The Black Duck Suite: Enabling Faster, Lower Cost Innovation with Open Source Software
Black Duck Software
Copyright © 2010 Black Duck Software, Inc. All Rights Reserved.
Agenda
• Market Dynamics and Challenges
• Meeting the Challenges
• Overview of the Black Duck Suite
• Summary
Evolution of Software Development
(Timeline figure) 1980's: focus on code design, scope of the individual software developer. 1990's: focus on application life cycle management, scope of the project team. 2000's: focus on component-based development, scope of the development ecosystem. Axis labels: Focus, Scope, Collaboration (Single ... Enterprise).
The Promise of Open Source
The Promise:
• Significantly reduce development costs (up to 90%) and accelerate time to market
• Billions of lines of available code
The Challenges:
• Management
• Compliance
• Security
Realize the promise while eliminating the challenges: the Black Duck Solution...
Black Duck Enables Multi-Source Development
(Figure) Your company's software application is assembled from open source software, internally developed code, outsourced code development and commercial 3rd-party code. Open source itself comes from individuals, universities and corporate developers. Figure labels: Code, Obligations.
Development Challenges Using Open Source at Scale
Management
• Leverage the right software from many sources
• Increase productivity using component software
• Encourage standardization of components & versions
• Deliver timely support
Compliance & Security
• Comply with open source policies
• Manage licensing and associated obligations
• Comply with export regulations
• Track security vulnerabilities
Formal control of open source software lags adoption: 58% of companies surveyed do not have formal policies or guidelines for OSS.
Source: 451 Group, December 2009
Risks of Unmanaged Code
(Figure) Risks shown: loss of intellectual property, export regulations, injunctions, security vulnerabilities, software defects, license rights and restrictions, contractual obligations, escalating support costs.
The Story of Cisco's Software Supply-Chain
(Figure; the companies were shown as logos that did not survive extraction) Flow shown: ... used GPL code to customize Broadcom's standard Linux distribution; ... embedded the code in one of its chipsets; ... adopted this technology into its WRT54G wireless broadband router; ... bought ... for $500M in 2003; FSF accused Cisco of a license violation; source code made available by ...; developers modified the firmware, turning a low-end ($60) device into a high-function router. The story continues...
Risks of Open Source and Other Cases
(Figure) Risks: infringement, valuation, negative publicity, new revenue, support costs, vulnerability. Cases shown by product type: VOIP phone, wireless router, GPS navigation, network attached storage, WiMax and other, iPhone WIP300, home hub router.
Even Large, Well Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation
The Windows 7 USB/DVD Tool violated the GPLv2 license
• Code was "multi-source," including code from an external supplier with OSS
• Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available
Takeaways:
• Even big companies make mistakes
• OSS can enter from many sources
• It's difficult to manage OSS without both process and technology
Google Security Flaws
• These vulnerabilities were discovered within 24 hours of release
• Easily avoided with the right solution
Pro-Active and Controlled Use of Open Source
• Cost of defects
– Minimal when issues are detected early in the lifecycle
– Grows 100-1,000X late in the lifecycle
• Invest time and process to choose good code up front vs. fixing problems later
Source: Capers Jones, Applied Software Measurement: Assuring Productivity and Quality, 1999.
Meeting the Challenges
Meeting the Challenges of Using Open Source
What if...
• You could automate manual approval processes and empower team members to collaborate?
– Bring together legal, development, executive staff and others
• You could automate discovery and validation to manage risk and ensure compliance?
– Know what's in your code base
– Validate the software bill of materials (BoM) before shipping
– Know the origins of external code
• Development had a catalog of pre-approved components?
– Eliminate unnecessary, redundant requests and approvals
– Know and track where components are used
• Finding the right open source was fast and easy?
– Quality, maturity
– Version
– Understanding license obligations
– Dependencies
Black Duck Helps Unleash the Potential of Open Source Software
• Workflow and approval for multi-user team collaboration with role-based access control
– Eliminate approval delays, enhance group productivity
• Automatically scan the code base to identify open source and uncover hidden license obligations
– Ensure compliance and confidently manage software origins and obligations
• Catalog of pre-approved components
– Saves time and effort
– Encourages standardization and re-use
• Industry's most comprehensive open source KnowledgeBase
– Enables fast, easy search and selection of open source software
Case Study: InfoPrint Solutions
"We chose Black Duck automation to improve productivity by supporting our software license approval processes, code validation and security alert processes. And more importantly, it gives us the highest confidence that we are in compliance with the licenses for the open source software embedded in our products."
– Mike Munger, Senior Technical Staff Manager, InfoPrint Solutions Company
Why InfoPrint chose Black Duck
Problem:
• Identify open source software
• Automate approval process
• Monitor security vulnerabilities on open source components
Solution:
• Black Duck Code Center for approval automation
• Black Duck Protex servers validating BOMs and performing license discovery
Benefits:
• Manages legal risk
• Enables collaboration around open source approvals
• Streamlines processes
Case Study: Intel Corporation
"We selected Black Duck because its knowledge base of open source software and the maintenance of that knowledge base were more robust than other solutions—and the more robust the knowledge base, the lower the risk that licensed software will be used inappropriately."
Why Intel chose Black Duck
Problem:
• Identify open source software
• Automate verification and compliance
• Improve collaboration between functions (development, legal, management, etc.)
Solution:
• Black Duck Protex servers deployed globally, integrated with development tools
Benefits:
• Identifies software conflicts early
• Reduces rework
• Lowers risk of legal issues
Enabling Multi-Source Development Across the Application Lifecycle
• Manage the risks and maximize the compelling benefits of multi-source development
• Integrates with existing development tools and processes
• Solves the three main challenges associated with multi-source development: Management, Compliance, Security
Management
• Create and share a catalog of approved components
• Configurable, role-based approval workflow
• Authentication and role-based access control for individual enterprise users
• Comprehensive code and component search and selection
Compliance
• Automate code discovery, validation, audit
• Ensure compliance with regulations and company policies
• Manage and control software versions, origins & obligations (open source and other code)
Security
• Monitor known security vulnerabilities
• Automatic updates to catalog with real-time alerts; track "where used"
• Ensure selection of most secure open source components
Application Lifecycle
(Figure) Phases: Conceptualize, Define, Design, Develop, Build, Test, Deploy. Black Duck activities mapped across them: Search & Select, Approve, Scan/Analyze, Validate Compliance, Audit & Maintain. Themes: Management, Compliance, Security.
(Figure: suite workflow) Labels: Approval by IT, Security, Legal, Management and Quality under Company Policies; Automated Workflow; Component Requests; Search & Select; Approved Components; Development Catalog; KnowledgeBase (open source, code prints, vulnerabilities, binaries); SCM; Build, Test Systems with Scan & Validate of the Software Bill of Materials; Production Systems with Audit & Maintain.
Comprehensive Code Search
• Find and re-use OSS and existing code across multiple repositories
• Improve quality by more easily tracking down bugs/defects across the enterprise
(Figure) Code Search draws on the Black Duck KnowledgeBase and Koders.com (external) and on internal SCM files and the internal catalog; results carry source code and component attributes.
The Black Duck Suite - Architecture
• Scalable enterprise architecture
• Modular design
• Customizable
• Extensible
• Browser-based for anywhere, any time access
• Integrates with existing ALM infrastructure
(Figure) Layers: UI Framework, SDK, Core Framework, KnowledgeBase.
Supporting Enterprise Collaboration
Typical Deployment of the Black Duck Suite
(Figure) Centralized approval with decentralized scanning & validation: a central Approval function; multiple code repositories, each with local Scanning and Validation.
The Black Duck KnowledgeBase
The Foundation of the Black Duck Suite
The industry's most comprehensive open source database:
• Tens of billions of lines of code
• From over 4,500 sites
• Released under 1,800+ unique licenses
• 39,000+ security vulnerabilities
• 450+ cryptographic algorithms
Extensive metadata:
• Name, description, versions, URL
• License, programming language, OS
• National Vulnerability Database
• Cryptography
• Code Prints of source/binary
• Other information
• Uniquely addresses the "long tail" of OSS projects
• Patented search & pattern-matching technologies
• Continuously expanded
• Custom Code Printing to add proprietary code
• Daily security vulnerability alerts
• Automated Metadata Updates issued ~2x month
(Figure) Open source software flows into the KnowledgeBase, which underpins the Black Duck Suite (Management, Compliance, Security, Code Search) and Koders.com.
Developer Catalog
• Faster and lower cost application development
• Make better choices on the front-end of the development process (100X less costly than fixing a defect later)
• Increased reuse of good code – open source, licensed from 3rd parties
• Authentication and access control for individual enterprise users
• Avoidance of...
– License problems
– Version uncertainties
– Security vulnerabilities
(Figure) Approval Boards (Developers, Security, IT, Legal, Management, Quality) run the Open Source Approval Flow; the KnowledgeBase draws on SourceForge, RubyForge, Eclipse.org, Apache.org, etc. and issues Alerts; the catalog provides OSS & Code Management.
Compliance
• Confidently manage software origins & obligations
• Audit code base against approved components
• Simplify code reviews and 3rd party licensing
• Reduce costs while improving accuracy
(Figure) Labels: Application Server; Projects, Licenses; Open Source, Third Party Code, Internal Code; KnowledgeBase; Review Board; License Conflict; Bill of Materials; Developers; Automated Workflow.
Compliance: Encryption & Export Regulations
• Find cryptographic code embedded in complex software
• Automate compliance with encryption export policy and regulations
• Simplify BIS/NSA notification and licensing
• Generate audit and document compliance reports
(Figure) Labels: CryptoBase, Developers, Compliance Report.
Security Vulnerability Management
• Make informed choices early in the process to ensure selection and use of the most secure open source components
• Catalog of approved components is automatically updated
• Monitor security vulnerabilities
– Daily security alerts routed to customers
– Automatic alerts are sent to the appropriate owner for all components based on "where used"
(Figure) Labels: KnowledgeBase; Alerts; Developer Catalog; Approved Components (e.g., Apache Tomcat, Struts, MySql); Where Used; Approval Flow; Management Alerts.
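The two mechanisms this deck keeps returning to, validating a bill of materials against an approved-component catalog before shipping and routing vulnerability alerts to owners by "where used", shown as an added Python example that is not Black Duck Suite code; the catalog, BOMs, owner addresses and advisory ids are constructed sample data, not real advisories.

```python
"""Validate a software bill of materials (BOM) against an approved-component
catalog, then route vulnerability alerts by "where used".  Added illustration,
not Black Duck code; every component, version, license, advisory id and owner
below is constructed sample data."""
from collections import defaultdict

# Approved-component catalog keyed by (name, version).  Constructed.
CATALOG = {
    ("tomcat", "6.0.20"):          {"license": "Apache-2.0", "approved": True},
    ("struts", "2.1.8"):           {"license": "Apache-2.0", "approved": True},
    ("log4j", "1.2.15"):           {"license": "Apache-2.0", "approved": True},
    ("mysql-connector", "5.1.10"): {"license": "GPL-2.0",    "approved": False},
}

# Licenses that (hypothetical) company policy does not allow in shipped products.
DENIED_LICENSES = {"GPL-2.0"}

# Per-project BOMs as a code scan would produce them.  Constructed.
BOMS = {
    "billing-portal": [("tomcat", "6.0.20"), ("struts", "2.1.8"),
                       ("mysql-connector", "5.1.10")],
    "inventory-svc":  [("tomcat", "6.0.20"), ("log4j", "1.2.15"),
                       ("zlib", "1.2.3")],
}

# Owner to notify for each project.  Constructed addresses.
OWNERS = {"billing-portal": "alice@example.invalid",
          "inventory-svc": "bob@example.invalid"}

# Vulnerability feed records.  Constructed; these are not real advisories.
ADVISORIES = [
    {"id": "ADV-0001", "component": "struts", "affected": {"2.1.8"},  "severity": "high"},
    {"id": "ADV-0002", "component": "tomcat", "affected": {"6.0.18"}, "severity": "medium"},
    {"id": "ADV-0003", "component": "log4j",  "affected": {"1.2.15"}, "severity": "medium"},
]


def validate_bom(bom, catalog=CATALOG, denied=DENIED_LICENSES):
    """Return (component, finding) pairs that should block a release.

    'unknown'        - never went through the approval process at all
    'denied-license' - catalogued, but its license is on the deny list
    'unapproved'     - catalogued, license acceptable, approval still pending
    """
    findings = []
    for comp in bom:
        entry = catalog.get(comp)
        if entry is None:
            findings.append((comp, "unknown"))
        elif entry["license"] in denied:
            findings.append((comp, "denied-license"))
        elif not entry["approved"]:
            findings.append((comp, "unapproved"))
    return findings


def build_where_used(boms=BOMS):
    """Invert the BOMs: (name, version) -> set of projects that ship it."""
    where_used = defaultdict(set)
    for project, bom in boms.items():
        for comp in bom:
            where_used[comp].add(project)
    return where_used


def route_alerts(advisories=ADVISORIES, boms=BOMS, owners=OWNERS):
    """Deliver each advisory only to owners of projects that ship an affected
    version.  Returns {owner: [(advisory_id, name, version, project), ...]}."""
    where_used = build_where_used(boms)
    alerts = defaultdict(list)
    for adv in advisories:
        for version in sorted(adv["affected"]):
            # Exact-version match; a real feed would carry version ranges.
            for project in sorted(where_used.get((adv["component"], version), ())):
                alerts[owners[project]].append(
                    (adv["id"], adv["component"], version, project))
    return dict(alerts)


if __name__ == "__main__":
    for project, bom in BOMS.items():
        print(project, "blocking findings:", validate_bom(bom))
    for owner, items in route_alerts().items():
        print(owner, "->", items)
```

Note that ADV-0002 reaches nobody: it affects a version no project ships, which is exactly the noise that routing by "where used" removes.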
Enterprise Code Search for Software Developers
• Fast search and increased visibility
• Integration with development tools / SCMs
• Proven scalability to billions of lines of code
(Figure) Labels: Developers; Code Search; Internal Code Index; SCM (CVS, Subversion, File System).
Black Duck Suite Summary
Features and benefits:
Completeness
• Covers key processes: search, select, approve, validate and monitor
• Provides the industry's most comprehensive knowledge base of OSS
Automation
• Improves efficiency and speed in development
• Development and approval processes
• Ensures compliance with company policies
Collaboration
• Enables stakeholders (development, legal, security, IT, trade compliance and others) to work together to achieve shared objectives
Scalability
• "Enterprise-class" scalability, configurability, extensibility, and access-controlled security
• Meets the needs of the largest software development organizations
Integration
• SDK with web services API
• Integrates with existing developer tools
• Certified "Ready for Rational"
Why Black Duck
• Pioneered the open source code analysis market in 2002
• Leadership products and services for managing open source throughout the application life-cycle
• Most comprehensive KnowledgeBase of open source software in the industry
• Most experienced vendor with the largest customer base
• Responsive 24X7 support, global presence
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Recently uploaded (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

BlackDuck Suite

  • 1. The Black Duck Suite: Enabling Faster, Lower Cost Innovation with Open Source Software (Black Duck Software)
  • 2. Copyright © 2010 Black Duck Software, Inc. All Rights Reserved. Agenda: Market Dynamics and Challenges; Meeting the Challenges; Overview of the Black Duck Suite; Summary
  • 3. Evolution of Software Development
       Decade | Focus                                             | Scope
       1980's | Code Design                                       | Individual Software Developer
       1990's | Application Life Cycle Management (collaboration) | Project Team / Single Enterprise
       2000's | Component-Based Development                       | Development Ecosystem
  • 4. The Promise of Open Source
       – The Promise: significantly reduce development costs (up to 90%) and accelerate time to market; billions of lines of available code
       – The Challenges: management, compliance, security
       – The Black Duck Solution: realize the promise while eliminating the challenges
  • 5. Black Duck Enables Multi-Source Development: your company's software application draws on open source software (from individuals, universities and corporate developers), internally developed code, outsourced code development and commercial 3rd-party code; each source brings both code and obligations.
  • 6. Development Challenges Using Open Source at Scale
       – Management: leverage the right software from many sources; increase productivity using component software; encourage standardization of components and versions; deliver timely support
       – Compliance & Security: comply with open source policies; manage licensing and associated obligations; comply with export regulations; track security vulnerabilities
       – Formal control of open source software lags adoption: 58% of companies surveyed do not have formal policies or guidelines for OSS (Source: 451 Group, December 2009)
  • 7. Risks of Unmanaged Code: loss of intellectual property; export regulations; injunctions; security vulnerabilities; software defects; license rights and restrictions; contractual obligations; escalating support costs
  • 8. The Story of Cisco's Software Supply-Chain (diagram fragments, in story order): GPL code was used to customize Broadcom's standard Linux distribution; Broadcom embedded the code in one of its chipsets; the business was bought for $500M in 2003 and the technology adopted into Cisco's WRT54G wireless broadband router; developers modified the firmware, turning a low-end ($60) device into a high-function router; FSF accused Cisco of a license violation; source code was made available. The story continues...
  • 9. Risks of Open Source and Other Cases: infringement, valuation, negative publicity, new revenue, support costs, vulnerability. Cases shown on the slide: VOIP phone, wireless router, GPS navigation, network attached storage, WiMax and other, iPhone WIP300, home hub router.
  • 10. Even Large, Well Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation. The Windows 7 USB/DVD Tool violated the GPLv2 license.
       – Code was "multi-source," including code from an external supplier with OSS
       – Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available
       – Takeaways: even big companies make mistakes; OSS can enter from many sources; it's difficult to manage OSS without both process and technology
  • 11. Google Security Flaws: these vulnerabilities were discovered within 24 hours of release; easily avoided with the right solution.
  • 12. Pro-Active and Controlled Use of Open Source
       – Cost of defects: minimal when issues are detected early in the lifecycle; grows 100-1,000X late in the lifecycle
       – Invest time and process to choose good code up front vs. fixing problems later (Capers Jones, Applied Software Measurement: Assuring Productivity and Quality, 1999)
  • 14. Meeting the Challenges of Using Open Source. What if...
       – You could automate manual approval processes and empower team members to collaborate? Bring together legal, development, executive staff and others
       – You could automate discovery and validation to manage risk and ensure compliance? Know what's in your code base; validate the software bill of materials (BoM) before shipping; know the origins of external code
       – Development had a catalog of pre-approved components? Eliminate unnecessary, redundant requests and approvals; know and track where components are used
       – Finding the right open source was fast and easy? Quality and maturity; version; understanding license obligations; dependencies
  • 15. Black Duck Helps Unleash the Potential of Open Source Software
       – Workflow and approval for multi-user team collaboration with role-based access control: eliminate approval delays, enhance group productivity
       – Automatically scan the code base to identify open source and uncover hidden license obligations: ensure compliance and confidently manage software origins and obligations
       – Catalog of pre-approved components: saves time and effort; encourages standardization and re-use
       – Industry's most comprehensive open source KnowledgeBase: enables fast, easy search and selection of open source software
  • 16. Case Study: InfoPrint Solutions. "We chose Black Duck automation to improve productivity by supporting our software license approval processes, code validation and security alert processes. And more importantly, it gives us the highest confidence that we are in compliance with the licenses for the open source software embedded in our products." – Mike Munger, Senior Technical Staff Manager, InfoPrint Solutions Company
       – Problem (why InfoPrint chose Black Duck): identify open source software; automate the approval process; monitor security vulnerabilities on open source components
       – Solution: Black Duck Code Center for approval automation; Black Duck Protex servers validating BOMs and performing license discovery
       – Benefits: manages legal risk; enables collaboration around open source approvals; streamlines processes
  • 17. Case Study: Intel Corporation. "We selected Black Duck because its knowledge base of open source software and the maintenance of that knowledge base were more robust than other solutions, and the more robust the knowledge base, the lower the risk that licensed software will be used inappropriately."
       – Problem (why Intel chose Black Duck): identify open source software; automate verification and compliance; improve collaboration between functions (development, legal, management, etc.)
       – Solution: Black Duck Protex servers deployed globally, integrated with development tools
       – Benefits: identifies software conflicts early; reduces rework; lowers risk of legal issues
  • 18. Enabling Multi-Source Development Across the Application Lifecycle: manage the risks and maximize the compelling benefits of multi-source development; integrates with existing development tools and processes; solves the three main challenges associated with multi-source development: management, compliance, security
  • 19. Management, Compliance, Security
       – Management: create and share a catalog of approved components; configurable, role-based approval workflow; authentication and role-based access control for individual enterprise users; comprehensive code and component search and selection
       – Compliance: automate code discovery, validation and audit; ensure compliance with regulations and company policies; manage and control software versions, origins and obligations (open source and other code)
       – Security: monitor known security vulnerabilities; automatic updates to the catalog with real-time alerts, tracking "where used"; ensure selection of the most secure open source components
  • 20. Application Lifecycle: Conceptualize, Define, Design, Develop, Build, Test, Deploy. Black Duck activities across the lifecycle: Search & Select, Approve, Validate Compliance, Scan/Analyze, Audit & Maintain (management, compliance, security).
  • 21. Automated Workflow (diagram): Development submits component requests and searches and selects approved components from the Catalog; Approval by IT, Security, Legal, Management and Quality against Company Policies; Build and Test Systems produce the Software Bill of Materials, which is scanned and validated against SCM; Production Systems are audited and maintained; the KnowledgeBase supplies open source, code prints, vulnerabilities and binaries.
  • 22. Comprehensive Code Search: Black Duck KnowledgeBase (source code, component attributes), internal catalog and SCM files, and external code search via Koders.com
       – Find and re-use OSS and existing code across multiple repositories
       – Improve quality by more easily tracking down bugs and defects across the enterprise
  • 23. The Black Duck Suite - Architecture: scalable enterprise architecture; modular design; customizable; extensible; browser-based for anywhere, any time access; integrates with existing ALM infrastructure. Layers: KnowledgeBase, SDK, Core Framework, UI Framework.
  • 24. Supporting Enterprise Collaboration
  • 25. Typical Deployment of the Black Duck Suite: centralized approval with decentralized scanning and validation of source code.
  • 26. The Black Duck KnowledgeBase: The Foundation of the Black Duck Suite. The industry's most comprehensive open source database.
       – Open Source Software: tens of billions of lines of code; from over 4,500 sites; released under 1,800+ unique licenses; 39,000+ security vulnerabilities; 450+ cryptographic algorithms
       – Extensive metadata: name, description, versions, URL; license, programming language, OS; National Vulnerability Database; cryptography; code prints of source/binary; other information
       – Uniquely addresses the "long tail" of OSS projects; patented search and pattern-matching technologies; continuously expanded; custom Code Printing to add proprietary code; daily security vulnerability alerts; automated metadata updates issued ~2x per month
  • 27. Black Duck Suite: Management, Compliance, Security, Code Search (Koders.com)
  • 28. Developer Catalog (OSS & Code Management)
       – Faster and lower cost application development
       – Make better choices on the front end of the development process (100X less costly than fixing a defect later)
       – Increased reuse of good code: open source, licensed from 3rd parties
       – Authentication and access control for individual enterprise users
       – Avoidance of license problems, version uncertainties and security vulnerabilities
       – Diagram: KnowledgeBase feeds the catalog from SourceForge, RubyForge, Eclipse.org, Apache.org, etc.; open source approval flow and alerts reach Developers, Security, IT, Legal, Management and Quality approval boards
  • 29. Compliance: confidently manage software origins and obligations; audit the code base against approved components; simplify code reviews and 3rd-party licensing; reduce costs while improving accuracy. Diagram: application server projects (open source, third-party code, internal code) and licenses are checked against the KnowledgeBase; an automated workflow routes license conflicts and the bill of materials to the review board and developers.
  • 30. Compliance: Encryption & Export Regulations: find cryptographic code embedded in complex software; automate compliance with encryption export policy and regulations; simplify BIS/NSA notification and licensing; generate audit and document compliance reports (CryptoBase, compliance report to developers)
  • 31. Security Vulnerability Management
       – Make informed choices early in the process to ensure selection and use of the most secure open source components
       – Catalog of approved components is automatically updated
       – Monitor security vulnerabilities: daily security alerts routed to customers; automatic alerts are sent to the appropriate owner for all components based on "where used" (e.g., Apache Tomcat, Struts, MySql)
       – Diagram: KnowledgeBase alerts flow through the Developer Catalog of approved components, the approval flow and the "where used" map to management alerts
  • 32. Enterprise Code Search for Software Developers: fast search and increased visibility; integration with development tools and SCMs; proven scalability to billions of lines of code. Code Search indexes internal code from CVS, Subversion and the file system.
  • 33. Black Duck Suite Summary
       – Completeness: covers key processes (search, select, approve, validate and monitor); provides the industry's most comprehensive knowledge base of OSS
       – Automation: improves efficiency and speed in development and approval processes; ensures compliance with company policies
       – Collaboration: enables stakeholders (development, legal, security, IT, trade compliance and others) to work together to achieve shared objectives
       – Scalability: "enterprise-class" scalability, configurability, extensibility and access-controlled security; meets the needs of the largest software development organizations
       – Integration: SDK with web services API; integrates with existing developer tools; certified "Ready for Rational"
  • 34. Why Black Duck: pioneered the open source code analysis market in 2002; leadership products and services for managing open source throughout the application life-cycle; most comprehensive KnowledgeBase of open source software in the industry; most experienced vendor with the largest customer base; responsive 24X7 support, global presence
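
The approval, BOM-validation and "where used" alerting flow the slides describe (slides 14, 19, 28 and 31) can be made concrete in a few lines. The following is an added illustration written for this page, not Black Duck's own code or API: it checks a bill of materials against an approved-component catalog and a license policy, routes vulnerability advisories to the owners of the projects that actually use an affected version, and reports components deployed at more than one version. Component names come from the slides; every version, license, advisory id, project and owner name is constructed sample data.

```python
# Added illustrative example (not Black Duck's code): approved-component catalog
# check, license-policy check, "where used" vulnerability alert routing and
# version-proliferation reporting over a constructed bill of materials.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Component:
    name: str       # component name as it appears in the BOM
    version: str
    license: str    # SPDX-style license identifier


@dataclass
class Policy:
    approved: set            # catalog of pre-approved (name, version) pairs
    allowed_licenses: set    # licenses acceptable under company policy
    conflicts: dict          # distribution model -> licenses that conflict with it


@dataclass(frozen=True)
class Alert:
    owner: str
    project: str
    advisory: str
    component: str
    version: str


def validate_bom(bom, policy, distribution):
    """Check each BOM entry against the catalog and license policy.

    Returns a list of human-readable findings; an empty list means the BOM
    passes for the given distribution model (e.g. "proprietary-binary").
    """
    findings = []
    for c in bom:
        if (c.name, c.version) not in policy.approved:
            findings.append(f"{c.name} {c.version}: not in approved catalog")
        if c.license not in policy.allowed_licenses:
            findings.append(f"{c.name} {c.version}: license {c.license} not allowed")
        elif c.license in policy.conflicts.get(distribution, set()):
            findings.append(
                f"{c.name} {c.version}: {c.license} conflicts with {distribution} distribution")
    return findings


def route_alerts(advisories, where_used):
    """Map each advisory to the owners of projects using an affected version."""
    alerts = []
    for adv in advisories:
        for version in sorted(adv["affected"]):
            for project, owner in where_used.get((adv["component"], version), []):
                alerts.append(Alert(owner, project, adv["id"], adv["component"], version))
    return alerts


def alerts_by_owner(alerts):
    """Group routed alerts so each owner receives a single digest."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a.owner].append(a)
    return dict(grouped)


def version_proliferation(where_used):
    """Components in use at more than one version: candidates for standardization."""
    versions = defaultdict(set)
    for name, version in where_used:
        versions[name].add(version)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


# Constructed sample data: component names are from the slides; versions,
# licenses, advisory ids, project and owner names are made up for this example.
SAMPLE_BOM = [
    Component("apache-tomcat", "7.0.2", "Apache-2.0"),
    Component("struts", "2.1.8", "Apache-2.0"),
    Component("struts", "2.0.11", "Apache-2.0"),        # older version, never approved
    Component("readline-helper", "3.1", "GPL-2.0"),     # hypothetical GPL component
]

SAMPLE_POLICY = Policy(
    approved={("apache-tomcat", "7.0.2"), ("struts", "2.1.8"), ("readline-helper", "3.1")},
    allowed_licenses={"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-2.0"},
    conflicts={"proprietary-binary": {"GPL-2.0"}},
)

SAMPLE_WHERE_USED = {
    ("apache-tomcat", "7.0.2"): [("billing-web", "alice"), ("legacy-portal", "bob")],
    ("struts", "2.1.8"): [("billing-web", "alice")],
    ("struts", "2.0.11"): [("legacy-portal", "bob")],
    ("readline-helper", "3.1"): [("cli-tool", "carol")],
}

SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "component": "struts", "affected": {"2.0.11"}},        # placeholder id
    {"id": "ADV-0002", "component": "apache-tomcat", "affected": {"7.0.2"}},  # placeholder id
]

if __name__ == "__main__":
    for f in validate_bom(SAMPLE_BOM, SAMPLE_POLICY, "proprietary-binary"):
        print("BOM finding:", f)
    digests = alerts_by_owner(route_alerts(SAMPLE_ADVISORIES, SAMPLE_WHERE_USED))
    for owner, items in digests.items():
        print(f"alert digest for {owner}: {[(a.advisory, a.project) for a in items]}")
    print("version proliferation:", version_proliferation(SAMPLE_WHERE_USED))
```

The license check is deliberately split in two: a license can be acceptable in general (here GPL-2.0 is on the allowed list) yet still conflict with a particular distribution model, which is the kind of conflict slide 29 calls out. Routing on the exact (component, version) pair rather than the component name is what keeps the owner of a project on an unaffected version from receiving noise, and the proliferation report surfaces the "version uncertainties" slide 28 warns about before an advisory arrives.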

Editor's Notes

  1. In the very early days of computing, product offerings seeking to improve developer productivity focused on tools for code design that could be used by the individual developer. For example, the first version of Turbo Pascal appeared in 1983. As the industry matured, the focus of innovation grew to facilitate the collaboration of groups of developers. For example, the (then revolutionary) revision management tool ClearCase was released by Atria Software in 1992. Today, it's the rare application that's developed and coded from the ground up exclusively by internal resources. In the world of component-based development, where "reuse" is the mantra, developers are looking at a variety of sources of code, both internal and external. External sources of code are suppliers, partners and the open source community. We term the blending of the internal and external sources of code "the development ecosystem." This brings us to the most recent (rightmost) stage in the history of innovation aimed at developer productivity, which takes place in the era of component-based development.
  2. While Black Duck does not make open source software, we help our customers realize the promise it offers while minimizing or eliminating the challenges and risks associated with it.
  3. The challenges arise from mixing code from different sources: partner code, open source, internal code and vendor-sourced code. Each of these sources could be managing its own separate version of a code component. They could be incorporating conflicting software licenses into the code base. The code could have unexpected dependencies. The software "integrator" is on the hook for robust and timely support, but the support model for open source code is an area that people must think about explicitly. Code from the development ecosystem could have varying levels of quality: some of it is great, some of it not so great. If an organization implements compliance, it may involve many approval boards. The danger of thorough compliance is that it can be time consuming, slow to react and bureaucratic. Yet it is a necessary part of software development in today's complex and changing landscape.
  4. Many great companies have had bad things happen to them because they did not address the need for governance in their software supply chain.
     – Loss of intellectual property: Cisco was forced to open source some code and ultimately lost control over a product line. Impact was probably millions in lost revenue. See the support slide on this.
     – License rights and restrictions
     – Contractual obligations
     – Injunctions: when Monsoon Multimedia was sued by the Software Freedom Law Center, the suit requested an injunction (stop ship) on their product. This would be devastating for a business.
     – Export regulations
     – Security vulnerabilities
     – Software defects
     – Escalating support costs: version proliferation
  5. Continuously expanded (sub-bullets; updated 9/9/08): significant investment in automated tools; site mirrors for popular sites.
     – Open source licenses: GPL, LGPL, Apache, BSD, CPL, Creative Commons, Eclipse, Microsoft, MIT, Sun
     – Open source sites: Apache.org, Eclipse.org, Kernel.org, Sun.com, RubyForge.org, Asterisk.com, PlanetSourceCode.com, Zope.org, GNU.org, CPAN.org, MySQL.com, SourceForge.net