Best practices for using open source software in the enterprise

Marcel de Vries
Marcel de VriesCTO at Xpirit (Part of the Xebia group) à Xpirit Netherlands B.V.
Marcel de Vries CTO Xpirit Best Practices for Using Open Source Software in the Enterprise
About me: Marcel de Vries mdevries@xpirit.com @marcelv http://fluentbytes.comXpirit Also regional director
How software is built • 80% is based on components + your code + glue code => new product • Components dominantly are now open source • Build on the shoulders of giants by using free software components in your products
DEMO Awareness is key!
Look at average ASP.NET website • ASP.NET itself • Entity framework • JQuery • Angular • Bootstrap • … 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
The new Microsoft • Microsoft embraces open source in many areas now • Did you know Azure provides many different flavors of Linux distributions? • Did you know Microsoft open sourced important parts of their development platform? – ASP.NET MSBuild – SignalR .NET Core (CLR & FW) – Roslyn compilers WCF
The .NET Foundation .NET API for Hadoop WebClient .NET Compiler Platform ("Roslyn") .NET Map Reduce API for Hadoop .NET Micro Framework ASP.NET MVC ASP.NET Web API ASP.NET Web Pages ASP.NET SignalR Composition (MEF2) Entity Framework Linq to Hive MEF (Managed Extensibility Framework) OWIN Authentication Middleware Rx (Reactive Extensions) Web Protection Library Windows Azure .NET SDK Windows Phone Toolkit WnsRecipe Mimekit Xamarin.Auth Xamarin.Mobile Couchbase for .NET Miguel de Icaza (Xamarin) Laurent Bugnion (IdentityMine) Niels Hartvig (Umbraco) Anthony van der Hoorn (Glimpse) Paul Betts (GitHub) Nigel Sampson (Compiled Experience) http://www.dotnetfoundation.org Mailkit System.Drawing
Best practices in OSS for the enterprise • In the Microsoft eco system we are just getting started • How do you come up with best practices already? – Look at the eco systems that have been using OSS for a long time • E.g. Java ecosystem – My personal experience as Technology manager, CTO in terms of risk awareness • Experiences based on consulting engagements where I worked in heterogeneous environment
Challenge to the enterprise • Developers want freedom to use open source software – It is highly encouraged by modern development tools like Visual Studio – NuGet, NPM (node), Bower, Maven, etc. • How can I empower my developers, without bringing my company at risk? • I see my .NET developer use open source now, how can I cope with this and still keep them happy?
Open source software • What are the implications in the enterprise? What is open source? Publish open source software What are common business models? When can I publish Oss? What do I need to accept contributions? Consuming open source software What are the Licenses implications? Are there known Vulnerabilities? How well are these sources maintained? How can we keep that in control?
What is open source anyway? “Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose” St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951
According to the Open Source Definition, the license must not: • Discriminate against persons or groups • Discriminate against fields of endeavour • Be specific to a product • Restrict other software http://opensource.org/osd What is a license?
COPYLEFT GPL LGPL AGPL Permissive Restrictive License spectrum
Copyleft License implications • Distribution triggers obligations – And in some cases using on a network also trigger obligations (AGPL) • Obligations are: • Disclosing the source code of your product; • Making your product available under that copyleft license; • Licensing your patents that read on the software. • Once your product is available under a copyleft license any recipient can use it and distribute it without charge.
Copyleft and Cloud • In general, using modified Copy left sources do not need to be published when used in cloud solution • Cloud service is in general not considered distribution, but use of the software – So does not trigger copy left obligations • Except for following licenses: – AGPL – European Union Public License – Common Public License
CONTRIBUTING TO OPEN SOURCE
OSS Contribution Funnel • Be able to understand what it does • Can easily pick it up and use • Download • Fork / Follow / FavouriteUse • Log bugs • Answer questions • Write blog posts • Fix / add documentation • Fix typos Contribute Time • Actually contribute code patches that fix bugs / improve test cases • Contribute entirely new features • Translate • Maintain platforms Contribute Code • Become a core committer (get write access) • Accept / validate code contributions • Nurture new people • Stick around • Influence the direction of the project Own
Publishing open source • What do you need when you want to publish open source software? • You need to know who worked on the software – Each individual is a copyright holder! – If you don’t know, you are at risk going forward, you need to chase them down • How about I publish software on my blog? – You are still the copyright holder and need to set license terms for others to be able to use it!
A Contributor License Agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license. From Wikipedia, the free encyclopedia
Why would I publish my product as OSS? • Open source is a proven viable business model • Company builds and contributes to the open source software • Company builds premium components they sell • Company provides premium services – e.g. SaaS versions of the product, or consulting services
CONSUMING OPEN SOURCE
Consuming open source software Use of components creates a SOFTWARE SUPPLY CHAIN DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
Licenses are one part of the story, but what about… HEARTBLEEDEverything was secure until, suddenly it wasn’t Introduced December 2011 Discovered April 2014 Lot of instances fixed, but still not all!
Consuming open source software If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
You need to know what is used in your enterprise! How can we empower developers in using open source but be risk aware?
What can we learn from the Java space? • They use artifact repositories to pull their packages from and push their packages to – Provides a single point where you can ask questions about the software • In the Microsoft ALM tools, we are used to – Use Version control repositories for our sources – Use network drop locations for our build products – Use the web to pull our packages
Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
When you have a repo in place, you can…. • Scan for licenses in use • Scan for known vulnerabilities • Scan for popularity
Meet the artifact repository • There are different flavors out there – Alternatives are archiva, Artifactory, Nexus – You can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository +Manager+Feature+Matrix • For my demos I am using Sonatype Nexus – The one I most commonly encountered in my engagements with customers – Supports the Microsoft Eco system with NuGet!
DEMO Show nexus PRO
Great but not all OSS comes from NuGet How can you know what is in your enterprise, because just using a proxy does not cut it?
How to publish to repo after build By publishing your product back to the artifact repository, you can now scan your software on use of OSS
Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
DEMO Publish to artefact repo
Great! Now I have an artifact repository, how does that solve my needs?
We need a way to scan my repository and answer my important questions
DEMO Health reports
Part of the puzzle • Artifact repositories can help you – Empower your developers to build on shoulders of giants – Analyze what is in use • Source code or binaries – Give insights in your exposure to known vulnerabilities in OSS components • There are things you need to figure out yourself – What OSS do we pick for certain parts of the system – How do you select the right component with an abundance of choice? – How do you engage with communities? – How to manage contributions to OSS?
What we not covered • Integrating license and vulnerability scans as part of your continuous delivery pipeline • Defining policies for what you allow – Component Lifecycle Management tooling – Can plug into your build system or your delivery pipelines • People and Perception – Developer bias – Developer satisfaction – Not looking at the other side of the fence
Summary • There is more to open source than sources • Understand licensing • Understanding the OSS ecosystem • OSS usage impacts your business • Set up a strategy to know what you are using • Artifact repository can help you solve parts of the puzzle – Make them part of your Continuous Delivery Pipeline
Questions? • Xpirit Magazine in your TechDays bag with cool articles on e.g: – Hololens programming – Azure Service Fabric – Application Insights http://fluentbytes.com @marcelv mdevries@Xpirit.com Need help? Contact us
1 sur 41

