 companies rely on Nuance solutions
• The 8 largest handset and 10 largest auto makers use Nuance solutions
• Nuance solutions have shipped in more than 5 billion mobile phones and 70 million cars
At Nuance, everything we do is focused on developing the most human, natural, intuitive ways to use your voice to take command of
Open Source at Nuance
– Development
– Release of sample code
– Integration with popular platforms
5 Steps to Follow for Putting a Program in Place
1. Assess the business case for an open source program
2. Gain the support of upper level management
3. Determine the type of system needed
4. Outline a policy and general open source process
5. Communicate and train
The Business Case for Regulating Open Source
• Sales Methods and Product Type(s)
• Typical Development Practices
• Industry Best Practices
Getting Management Buy-In
Buy-in depends in large part on identifying the risks posed by not acting.
• Sales Process & Product Type
  – Customer Indemnification Requests
  – Customer Open Source Usage Requests
• Development Practices
  – Open Source Platform Development
  – Business Requirement to Contribute
• Industry Best Practices
  – Stringent Security Requirements
  – Reputation in the Open Source Community
Open Source and Security
Secure software development has many components; at least the following can be accomplished in part through open source governance:
• Understand your Software: Regular scans provide insight into code content
• Protect Sensitive Information: Ensuring that developers follow open source guidelines can protect company trade secrets
• Develop Software with Secure Features: Use of open source software may introduce security issues
• Secure Software Development: Educating employees about open source can improve compliance with policies and procedures
Determining the Appropriate System
– Not every system is the same.
– Putting in a manual system can be onerous.
– Black Duck can assist in determining the right type of system to put in place.
– Considerations when determining the appropriate system:
  – Available personnel
  – IT infrastructure
  – Scope of proposed program
Policies and Process and Communication and Training
• Policies and Procedures: Black Duck has services that can help with this
• Communicate New System: Company-wide communication
• Train Relevant Employees: Employees typically have preconceived notions about open source; it is often important to address this head on.