1. The Black Duck Suite: Enabling Faster, Lower Cost Innovation with Open Source Software
Black Duck Software
2. Agenda
Copyright © 2010 Black Duck Software, Inc. All Rights Reserved.
Market Dynamics and Challenges
Meeting the Challenges
Overview of the Black Duck Suite
Summary
3. Evolution of Software Development
Era      Focus                              Scope
1980's   Code Design                        Individual Software Developer
1990's   Application Life Cycle Management  Single Enterprise; Project Team Collaboration
2000's   Component-Based Development        Development Ecosystem
4. The Promise of Open Source
The Promise
– Significantly reduce development costs – up to 90% – and accelerate time to market
– Billions of lines of available code
The Challenges
– Management
– Compliance
– Security
Realize the promise while eliminating the challenges: The Black Duck Solution...
5. Black Duck Enables Multi-Source Development
Diagram: YOUR COMPANY's Software Application is assembled from Open Source Software (contributed by Individuals, Universities and Corporate Developers), Internally Developed Code, Outsourced Code Development and Commercial 3rd-Party Code; the arrows between the sources and the application are labelled Code and Obligations.
6. Development Challenges Using Open Source at Scale
Management
– Leverage the right software from many sources
– Increase productivity using component software
– Encourage standardization of components & versions
– Deliver timely support
Compliance & Security
– Comply with open source policies
– Manage licensing and associated obligations
– Comply with export regulations
– Track security vulnerabilities
Formal control of open source software lags adoption: 58% of companies surveyed do not have formal policies or guidelines for OSS
Source: 451 Group, December 2009
7. Risks of Unmanaged Code
Loss of Intellectual Property
License Rights and Restrictions
Contractual Obligations
Injunctions
Export Regulations
Security Vulnerabilities
Software Defects
Escalating Support Costs
8. The Story of Cisco’s Software Supply-Chain
Copyright © 2007 Black Duck Software, Inc. All Rights Reserved. Confidential and Proprietary.
Diagram (the company logos identifying each party are not reproduced), in sequence:
– used GPL code to customize Broadcom’s standard Linux distribution
– embedded the code in one of its chipsets
– adopted this technology into its WRT54G wireless broadband router
– bought for $500M in 2003
– FSF accused Cisco of a license violation
– Source code made available by
– Developers modified firmware, turning a low-end ($60) device into a high-function router
The story continues...
9. Risks of Open Source and Other Cases
Risks: Infringement; Valuation; Negative publicity; New revenue; Support costs; Vulnerability
Cases (company logos not reproduced): VOIP Phone; Wireless Router; GPS Navigation; Network Attached Storage; WiMax, other; iPhone WIP300; Home Hub Router
10. Even Large, Well-Run Software Companies Have Challenges: Microsoft Windows 7 GPL Violation
The Windows 7 USB/DVD Tool violated the GPLv2 license
• Code was “multi-source,” including code from an external supplier with OSS
• Microsoft pulled the product from the Microsoft Store, then announced it is making the source code and binaries available
Takeaways:
• Even big companies make mistakes
• OSS can enter from many sources
• It’s difficult to manage OSS without both process and technology
11. Google Security Flaws
(Screenshot not reproduced.) These vulnerabilities were discovered within 24 hours of release
Easily avoided with the right solution
12. Proactive and Controlled Use of Open Source
Cost of defects
– Minimal when issues are detected early in the lifecycle
– Grows 100-1,000X late in the lifecycle
Invest time and process to choose good code up front vs. fixing problems later
Capers Jones, Applied Software Measurement: Assuring Productivity and Quality, 1999.
14. Meeting the Challenges of Using Open Source
What if...
You could automate manual approval processes and empower team members to collaborate?
– Bring together legal, development, executive staff, others
You could automate discovery and validation to manage risk and ensure compliance?
– Know what’s in your code base
– Validate the software bill of materials (BoM) before shipping
– Know the origins of external code
Development had a catalog of pre-approved components?
– Eliminate unnecessary, redundant requests and approvals
– Know and track where components are used
Finding the right open source was fast and easy?
– Quality, maturity
– Version
– Understanding license obligations
– Dependencies
15. Black Duck Helps Unleash the Potential of Open Source Software
Workflow and approval for multi-user team collaboration with role-based access control
– Eliminate approval delays, enhance group productivity
Automatically scan the code base to identify open source and uncover hidden license obligations
– Ensure compliance and confidently manage software origins and obligations
Catalog of pre-approved components
– Saves time and effort
– Encourages standardization and re-use
Industry’s most comprehensive open source KnowledgeBase
– Enables fast, easy search and selection of open source software
16. Case Study: InfoPrint Solutions
“We chose Black Duck automation to improve productivity by supporting our software license approval processes, code validation and security alert processes. And more importantly, it gives us the highest confidence that we are in compliance with the licenses for the open source software embedded in our products.”
– Mike Munger, Senior Technical Staff Manager, InfoPrint Solutions Company
Why InfoPrint chose Black Duck
Problem
– Identify open source software
– Automate approval process
– Monitor security vulnerabilities on open source components
Solution
– Black Duck Code Center for approval automation
– Black Duck Protex servers validating BOMs and performing license discovery
Benefits
– Manages legal risk
– Enables collaboration around open source approvals
– Streamlines processes
17. Case Study: Intel Corporation
“We selected Black Duck because its knowledge base of open source software and the maintenance of that knowledge base were more robust than other solutions—and the more robust the knowledge base, the lower the risk that licensed software will be used inappropriately.”
Why Intel chose Black Duck
Problem
– Identify open source software
– Automate verification and compliance
– Improve collaboration between functions (development, legal, management, etc.)
Solution
– Black Duck Protex servers deployed globally, integrated with development tools
Benefits
– Identifies software conflicts early
– Reduces rework
– Lowers risk of legal issues
18. Enabling Multi-Source Development Across the Application Lifecycle
Manage the risks and maximize the compelling benefits of multi-source development
Integrates with existing development tools and processes
Solves the three main challenges associated with multi-source development: Management, Compliance, Security
19. Management, Compliance, Security
Management
– Create and share a catalog of approved components
– Configurable, role-based approval workflow
– Authentication and role-based access control for individual enterprise users
– Comprehensive code and component search and selection
Compliance
– Automate code discovery, validation, audit
– Ensure compliance with regulations and company policies
– Manage and control software versions, origins & obligations (open source and other code)
Security
– Monitor known security vulnerabilities
– Automatic updates to catalog with real-time alerts; track “where used”
– Ensure selection of most secure open source components
20. Application Lifecycle
Diagram: lifecycle phases Conceptualize, Define, Design, Develop, Build, Test, Deploy, with the suite's activities mapped across them: Search & Select, Approve, Validate Compliance, Scan/Analyze, Audit & Maintain. Management, Compliance, Security span all phases.
21. (Untitled diagram slide)
Diagram: the KnowledgeBase (Open source, Code prints, Vulnerabilities, Binaries) feeds the Development Catalog. Developers Search & Select Approved Components and raise Component Requests; the Automated Workflow routes Approval through IT, Security, Legal, Management and Quality against Company Policies. Build, Test Systems Scan & Validate the Software Bill of Materials; Production Systems Audit & Maintain; SCM is integrated.
22. Comprehensive Code Search
Find and re-use OSS and existing code across multiple repositories
Improve quality by more easily tracking down bugs/defects across the enterprise
Diagram: Code Search draws on Internal sources (Catalog, SCM, Files) and External sources (Black Duck KnowledgeBase, Koders.com), returning Source code and Component Attributes.
23. The Black Duck Suite - Architecture
Scalable enterprise architecture
Modular design
Customizable
Extensible
Browser-based for anywhere, any time access
Integrates with existing ALM infrastructure
Layers: KnowledgeBase; SDK; Core Framework; UI Framework
24. Supporting Enterprise Collaboration
25. Typical Deployment of the Black Duck Suite
Centralized approval with decentralized scanning & validation
Diagram: many source code repositories, each with local Scanning and Validation, feeding a single central Approval point.
26. The Black Duck KnowledgeBase
The Foundation of the Black Duck Suite
Open Source Software: the industry’s most comprehensive open source database
– Tens of billions of lines of code
– From over 4,500 sites
– Released under 1,800+ unique licenses
– 39,000+ security vulnerabilities
– 450+ cryptographic algorithms
Extensive metadata
– Name, description, versions, URL
– License, programming language, OS
– National Vulnerability Database
– Cryptography
– Code Prints of source/binary
– Other information
Uniquely addresses the “long tail” of OSS projects
Patented search & pattern-matching technologies
Continuously expanded
Custom Code Printing to add proprietary code
Daily security vulnerability alerts
Automated Metadata Updates issued ~2x month
28. OSS & Code Management
Faster and lower cost application development
Make better choices on the front-end of the development process (100X less costly than fixing a defect later)
Increased reuse of good code – open source, licensed from 3rd parties
Authentication and access control for individual enterprise users
Avoidance of…
– License problems
– Version uncertainties
– Security vulnerabilities
Diagram: the KnowledgeBase (built from SourceForge, RubyForge, Eclipse.org, Apache.org, etc.) feeds the Developer Catalog; the Open Source Approval Flow involves Developers, Security, IT, Legal, Management, Quality and Approval Boards, and Alerts are issued from the KnowledgeBase.
29. Compliance
Confidently manage software origins & obligations
Audit code base against approved components
Simplify code reviews and 3rd party licensing
Reduce costs while improving accuracy
Diagram: Developers’ Projects on the Application Server (Open Source, Third Party Code, Internal Code) are matched against the KnowledgeBase for Licenses, producing a Bill of Materials; License Conflicts go through the Automated Workflow to the Review Board.
30. Compliance: Encryption & Export Regulations
Find cryptographic code embedded in complex software
Automate compliance with encryption export policy and regulations
Simplify BIS/NSA notification and licensing
Generate audit and document compliance reports
Diagram: CryptoBase; Developers; Compliance Report.
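The slide says the suite finds cryptographic code embedded in complex software but does not say how. The example below, added here and not Black Duck code (CryptoBase's matching is proprietary), shows the standard technique: scan a firmware image or any byte blob for the leading entries of an algorithm's public constant tables (AES S-box, SHA-256 K[] and H0, MD5 T[]), in both byte orders so one pass covers little- and big-endian targets. The sample image, the table names and the offsets are constructed for the demonstration.

```python
"""Locate table-driven cryptographic algorithms in a firmware image or any
byte blob by matching the leading bytes of their public constant tables.
Added example, not Black Duck code (CryptoBase's matching is proprietary);
the sample image below is constructed."""
import struct

# Leading entries of well-known constant tables.  The values are public:
# FIPS-197 AES S-box, FIPS 180-4 SHA-256 K[] and H0, RFC 1321 MD5 T[].
AES_SBOX_PREFIX = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
SHA256_K_PREFIX = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)
SHA256_H0 = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a)
MD5_T_PREFIX = (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee)


def compile_signatures():
    """Return {algorithm: [byte pattern, ...]}.  Word tables are emitted in
    both byte orders so one scan covers x86/ARM (little-endian) and
    big-endian MIPS/PowerPC images alike."""
    sigs = {"AES (S-box)": [AES_SBOX_PREFIX]}
    for name, words in (("SHA-256 (K table)", SHA256_K_PREFIX),
                        ("SHA-256 (initial hash)", SHA256_H0),
                        ("MD5 (T table)", MD5_T_PREFIX)):
        fmt = "%dI" % len(words)
        sigs[name] = [struct.pack("<" + fmt, *words),
                      struct.pack(">" + fmt, *words)]
    return sigs


def find_crypto(blob):
    """Return sorted (offset, algorithm) pairs for every signature hit,
    including repeated copies of the same table."""
    hits = set()
    for name, patterns in compile_signatures().items():
        for pat in patterns:
            pos = blob.find(pat)
            while pos >= 0:
                hits.add((pos, name))
                pos = blob.find(pat, pos + 1)
    return sorted(hits)


def report(blob):
    """Human-readable lines, one per hit, for the compliance report."""
    return ["0x%08x  %s" % (off, name) for off, name in find_crypto(blob)]


# Constructed sample image: filler (a rising byte ramp, no crypto constants),
# an AES S-box (first 16 bytes real, remainder zeroed), a little-endian
# SHA-256 K[] prefix and a big-endian SHA-256 H0.
FILLER = bytes(range(256)) * 2
SAMPLE_IMAGE = (FILLER[:300]
                + AES_SBOX_PREFIX + bytes(240)          # S-box at offset 300
                + FILLER[:100]
                + struct.pack("<4I", *SHA256_K_PREFIX)   # K[] at offset 656
                + FILLER[:50]
                + struct.pack(">4I", *SHA256_H0))        # H0 at offset 722

if __name__ == "__main__":
    for line in report(SAMPLE_IMAGE):
        print(line)
```

Constant matching only finds table-driven implementations: bit-sliced code, hardware-accelerated paths (AES-NI) and implementations that reorder or compute their tables carry no such signature, and a table can also appear in a binary for a non-cryptographic reason. A hit therefore establishes that an algorithm is present, not its key length, mode or purpose, so it should start the export classification review rather than replace it.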
31. Security Vulnerability Management
Make informed choices early in the process to ensure selection and use of the most secure open source components
Catalog of approved components is automatically updated
Monitor security vulnerabilities
– Daily security alerts routed to customers
– Automatic alerts are sent to the appropriate owner for all components based on “where used”
Diagram: KnowledgeBase Alerts for components (e.g., Apache Tomcat, Struts, MySQL) reach the Developer Catalog of Approved Components and the Approval Flow; Where Used maps each alert to Management Alerts.
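Slides 15, 19 and 29 describe scanning a code base to identify open source and validating the bill of materials before shipping, and this slide describes routing vulnerability alerts to owners by "where used". The example below, added here and not Black Duck code, runs that pipeline end to end on a constructed code base. Its "code prints" are SHA-256 over whitespace-stripped source, a deliberate simplification of Black Duck's proprietary matching; the knowledge base, approved catalog, license policy, vulnerability feed, file contents and owner addresses are all constructed, and the EXAMPLE-VULN identifiers are placeholders, not CVE numbers.

```python
"""Discovery -> bill of materials -> policy check -> vulnerability alerting
routed by 'where used'.  Added example, not Black Duck code.  The code
prints are SHA-256 over whitespace-stripped source, a stand-in for Black
Duck's proprietary matching, and every file, component, catalog entry,
policy rule and vulnerability record below is constructed (the EXAMPLE-VULN
identifiers are placeholders, not CVEs)."""
import hashlib
import re
from collections import defaultdict


def code_print(source):
    """Fingerprint a file ignoring whitespace, so a reformatted copy of an
    OSS file still matches its origin."""
    return hashlib.sha256(re.sub(rb"\s+", b"", source.encode())).hexdigest()


# Constructed knowledge base: code print -> (component, version, license).
_KB_SOURCES = {
    "int add(int a,int b){return a+b;}": ("libfoo", "1.2.0", "GPL-2.0"),
    "def parse(s): return s.split(',')": ("csvlite", "0.9", "MIT"),
}
KNOWLEDGE_BASE = {code_print(src): meta for src, meta in _KB_SOURCES.items()}
# Constructed approved-component catalog: component -> approved versions.
CATALOG = {"csvlite": {"0.9", "1.0"}}
# Constructed policy: licenses that may not ship in this proprietary product.
FORBIDDEN_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
# Constructed NVD-style feed: (component, affected version, identifier).
VULN_FEED = [("csvlite", "0.9", "EXAMPLE-VULN-0001"),
             ("libfoo", "1.2.0", "EXAMPLE-VULN-0002")]


def build_bom(files):
    """files: {path: source}.  Return {(component, version, license): [paths]}
    for every file whose code print is in the knowledge base.  Unmatched
    files are treated as internal code and stay out of the BOM."""
    bom = defaultdict(list)
    for path, source in sorted(files.items()):
        meta = KNOWLEDGE_BASE.get(code_print(source))
        if meta:
            bom[meta].append(path)
    return dict(bom)


def validate_bom(bom):
    """Pre-ship gate: each component must be an approved version in the
    catalog and carry a license the policy allows.  Returns the violations."""
    problems = []
    for (comp, ver, lic), paths in bom.items():
        if ver not in CATALOG.get(comp, set()):
            problems.append("%s %s not in approved catalog (%s)"
                            % (comp, ver, ", ".join(paths)))
        if lic in FORBIDDEN_LICENSES:
            problems.append("%s %s is %s: forbidden by policy" % (comp, ver, lic))
    return problems


def route_alerts(bom, owners):
    """owners: {project: owner}, where project is the first path segment.
    Match the feed against the BOM and deliver each alert to the owner of
    every project that uses the affected component ('where used')."""
    alerts = defaultdict(set)
    for comp, ver, vuln_id in VULN_FEED:
        for (bcomp, bver, _lic), paths in bom.items():
            if (bcomp, bver) != (comp, ver):
                continue
            for path in paths:
                owner = owners.get(path.split("/", 1)[0], "unowned")
                alerts[owner].add("%s: %s %s in %s" % (vuln_id, comp, ver, path))
    return {owner: sorted(msgs) for owner, msgs in alerts.items()}


# Constructed code base: two projects sharing one reformatted OSS file, one
# GPL file copied into billing, and an internal file that matches nothing.
SAMPLE_FILES = {
    "billing/util/math.c": "int add(int a, int b) {\n    return a + b;\n}",
    "billing/util/csv.py": "def parse(s):\n    return s.split(',')",
    "portal/lib/csv.py": "def parse(s): return s.split(',')",
    "portal/app.py": "print('internal only')",
}
OWNERS = {"billing": "billing-team@example.com",
          "portal": "portal-team@example.com"}

if __name__ == "__main__":
    bom = build_bom(SAMPLE_FILES)
    for meta, paths in bom.items():
        print("BOM:", meta, paths)
    for problem in validate_bom(bom):
        print("BLOCK:", problem)
    for owner, msgs in route_alerts(bom, OWNERS).items():
        print("ALERT ->", owner, msgs)
```

Two points the slides leave implicit are visible here. First, whitespace-insensitive fingerprinting is what lets a scan catch a copied-and-reformatted file that a plain checksum would miss; a production matcher also has to survive renamed identifiers and partial copies, which this stand-in does not. Second, the same where-used index that tells a developer which projects consume a component is what turns a daily feed into a targeted alert, so an alert for a component used by two projects goes to both owners rather than to a central inbox.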
32. Enterprise Code Search for Software Developers
Fast search and increased visibility
Integration with development tools / SCMs
Proven scalability to billions of lines of code
Diagram: Developers run Code Search over an Internal Code Index built from SCM (CVS, Subversion) and the File System.
33. Black Duck Suite Summary
Features / Benefits
Completeness: Covers key processes – search, select, approve, validate and monitor; provides the industry’s most comprehensive knowledge base of OSS
Automation: Improves efficiency and speed in development and approval processes; ensures compliance with company policies
Collaboration: Enables stakeholders – development, legal, security, IT, trade compliance and others – to work together to achieve shared objectives
Scalability: “Enterprise-class” scalability, configurability, extensibility, and access-controlled security; meets the needs of the largest software development organizations
Integration: SDK with web services API; integrates with existing developer tools; certified “Ready for Rational”
34. Why Black Duck
Pioneered the open source code analysis market in 2002
Leadership products and services for managing open source throughout the application life-cycle
Most comprehensive KnowledgeBase of open source software in the industry
Most experienced vendor with largest customer base
Responsive 24x7 support, global presence
Editor's Notes
In the very early days of computing, product offerings seeking to improve developer productivity focused on tools for code design that could be used by the individual developer. For example, the first version of Turbo Pascal appeared in 1983.
As the industry matured, the focus of innovation grew to facilitate the collaboration of groups of developers. For example, the (then revolutionary) revision management tool ClearCase was released by Atria Software in 1992.
Today, it’s the rare application that’s developed and coded from the ground up exclusively by internal resources. In the world of component-based development, where “reuse” is the mantra, developers are looking at a variety of sources of code; both internal and external. External sources of code are suppliers, partners and the open source community. We term the blending of the internal and external sources of code “the development ecosystem.” This brings us to the most recent (rightmost) stage in the history of innovation aimed at developer productivity which takes place in the era of component-based development.
While Black Duck does not make open source software, we help our customers realize the promise it offers while minimizing or eliminating the challenges and risks associated with it.
The challenges arise from mixing code from different sources: partner code, open source, internal code and vendor sourced. Each of these sources could be managing its own separate version of a code component. They could be incorporating conflicting software licenses into the code base. The code could have unexpected dependencies. The software ‘integrator’ is on the hook for robust and timely support, but the support model for open source code is an area that people must think about explicitly. Code from the development ecosystem could have varying levels of quality – some of it is great, some of it, not so great.
If an organization implements compliance, it may involve many approval boards. The danger of thorough compliance is that it can be time consuming, slow to react and bureaucratic. Yet, it is a necessary part of software development in today’s complex and changing landscape.
Many great companies have had bad things happen to them because they did not address the need for governance in their software supply chain.
Loss of Intellectual Property: Cisco was forced to open source some code and ultimately lost control over a product line. Impact was probably millions in lost revenue. See the support slide on this.
License rights and restrictions
Contractual obligations
Injunctions: When Monsoon Multimedia was sued by the Software Freedom Law Center, the suit requested an injunction (stop ship) on their product. This would be devastating for a business.
Export regulations
Security vulnerabilities
Software defects
Escalating support costs: Version proliferation
Continuously Expanded (sub-bullets): Updated 9/9/08
Significant investment in automated tools
Site mirrors for popular sites
Open Source Licenses
GPL
LGPL
Apache
BSD
CPL
Creative Commons
Eclipse
Microsoft
MIT
Sun
Open Source Sites
Apache.org
Eclipse.org
Kernel.org
Sun.com
RubyForge.org
Asterisk.com
PlanetSourceCode.com
Zope.org
GNU.org
CPAN.org
MySQL.com
SourceForge.net