Best practices for using open source software in the enterprise

Télécharger pour lire hors ligne
Technologie

Most of us understand the benefits of using open source software (OSS) and libraries. Heck, even Microsoft embraces it, so why can’t you adopt it as well in your enterprise? Open source can be a blessing and a curse at the same time. We probably all remember incidents like the “heart bleed” vulnerability in a popular open source implementation of SSL. So, if open source becomes more and more prevalent, how can we cope with the challenges that lay at hand? We will be challenged with all sorts of questions in the enterprise: What are the license implications when I take a dependency on a library with a viral type of license? What version of open source libraries are we using and are they the choice of the generic public or did we select one we now need to maintain ourselves? Are there known vulnerabilities in the libraries we use, and if so, are we affected by that? In this session, we take a practical approach to using open source libraries in product development for the enterprise. We touch briefly on the license types and the ones to look out for. We show you how an artefact repository system can help you to answer a lot of the tough questions. Learn how to integrate a system that is very popular, called Nexus, in your continuous deployment strategy and ensure a frictionless experience for your developers. We show integration with NuGet and how to manage open source dependencies using proxy facilities so you can ensure only a curated set of libraries are used, and meet compliance requirements for your business.

Marcel de Vries
Marcel de VriesCTO at Xpirit (Part of the Xebia group) à Xpirit Netherlands B.V.

