Social Code Scanning
2017-05-24 Barcelona
Maurizio Pillitu
Devops Director, Symphony Software Foundation
@maoo maoo@symphony.foundation
Analysing code, together
Social Code Scanning - our first event!
✓ What is it
Hands-on-code workshop to analyse the quality, security and legal aspects of your code
Quick intro on how to analyse and measure
Networking, pizza and beers are on us
✓ Who’s behind
Organised by the Symphony Software Foundation
Hosted by CodeWorks Barcelona
✓ Requirements - none
1/23
The Symphony Software Foundation
✓ Non-profit organisation to foster an open source community and developer ecosystem for the financial services
✓ Leverages Symphony* and other open source platforms to drive inter-firm collaboration
✓ Open
Governance - Board of Directors, Engineering Steering Committee
Standards - Working Groups
Source - github.com/symphonyoss
2/23
Today’s takeaways
1. Understand
If/when to analyse your code
Common scenarios
2. Try
Analysing your code
Commonly adopted tools
3. Ask
Share doubts, questions
3/23
Why analyze code?
1. To know your codebase
Your code is a puzzle, few tiles are actually made by you
Code modularity constantly increases (more, smaller tiles)
Platforms and technologies (i.e. runtimes) evolve fast, opening the door to new potential exploits
Open source constitutes a massive tile repository, publicly available
2. Your customers (or consumers) deserve to know
Nobody wants to consume insecure/buggy code
Highly-regulated (e.g. financial services) and mission-critical (e.g. aerospace) industries cannot afford quality/security/legal exposure #dealbreaker
4/23
Security
Why measure security?
1. Protect your data #atrest #intransit
2. Protect your servers
3. ...
5/23
What to measure
1. Query CVE databases
http://cve.mitre.org/
https://www.exploit-db.com/ #offsec #kalilinux #mrrobot
https://nvd.nist.gov/ #usgov
2. Code patterns
http VS https
Hardcoded keys and passwords
Anti-patterns
6/23
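The "code patterns" item above (http vs https, hardcoded keys and passwords) is the kind of check a scanner such as SonarQube automates. As an added illustration that is not part of the slides, and not the code of any tool named in them, here is a minimal pattern scanner over constructed sample source; every identifier in it is the example's own.

```javascript
// Added example: flag two of the patterns listed on the slide, plaintext http:// URLs and
// string literals assigned to credential-like names. A teaching aid, not a full SAST tool.

// Identifiers whose string-literal assignment is likely a hardcoded secret.
const SECRET_NAME = /\b(password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)\b/i;
// Assignment or object key with a non-empty string literal: name = "value", name: 'value'.
const STRING_ASSIGN = /\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(['"])([^'"]{4,})\2/g;
// Plaintext URL, excluding loopback addresses that are normally acceptable in dev config.
const PLAIN_HTTP = /\bhttp:\/\/(?!localhost|127\.0\.0\.1)[^\s'"`]+/g;
// Values that are clearly placeholders (templated, angle-bracketed, or obvious dummies).
const PLACEHOLDER = /^(\$\{.*\}|<.*>|changeme|xxx+|dummy|example)$/i;

// Scan one source line and return a list of findings for it.
function scanLine(line, lineNo) {
  const findings = [];
  if (/^\s*(\/\/|#|\*)/.test(line)) return findings; // comment-only lines are skipped
  for (const m of line.matchAll(PLAIN_HTTP)) {
    findings.push({ line: lineNo, type: 'plaintext-http', value: m[0] });
  }
  for (const m of line.matchAll(STRING_ASSIGN)) {
    const [, name, , value] = m;
    if (SECRET_NAME.test(name) && !PLACEHOLDER.test(value)) {
      findings.push({ line: lineNo, type: 'hardcoded-secret', value: name });
    }
  }
  return findings;
}

// Scan a whole source text; line numbers are 1-based.
function scanSource(source) {
  return source.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed sample source written for this example (no real keys or hosts).
const SAMPLE = [
  "const API_BASE = 'http://api.example.test/v1';",
  "const apiKey = 'CONSTRUCTED-SAMPLE-KEY-1234';",
  "const dbPassword = process.env.DB_PASSWORD;",
  "// password = 'only-in-a-comment'",
  "const config = { token: '${VAULT_TOKEN}', health: 'http://localhost:8080/health' };",
  "const SAFE_BASE = 'https://api.example.test/v1';",
].join('\n');

// Human-readable report, one line per finding.
function report(source) {
  return scanSource(source).map(f => `${f.line}: ${f.type} (${f.value})`);
}

console.log(report(SAMPLE).join('\n'));
```

Only the plaintext API base URL and the `apiKey` literal are reported; the env-sourced password, the templated token and the loopback health URL are not.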
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
7/23
Quality
Why measure quality?
1. Know when quality lowers (and where)
2. Say bye to regressions
3. Focus on (new) code #boostproductivity
4. ....
8/23
What to measure
1. Project
Activity
Commits (codebase activity)
Bugs - Opened VS Fixed
Inter-firm collaboration #bus-factor
Documentation
User manual
Installation manual
Roadmap
9/23
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
10/23
Legal
Why care about legal compliance?
1. Respect the rights of open source contributors
a. Appropriate attribution
b. Reciprocal (copyleft) licensing requirements
2. Avoid intellectual property infringement
a. Copyrights
b. Patents
3. Demonstrate due diligence (aka build trust)
a. Targeted for highly regulated industries #consumption #contribution
11/23
What to measure
1. Outbound - choose the right license
a. Proprietary
b. Open source
i. Permissive
ii. Copyleft
iii. Weak copyleft
iv. Public domain
2. Dependencies Inbound (for bundled software)
12/23
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
2. Automated/continuous scanning
BlackDuck / OpenHub
Fossa
WhiteSource
VersionEye
13/23
Open source common misunderstandings
1. It’s public on GitHub, no license is defined, ergo it’s open source
■ Quite the opposite, as no license defaults to "all rights reserved", including use and redistribution for personal and commercial purposes
2. No license is defined… contributions are welcome!
■ Without a contribution policy, the license sets the terms for collaboration
3. I defined a LICENSE file, I’m fine
■ If you use dependencies, you must check their licenses and make sure they don’t conflict with your outbound license
4. I have 2 direct dependencies and their license is ok, I’m fine
14/23
Wrapping up
General remarks
1. Keep it simple
2. Understand requirements
3. Manage expectations
4. Use the right tool…
Useful resources
symphonyoss.atlassian.net/wiki
choosealicense.com
15/23
Let’s see some action!
Google Map Polygon Filter
React component that lets the user draw a draggable polygon on a Google Map and extracts the locations within that area.
18/23
Google Map Polygon Filter
Scanning with VersionEye
19/23
Google Map Polygon Filter
bcrypt-pbkdf - upgrade to 1.0.1
20/23
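The license misunderstandings slide (a LICENSE file is not enough; two clean direct dependencies say nothing about what they pull in) and the dependency upgrade that the VersionEye scan surfaced here are both questions about the transitive dependency tree. The following is an added example, not code from the slides or from VersionEye: it walks a constructed tree, classifies each inbound license against the chosen outbound license class, and matches versions against a constructed list of minimum-version advisories. The license classification policy, package names and advisory entries are assumptions made for the example; only `bcrypt-pbkdf` and its target `1.0.1` come from the slide.

```javascript
// Added example: audit a dependency tree for license conflicts and outdated versions.

// License classes as the deck lists them (assumed SPDX mapping for this example).
const LICENSE_CLASS = {
  'MIT': 'permissive', 'Apache-2.0': 'permissive', 'BSD-3-Clause': 'permissive',
  'CC0-1.0': 'public-domain', 'Unlicense': 'public-domain',
  'LGPL-2.1': 'weak-copyleft', 'MPL-2.0': 'weak-copyleft',
  'GPL-3.0': 'copyleft', 'AGPL-3.0': 'copyleft',
};

// Assumed policy for bundled dependencies: copyleft inbound conflicts with a non-copyleft
// outbound; weak copyleft needs review; no license means "all rights reserved" (slide 18).
function classify(license, outboundClass) {
  if (!license) return 'conflict: no license (all rights reserved)';
  const cls = LICENSE_CLASS[license];
  if (!cls) return `review: unknown license ${license}`;
  if (cls === 'copyleft' && outboundClass !== 'copyleft') return `conflict: ${license} is copyleft`;
  if (cls === 'weak-copyleft' && outboundClass !== 'copyleft') return `review: ${license} is weak copyleft`;
  return null;
}

// Minimal "x.y.z" comparison (assumption: no pre-release or build tags).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Depth-first walk; `path` records how a transitive dependency was pulled in, which is
// what you need to know when the offending package is not one of your direct dependencies.
function audit(node, outboundClass, advisories, path = [], out = { license: [], outdated: [] }) {
  const here = [...path, `${node.name}@${node.version}`];
  const via = here.join(' > ');
  if (path.length > 0) { // the root node is the project itself, not an inbound dependency
    const verdict = classify(node.license, outboundClass);
    if (verdict) out.license.push({ via, verdict });
    for (const adv of advisories) {
      if (adv.name === node.name && cmpVersion(node.version, adv.minVersion) < 0) {
        out.outdated.push({ via, upgradeTo: adv.minVersion });
      }
    }
  }
  for (const dep of node.dependencies || []) audit(dep, outboundClass, advisories, here, out);
  return out;
}

// Constructed tree: both direct dependencies carry permissive licenses, but one of them
// pulls in a GPL package and an old bcrypt-pbkdf two levels down.
const TREE = {
  name: 'polygon-filter', version: '1.0.0', license: 'Apache-2.0', dependencies: [
    { name: 'react', version: '15.5.4', license: 'MIT' },
    { name: 'map-helpers', version: '2.1.0', license: 'MIT', dependencies: [
      { name: 'geo-core', version: '0.3.0', license: 'GPL-3.0' },
      { name: 'ssh-utils', version: '1.2.0', license: 'MIT', dependencies: [
        { name: 'bcrypt-pbkdf', version: '1.0.0', license: 'BSD-3-Clause' },
      ] },
    ] },
  ],
};
// Constructed advisory list; a real scan would draw this from the CVE/NVD feeds on slide 8
// or from an outdated-version report such as the VersionEye one shown in the deck.
const ADVISORIES = [{ name: 'bcrypt-pbkdf', minVersion: '1.0.1' }];

console.log(JSON.stringify(audit(TREE, 'permissive', ADVISORIES), null, 2));
```

With a permissive outbound license the report lists one conflict (`geo-core`, reached through `map-helpers`) and one upgrade (`bcrypt-pbkdf` to 1.0.1); with a copyleft outbound license the GPL conflict disappears while the upgrade remains.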
Traffic Alarm
React Native alarm that adapts to the traffic situation
21/23
Traffic Alarm
Scanning with VersionEye
https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses
22/23
Traffic Alarm
Reading GoogleMaps Terms of Service
23/23
Thanks!
Maurizio Pillitu
Devops Director, Symphony Software Foundation
@maoo maoo@symphony.foundation