Recommandé

Architecting systems for continuous delivery par
Architecting systems for continuous deliveryArchitecting systems for continuous delivery
Architecting systems for continuous deliveryMarcel de Vries
3.8K vues56 diapositives
Using microsoft application insights to implement a build, measure, learn loop par
Using microsoft application insights to implement a build, measure, learn loopUsing microsoft application insights to implement a build, measure, learn loop
Using microsoft application insights to implement a build, measure, learn loopMarcel de Vries
3.5K vues32 diapositives
Testing Ajax, Mobile Apps the Agile Way par
Testing Ajax, Mobile Apps the Agile WayTesting Ajax, Mobile Apps the Agile Way
Testing Ajax, Mobile Apps the Agile WayClever Moe
7K vues16 diapositives
Implementing Test Automation: What a Manager Should Know par
Implementing Test Automation: What a Manager Should KnowImplementing Test Automation: What a Manager Should Know
Implementing Test Automation: What a Manager Should KnowSoftServe
582 vues18 diapositives
How to Reduce Time to Market Using Microsoft DevOps Solutions par
How to Reduce Time to Market Using Microsoft DevOps SolutionsHow to Reduce Time to Market Using Microsoft DevOps Solutions
How to Reduce Time to Market Using Microsoft DevOps SolutionsSoftServe
528 vues17 diapositives
Use Jenkins For Continuous Load Testing And Mobile Test Automation par
Use Jenkins For Continuous Load Testing And Mobile Test AutomationUse Jenkins For Continuous Load Testing And Mobile Test Automation
Use Jenkins For Continuous Load Testing And Mobile Test AutomationClever Moe
1.2K vues32 diapositives

Contenu connexe

Tendances

Salesforce AppExchange Superhero North England User Group 2nd july par
Salesforce AppExchange Superhero North England User Group 2nd julySalesforce AppExchange Superhero North England User Group 2nd july
Salesforce AppExchange Superhero North England User Group 2nd julyRichard Clark
777 vues31 diapositives
Continuous Integration, Deploy, Test From Beginning To End 2014 par
Continuous Integration, Deploy, Test From Beginning To End 2014Continuous Integration, Deploy, Test From Beginning To End 2014
Continuous Integration, Deploy, Test From Beginning To End 2014Clever Moe
1.1K vues32 diapositives
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test Automation par
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test AutomationSTARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test Automation
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test AutomationClever Moe
1.4K vues32 diapositives
Running JMeter Tests In Appvance PerformanceCloud par
Running JMeter Tests In Appvance PerformanceCloudRunning JMeter Tests In Appvance PerformanceCloud
Running JMeter Tests In Appvance PerformanceCloudClever Moe
2.4K vues4 diapositives
CloudBees Continuous Integration and Test with Appvance PerformanceCloud par
CloudBees Continuous Integration and Test with Appvance PerformanceCloudCloudBees Continuous Integration and Test with Appvance PerformanceCloud
CloudBees Continuous Integration and Test with Appvance PerformanceCloudClever Moe
691 vues16 diapositives
Neev QA Offering par
Neev QA OfferingNeev QA Offering
Neev QA OfferingNeev Technologies
1.8K vues49 diapositives

Tendances(20)

Salesforce AppExchange Superhero North England User Group 2nd july par Richard Clark
Salesforce AppExchange Superhero North England User Group 2nd julySalesforce AppExchange Superhero North England User Group 2nd july
Salesforce AppExchange Superhero North England User Group 2nd july
Richard Clark777 vues
Continuous Integration, Deploy, Test From Beginning To End 2014 par Clever Moe
Continuous Integration, Deploy, Test From Beginning To End 2014Continuous Integration, Deploy, Test From Beginning To End 2014
Continuous Integration, Deploy, Test From Beginning To End 2014
Clever Moe1.1K vues
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test Automation par Clever Moe
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test AutomationSTARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test Automation
STARWest: Use Jenkins For Continuous 
Load Testing And Mobile Test Automation
Clever Moe1.4K vues
Running JMeter Tests In Appvance PerformanceCloud par Clever Moe
Running JMeter Tests In Appvance PerformanceCloudRunning JMeter Tests In Appvance PerformanceCloud
Running JMeter Tests In Appvance PerformanceCloud
Clever Moe2.4K vues
CloudBees Continuous Integration and Test with Appvance PerformanceCloud par Clever Moe
CloudBees Continuous Integration and Test with Appvance PerformanceCloudCloudBees Continuous Integration and Test with Appvance PerformanceCloud
CloudBees Continuous Integration and Test with Appvance PerformanceCloud
Clever Moe691 vues
Neev QA Offering par Neev Technologies
Neev QA OfferingNeev QA Offering
Neev QA Offering
Neev Technologies1.8K vues
Splitting the Check on Compliance and Security par Jason Chan
Splitting the Check on Compliance and SecuritySplitting the Check on Compliance and Security
Splitting the Check on Compliance and Security
Jason Chan32.8K vues
Proactive Security AppSec Case Study par Andy Hoernecke
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke764 vues
From Gates to Guardrails: Alternate Approaches to Product Security par Jason Chan
From Gates to Guardrails: Alternate Approaches to Product SecurityFrom Gates to Guardrails: Alternate Approaches to Product Security
From Gates to Guardrails: Alternate Approaches to Product Security
Jason Chan3.4K vues
Resilience and Compliance at Speed and Scale par Jason Chan
Resilience and Compliance at Speed and ScaleResilience and Compliance at Speed and Scale
Resilience and Compliance at Speed and Scale
Jason Chan1.9K vues
SauceCon 2017: Making Your Mobile App Automatable par Sauce Labs
SauceCon 2017: Making Your Mobile App AutomatableSauceCon 2017: Making Your Mobile App Automatable
SauceCon 2017: Making Your Mobile App Automatable
Sauce Labs181 vues
From 0 to DevOps in 80 Days [Webinar Replay] par Dynatrace
From 0 to DevOps in 80 Days [Webinar Replay]From 0 to DevOps in 80 Days [Webinar Replay]
From 0 to DevOps in 80 Days [Webinar Replay]
Dynatrace958 vues
Continuous Delivery par Vishal Sahasrabuddhe
Continuous DeliveryContinuous Delivery
Continuous Delivery
Vishal Sahasrabuddhe1.2K vues
Making security-agile matt-tesauro par Matt Tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
Matt Tesauro1.4K vues
3 Tips to Deliver Fast Performance Across Mobile Web par Dynatrace
3 Tips to Deliver Fast Performance Across Mobile Web3 Tips to Deliver Fast Performance Across Mobile Web
3 Tips to Deliver Fast Performance Across Mobile Web
Dynatrace468 vues
Resilience and Security @ Scale: Lessons Learned par Jason Chan
Resilience and Security @ Scale: Lessons LearnedResilience and Security @ Scale: Lessons Learned
Resilience and Security @ Scale: Lessons Learned
Jason Chan4.8K vues
we45 - SecDevOps Concept Presentation par Abhay Bhargav
we45 - SecDevOps Concept Presentationwe45 - SecDevOps Concept Presentation
we45 - SecDevOps Concept Presentation
Abhay Bhargav1.2K vues
Continuous Everything @ dotnet cologne 2019 par Tobias Hoppenthaler
Continuous Everything @ dotnet cologne 2019Continuous Everything @ dotnet cologne 2019
Continuous Everything @ dotnet cologne 2019
Tobias Hoppenthaler132 vues
Hacker Proof web app using Functional tests par Ankita Gupta
Hacker Proof web app using Functional testsHacker Proof web app using Functional tests
Hacker Proof web app using Functional tests
Ankita Gupta2.6K vues
AppSec Pipeline - Velcocity NY 2015 par Matt Tesauro
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015
Matt Tesauro2K vues

Similaire à Best practices for using open source software in the enterprise

Open Source Software[1] par
Open Source Software[1]Open Source Software[1]
Open Source Software[1]amckay1578
676 vues11 diapositives
Managing the Software Supply Chain: Policies that Promote Innovation While Op... par
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...FINOS
87 vues38 diapositives
Advantages & Disadvantages (Open-Source vs. Proprietary Software) par
Advantages & Disadvantages (Open-Source vs. Proprietary Software)Advantages & Disadvantages (Open-Source vs. Proprietary Software)
Advantages & Disadvantages (Open-Source vs. Proprietary Software)Fleurati
3.8K vues36 diapositives
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ... par
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...WSO2
784 vues151 diapositives
Open soucre(cut shrt) par
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)Shivani Rai
431 vues20 diapositives
Open Source evaluation: A comprehensive guide on what you are using par
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are usingAll Things Open
21 vues31 diapositives

Similaire à Best practices for using open source software in the enterprise(20)

Open Source Software[1] par amckay1578
Open Source Software[1]Open Source Software[1]
Open Source Software[1]
amckay1578676 vues
Managing the Software Supply Chain: Policies that Promote Innovation While Op... par FINOS
Managing the Software Supply Chain: Policies that Promote Innovation While Op...Managing the Software Supply Chain: Policies that Promote Innovation While Op...
Managing the Software Supply Chain: Policies that Promote Innovation While Op...
FINOS87 vues
Advantages & Disadvantages (Open-Source vs. Proprietary Software) par Fleurati
Advantages & Disadvantages (Open-Source vs. Proprietary Software)Advantages & Disadvantages (Open-Source vs. Proprietary Software)
Advantages & Disadvantages (Open-Source vs. Proprietary Software)
Fleurati3.8K vues
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ... par WSO2
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
[Workshop] Building an Integration Agile Digital Enterprise with Open Source ...
WSO2784 vues
Open soucre(cut shrt) par Shivani Rai
Open soucre(cut shrt)Open soucre(cut shrt)
Open soucre(cut shrt)
Shivani Rai431 vues
Open Source evaluation: A comprehensive guide on what you are using par All Things Open
Open Source evaluation: A comprehensive guide on what you are usingOpen Source evaluation: A comprehensive guide on what you are using
Open Source evaluation: A comprehensive guide on what you are using
All Things Open21 vues
Open Source & What It Means For Self-Sovereign Identity (SSI) par Evernym
Open Source & What It Means For Self-Sovereign Identity (SSI)Open Source & What It Means For Self-Sovereign Identity (SSI)
Open Source & What It Means For Self-Sovereign Identity (SSI)
Evernym103 vues
Intro to open source - 101 presentation par Javier Perez
Intro to open source - 101 presentationIntro to open source - 101 presentation
Intro to open source - 101 presentation
Javier Perez339 vues
Tracing The Evolution Open Source & Embedded Systems - Mr. Jayakumar Balasubr... par Lounge47
Tracing The Evolution Open Source & Embedded Systems - Mr. Jayakumar Balasubr...Tracing The Evolution Open Source & Embedded Systems - Mr. Jayakumar Balasubr...
Tracing The Evolution Open Source & Embedded Systems - Mr. Jayakumar Balasubr...
Lounge47828 vues
Tracing the evolution - Open source & Embedded systems par Emertxe Information Technologies Pvt Ltd
Tracing the evolution - Open source & Embedded systemsTracing the evolution - Open source & Embedded systems
Tracing the evolution - Open source & Embedded systems
Emertxe Information Technologies Pvt Ltd1.3K vues
Open Source Software in Libraries par Sukhdev Singh
Open Source Software in LibrariesOpen Source Software in Libraries
Open Source Software in Libraries
Sukhdev Singh13.6K vues
GoOpen 2010: Sandro D'Elia par Friprogsenteret
GoOpen 2010: Sandro D'EliaGoOpen 2010: Sandro D'Elia
GoOpen 2010: Sandro D'Elia
Friprogsenteret774 vues
Leverage the power of Open Source in your company par Guillaume POTIER
Leverage the power of Open Source in your company Leverage the power of Open Source in your company
Leverage the power of Open Source in your company
Guillaume POTIER1.4K vues
Open source . . . Open Road par Mazen Elsayed
Open source . . . Open RoadOpen source . . . Open Road
Open source . . . Open Road
Mazen Elsayed460 vues
Open Source Project Management par Semen Arslan
Open Source Project ManagementOpen Source Project Management
Open Source Project Management
Semen Arslan317 vues
Open Source vs Proprietary par M. Antoinette Jerom
Open Source vs ProprietaryOpen Source vs Proprietary
Open Source vs Proprietary
M. Antoinette Jerom3.9K vues
LINUX BASICS par RamjiChaurasiya
LINUX BASICSLINUX BASICS
LINUX BASICS
RamjiChaurasiya7 vues
OSS has taken over the enterprise: The top five OSS trends of 2015 par Rogue Wave Software
OSS has taken over the enterprise: The top five OSS trends of 2015OSS has taken over the enterprise: The top five OSS trends of 2015
OSS has taken over the enterprise: The top five OSS trends of 2015
Rogue Wave Software 715 vues
Open source par Sahil Kajani
Open sourceOpen source
Open source
Sahil Kajani201 vues
Open source software par jaimeacurry
Open source softwareOpen source software
Open source software
jaimeacurry798 vues

Plus de Marcel de Vries

Continuous delivery with Release Management for visual Studio par
Continuous delivery with Release Management for visual StudioContinuous delivery with Release Management for visual Studio
Continuous delivery with Release Management for visual StudioMarcel de Vries
2K vues24 diapositives
Release management with tfs 2013 par
Release management with tfs 2013Release management with tfs 2013
Release management with tfs 2013Marcel de Vries
537 vues25 diapositives
Cross platform native mobile app development for iOS, Android and Windows usi... par
Cross platform native mobile app development for iOS, Android and Windows usi...Cross platform native mobile app development for iOS, Android and Windows usi...
Cross platform native mobile app development for iOS, Android and Windows usi...Marcel de Vries
4.3K vues43 diapositives
Release management with tfs 2013 par
Release management with tfs 2013Release management with tfs 2013
Release management with tfs 2013Marcel de Vries
2.7K vues24 diapositives
Leveraging the azure cloud for your mobile apps par
Leveraging the azure cloud for your mobile appsLeveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile appsMarcel de Vries
447 vues38 diapositives
Developing i phone, android and windows phone 7 applications with c# par
Developing i phone, android and windows phone 7 applications with c#Developing i phone, android and windows phone 7 applications with c#
Developing i phone, android and windows phone 7 applications with c#Marcel de Vries
507 vues34 diapositives

Plus de Marcel de Vries(8)

Continuous delivery with Release Management for visual Studio par Marcel de Vries
Continuous delivery with Release Management for visual StudioContinuous delivery with Release Management for visual Studio
Continuous delivery with Release Management for visual Studio
Marcel de Vries2K vues
Release management with tfs 2013 par Marcel de Vries
Release management with tfs 2013Release management with tfs 2013
Release management with tfs 2013
Marcel de Vries537 vues
Cross platform native mobile app development for iOS, Android and Windows usi... par Marcel de Vries
Cross platform native mobile app development for iOS, Android and Windows usi...Cross platform native mobile app development for iOS, Android and Windows usi...
Cross platform native mobile app development for iOS, Android and Windows usi...
Marcel de Vries4.3K vues
Release management with tfs 2013 par Marcel de Vries
Release management with tfs 2013Release management with tfs 2013
Release management with tfs 2013
Marcel de Vries2.7K vues
Leveraging the azure cloud for your mobile apps par Marcel de Vries
Leveraging the azure cloud for your mobile appsLeveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile apps
Marcel de Vries447 vues
Developing i phone, android and windows phone 7 applications with c# par Marcel de Vries
Developing i phone, android and windows phone 7 applications with c#Developing i phone, android and windows phone 7 applications with c#
Developing i phone, android and windows phone 7 applications with c#
Marcel de Vries507 vues
Cross platform mobile developement introduction par Marcel de Vries
Cross platform mobile developement introductionCross platform mobile developement introduction
Cross platform mobile developement introduction
Marcel de Vries1.5K vues
Mobile en cloud wat is de impact op ons huidige it ecosysteem par Marcel de Vries
Mobile en cloud wat is de impact op ons huidige it ecosysteemMobile en cloud wat is de impact op ons huidige it ecosysteem
Mobile en cloud wat is de impact op ons huidige it ecosysteem
Marcel de Vries590 vues

Dernier

Five Things You SHOULD Know About Postman par
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About PostmanPostman
30 vues43 diapositives
handbook for web 3 adoption.pdf par
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdfLiveplex
22 vues16 diapositives
1st parposal presentation.pptx par
1st parposal presentation.pptx1st parposal presentation.pptx
1st parposal presentation.pptxi238212
9 vues3 diapositives
Perth MeetUp November 2023 par
Perth MeetUp November 2023 Perth MeetUp November 2023
Perth MeetUp November 2023 Michael Price
19 vues44 diapositives
Report 2030 Digital Decade par
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital DecadeMassimo Talia
15 vues41 diapositives
Transcript: The Details of Description Techniques tips and tangents on altern... par
Transcript: The Details of Description Techniques tips and tangents on altern...Transcript: The Details of Description Techniques tips and tangents on altern...
Transcript: The Details of Description Techniques tips and tangents on altern...BookNet Canada
135 vues15 diapositives

Dernier(20)

Five Things You SHOULD Know About Postman par Postman
Five Things You SHOULD Know About PostmanFive Things You SHOULD Know About Postman
Five Things You SHOULD Know About Postman
Postman30 vues
handbook for web 3 adoption.pdf par Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex22 vues
1st parposal presentation.pptx par i238212
1st parposal presentation.pptx1st parposal presentation.pptx
1st parposal presentation.pptx
i2382129 vues
Perth MeetUp November 2023 par Michael Price
Perth MeetUp November 2023 Perth MeetUp November 2023
Perth MeetUp November 2023
Michael Price19 vues
Report 2030 Digital Decade par Massimo Talia
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital Decade
Massimo Talia15 vues
Transcript: The Details of Description Techniques tips and tangents on altern... par BookNet Canada
Transcript: The Details of Description Techniques tips and tangents on altern...Transcript: The Details of Description Techniques tips and tangents on altern...
Transcript: The Details of Description Techniques tips and tangents on altern...
BookNet Canada135 vues
Attacking IoT Devices from a Web Perspective - Linux Day par Simone Onofri
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri15 vues
ChatGPT and AI for Web Developers par Maximiliano Firtman
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman187 vues
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... par Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker33 vues
Voice Logger - Telephony Integration Solution at Aegis par Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma31 vues
From chaos to control: Managing migrations and Microsoft 365 with ShareGate! par sammart93
From chaos to control: Managing migrations and Microsoft 365 with ShareGate!From chaos to control: Managing migrations and Microsoft 365 with ShareGate!
From chaos to control: Managing migrations and Microsoft 365 with ShareGate!
sammart939 vues
Data-centric AI and the convergence of data and model engineering: opportunit... par Paolo Missier
Data-centric AI and the convergence of data and model engineering: opportunit...Data-centric AI and the convergence of data and model engineering: opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier39 vues
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ... par Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation25 vues
Igniting Next Level Productivity with AI-Infused Data Integration Workflows par Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software257 vues
The Research Portal of Catalonia: Growing more (information) & more (services) par CSUC - Consorci de Serveis Universitaris de Catalunya
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)
CSUC - Consorci de Serveis Universitaris de Catalunya79 vues
Spesifikasi Lengkap ASUS Vivobook Go 14 par Dot Semarang
Spesifikasi Lengkap ASUS Vivobook Go 14Spesifikasi Lengkap ASUS Vivobook Go 14
Spesifikasi Lengkap ASUS Vivobook Go 14
Dot Semarang37 vues
Kyo - Functional Scala 2023.pdf par Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil298 vues
Case Study Copenhagen Energy and Business Central.pdf par Aitana
Case Study Copenhagen Energy and Business Central.pdfCase Study Copenhagen Energy and Business Central.pdf
Case Study Copenhagen Energy and Business Central.pdf
Aitana16 vues
Top 10 Strategic Technologies in 2024: AI and Automation par AutomationEdge Technologies
Top 10 Strategic Technologies in 2024: AI and AutomationTop 10 Strategic Technologies in 2024: AI and Automation
Top 10 Strategic Technologies in 2024: AI and Automation
AutomationEdge Technologies18 vues
Tunable Laser (1).pptx par Hajira Mahmood
Tunable Laser (1).pptxTunable Laser (1).pptx
Tunable Laser (1).pptx
Hajira Mahmood24 vues

Best practices for using open source software in the enterprise

  • 1. Marcel de Vries CTO Xpirit Best Practices for Using Open Source Software in the Enterprise
  • 2. About me: Marcel de Vries mdevries@xpirit.com @marcelv http://fluentbytes.comXpirit Also regional director
  • 3. How software is built • 80% is based on components + your code + glue code => new product • Components dominantly are now open source • Build on the shoulders of giants by using free software components in your products
  • 5. Look at average ASP.NET website • ASP.NET itself • Entity framework • JQuery • Angular • Bootstrap • … 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B Source: Sonatype, Inc. analysis of (Maven) Central Repository component requests.
  • 6. The new Microsoft • Microsoft embraces open source in many areas now • Did you know Azure provides many different flavors of Linux distributions? • Did you know Microsoft open sourced important parts of their development platform? – ASP.NET MSBuild – SignalR .NET Core (CLR & FW) – Roslyn compilers WCF
  • 7. The .NET Foundation .NET API for Hadoop WebClient .NET Compiler Platform ("Roslyn") .NET Map Reduce API for Hadoop .NET Micro Framework ASP.NET MVC ASP.NET Web API ASP.NET Web Pages ASP.NET SignalR Composition (MEF2) Entity Framework Linq to Hive MEF (Managed Extensibility Framework) OWIN Authentication Middleware Rx (Reactive Extensions) Web Protection Library Windows Azure .NET SDK Windows Phone Toolkit WnsRecipe Mimekit Xamarin.Auth Xamarin.Mobile Couchbase for .NET Miguel de Icaza (Xamarin) Laurent Bugnion (IdentityMine) Niels Hartvig (Umbraco) Anthony van der Hoorn (Glimpse) Paul Betts (GitHub) Nigel Sampson (Compiled Experience) http://www.dotnetfoundation.org Mailkit System.Drawing
  • 8. Best practices in OSS for the enterprise • In the Microsoft eco system we are just getting started • How do you come up with best practices already? – Look at the eco systems that have been using OSS for a long time • E.g. Java ecosystem – My personal experience as Technology manager, CTO in terms of risk awareness • Experiences based on consulting engagements where I worked in heterogeneous environment
  • 9. Challenge to the enterprise • Developers want freedom to use open source software – It is highly encouraged by modern development tools like Visual Studio – NuGet, NPM (node), Bower, Maven, etc. • How can I empower my developers, without bringing my company at risk? • I see my .NET developer use open source now, how can I cope with this and still keep them happy?
  • 10. Open source software • What are the implications in the enterprise? What is open source? Publish open source software What are common business models? When can I publish Oss? What do I need to accept contributions? Consuming open source software What are the Licenses implications? Are there known Vulnerabilities? How well are these sources maintained? How can we keep that in control?
  • 11. What is open source anyway? “Computer software with its source code made available under a license in which the copyright holder provides the rights to study, change and distribute the software to anyone and for any purpose” St. Laurent, Andrew M. (2008). Understanding Open Source and Free Software Licensing. O'Reilly Media. p. 4. ISBN 9780596553951
  • 12. According to the Open Source Definition, the license must not: • Discriminate against persons or groups • Discriminate against fields of endeavour • Be specific to a product • Restrict other software http://opensource.org/osd What is a license?
  • 14. Copyleft License implications • Distribution triggers obligations – And in some cases using on a network also trigger obligations (AGPL) • Obligations are: • Disclosing the source code of your product; • Making your product available under that copyleft license; • Licensing your patents that read on the software. • Once your product is available under a copyleft license any recipient can use it and distribute it without charge.
  • 15. Copyleft and Cloud • In general, using modified Copy left sources do not need to be published when used in cloud solution • Cloud service is in general not considered distribution, but use of the software – So does not trigger copy left obligations • Except for following licenses: – AGPL – European Union Public License – Common Public License
  • 17. OSS Contribution Funnel • Be able to understand what it does • Can easily pick it up and use • Download • Fork / Follow / FavouriteUse • Log bugs • Answer questions • Write blog posts • Fix / add documentation • Fix typos Contribute Time • Actually contribute code patches that fix bugs / improve test cases • Contribute entirely new features • Translate • Maintain platforms Contribute Code • Become a core committer (get write access) • Accept / validate code contributions • Nurture new people • Stick around • Influence the direction of the project Own
  • 18. Publishing open source • What do you need when you want to publish open source software? • You need to know who worked on the software – Each individual is a copyright holder! – If you don’t know, you are at risk going forward, you need to chase them down • How about I publish software on my blog? – You are still the copyright holder and need to set license terms for others to be able to use it!
  • 19. A Contributor License Agreement (CLA) defines the terms under which intellectual property has been contributed to a company/project, typically software under an open source license. From Wikipedia, the free encyclopedia
  • 20. Why would I publish my product as OSS? • Open source is a proven viable business model • Company builds and contributes to the open source software • Company builds premium components they sell • Company provides premium services – e.g. SaaS versions of the product, or consulting services
  • 22. Consuming open source software Use of components creates a SOFTWARE SUPPLY CHAIN DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
  • 23. Licenses are one part of the story, but what about… HEARTBLEEDEverything was secure until, suddenly it wasn’t Introduced December 2011 Discovered April 2014 Lot of instances fixed, but still not all!
  • 24. Consuming open source software If you’re not using secure COMPONENTS you’re not building secure APPLICATIONS DEVELOPMENT BUILD AND DEPLOY PRODUCTION COMPONENT SELECTION
  • 25. You need to know what is used in your enterprise! How can we empower developers in using open source but be risk aware?
  • 26. What can we learn from the Java space? • They use artifact repositories to pull their packages from and push their packages to – Provides a single point where you can ask questions about the software • In the Microsoft ALM tools, we are used to – Use Version control repositories for our sources – Use network drop locations for our build products – Use the web to pull our packages
  • 27. Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
  • 28. When you have a repo in place, you can…. • Scan for licenses in use • Scan for known vulnerabilities • Scan for popularity
  • 29. Meet the artifact repository • There are different flavors out there – Alternatives are archiva, Artifactory, Nexus – You can look at a comparison at: http://docs.codehaus.org/display/MAVENUSER/Maven+Repository +Manager+Feature+Matrix • For my demos I am using Sonatype Nexus – The one I most commonly encountered in my engagements with customers – Supports the Microsoft Eco system with NuGet!
  • 31. Great but not all OSS comes from NuGet How can you know what is in your enterprise, because just using a proxy does not cut it?
  • 32. How to publish to repo after build By publishing your product back to the artifact repository, you can now scan your software on use of OSS
  • 33. Consuming open source software DEVELOPMENT BUILD AND PUBLISH PRODUCTION COMPONENT SELECTION
  • 35. Great! Now I have an artifact repository, how does that solve my needs?
  • 36. We need a way to scan my repository and answer my important questions
  • 38. Part of the puzzle • Artifact repositories can help you – Empower your developers to build on shoulders of giants – Analyze what is in use • Source code or binaries – Give insights in your exposure to known vulnerabilities in OSS components • There are things you need to figure out yourself – What OSS do we pick for certain parts of the system – How do you select the right component with an abundance of choice? – How do you engage with communities? – How to manage contributions to OSS?
  • 39. What we not covered • Integrating license and vulnerability scans as part of your continuous delivery pipeline • Defining policies for what you allow – Component Lifecycle Management tooling – Can plug into your build system or your delivery pipelines • People and Perception – Developer bias – Developer satisfaction – Not looking at the other side of the fence
  • 40. Summary • There is more to open source than sources • Understand licensing • Understanding the OSS ecosystem • OSS usage impacts your business • Set up a strategy to know what you are using • Artifact repository can help you solve parts of the puzzle – Make them part of your Continuous Delivery Pipeline
  • 41. Questions? • Xpirit Magazine in your TechDays bag with cool articles on e.g: – Hololens programming – Azure Service Fabric – Application Insights http://fluentbytes.com @marcelv mdevries@Xpirit.com Need help? Contact us