Palamida Open Source Compliance Solution

2. 1995
F22 software (avionics only)
~1.7M LOC
Copyright © 2012 Palamida, Inc.
3. 2012
“It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway”
(IEEE Spectrum, February 2009. Image: General Motors)
For comparison: F22 software (avionics only), 1995: ~1.7M LOC
4. New Ways of Composing Services
Cloud Computing … a style of computing in which massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers.
Definition: Gartner Group
9. And with… Smaller Budgets
10. Today’s Reality…
A software development organization cannot be competitive without widespread use of open source.
11. Gartner OSS Predictions
• By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.
• By 2014, 50% of Global 2000 organizations will experience technology, cost and security challenges through lack of open-source governance.
• By 2015, OSS will be used and adopted to help enable over 60% of platform-as-a-service (PaaS) services.
• By 2014, 30% of applications running on proprietary versions of Unix will be migrated to OSS-based Linux on x86.
• By 2014, those organizations with effective, open-source community participation will consistently deliver high returns from their open-source investments.
• By 2013, up to 50% of Global 2000 non-IT enterprises will contribute to at least one OSS project.
• By 2016, 50% of leading non-IT organizations will use OSS as a business strategy to gain competitive advantage.
Source: Gartner, “Predicts 2011: Open-Source Software, the Power Behind the Throne”, 23 November 2010, ID: G00209180
12. Typical Software Project Metrics
• 2.9 GB
• 87,863 Files
• 8,535,345 LOC
• Copyright holders – ~350
• Binaries/Archives/JARS – 1207
What is This Software Project Trying To Tell You?
13. There is probably a lot of content that you don’t know about
Audit Example
• Size: 15.9 GB, 59.1M LOC
• Documented open source components: 303
• Undocumented open source components: 535
• Total: 838
• % LOC from open source: 60-65%
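The 303-versus-838 gap above is found the same way every time: inventory what the build tree actually contains, then diff it against the list the team believes is there. The script below is an added example, not Palamida's tooling. It builds a constructed tree of JARs (the component names, versions and manifests are made up for the demonstration), identifies each JAR from its `META-INF/MANIFEST.MF` or, failing that, from its file name, and reports which components the declared list never mentioned.

```python
"""Reconcile a declared open-source component list against the JARs actually
present in a build tree.  Added example; not Palamida's product or code."""
import pathlib
import re
import tempfile
import zipfile

# Constructed sample: what the team *thinks* ships (the "documented" list).
DECLARED = ["log4j", "commons-logging", "spring-core"]


def write_jar(path, manifest=None):
    """Write a minimal JAR (a zip) with an optional META-INF/MANIFEST.MF."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        if manifest is not None:
            z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("placeholder.class", b"")


def build_sample_tree(root):
    """Constructed build output: three documented JARs plus two nobody catalogued."""
    root = pathlib.Path(root)
    write_jar(root / "lib/log4j-1.2.17.jar",
              "Manifest-Version: 1.0\nImplementation-Title: log4j\nImplementation-Version: 1.2.17\n")
    write_jar(root / "lib/commons-logging-1.1.1.jar",
              "Manifest-Version: 1.0\nImplementation-Title: commons-logging\nImplementation-Version: 1.1.1\n")
    write_jar(root / "lib/spring-core-3.0.5.RELEASE.jar",
              "Manifest-Version: 1.0\nImplementation-Title: spring-core\nImplementation-Version: 3.0.5.RELEASE\n")
    # Pulled in transitively; has a manifest but was never added to the notices file.
    write_jar(root / "lib/struts-1.2.9.jar",
              "Manifest-Version: 1.0\nImplementation-Title: struts\nImplementation-Version: 1.2.9\n")
    # Copied in by hand with no manifest at all: only the file name identifies it.
    write_jar(root / "tools/xercesImpl-2.9.1.jar", manifest=None)
    return root


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into a lowercase-key dict.
    Continuation lines (leading space) are joined, as the JAR spec requires."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                      # blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, val = line.split(":", 1)
            key = key.strip().lower()
            attrs[key] = val.strip()
    return attrs


# Fallback when there is no manifest: "name-1.2.3.jar" style file names.
FILENAME_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.\-]*)\.jar$", re.I)


def jar_identity(path):
    """Best-effort (name, version) for one JAR: manifest first, file name second."""
    with zipfile.ZipFile(path) as z:
        try:
            attrs = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        except KeyError:
            attrs = {}
    name = attrs.get("implementation-title") or attrs.get("bundle-symbolicname")
    version = attrs.get("implementation-version") or attrs.get("bundle-version")
    if not name:
        m = FILENAME_RE.match(path.name)
        name, version = (m["name"], m["ver"]) if m else (path.stem, None)
    return name, version


def inventory(root):
    """Every JAR under root, identified. Nested archives (JAR inside WAR/EAR) are
    not opened here; a real audit has to recurse into them too."""
    return {jar_identity(p) for p in pathlib.Path(root).rglob("*.jar")}


def reconcile(declared, found):
    """Split the discovered inventory into documented and undocumented components,
    and list declared components that were not found at all."""
    def by_name(c):
        return (c[0].lower(), c[1] or "")
    declared_lc = {d.lower() for d in declared}
    found_lc = {name.lower() for name, _ in found}
    documented = sorted((c for c in found if c[0].lower() in declared_lc), key=by_name)
    undocumented = sorted((c for c in found if c[0].lower() not in declared_lc), key=by_name)
    never_seen = sorted(d for d in declared if d.lower() not in found_lc)
    return documented, undocumented, never_seen


def audit_sample():
    """Run the reconciliation over the constructed tree and return the three lists."""
    with tempfile.TemporaryDirectory() as tmp:
        return reconcile(DECLARED, inventory(build_sample_tree(tmp)))


if __name__ == "__main__":
    documented, undocumented, never_seen = audit_sample()
    print(f"documented {len(documented)}, undocumented {len(undocumented)}, "
          f"declared but absent {len(never_seen)}")
    for name, ver in undocumented:
        print("  undocumented:", name, ver)
```

Even on this five-JAR sample the declared list misses 40% of what ships, which is the shape of the real audit numbers above. The same reconciliation applies to any artifact type once you have an identifier for it; the hard part in practice is the identification step, not the diff.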
14. It’s Likely Your Disclosure of 3rd Party Content is Incomplete…
[Chart: Open Source Components Disclosed In Advance of Audit vs. Undisclosed, for 13 audit projects; y-axis 0 to 350 components; two series per project: Disclosed and Undisclosed. Source: Palamida Audit Projects]
15. …With License Terms that May Be Problematic
[Chart: Audit Breakdown by License, total % per license family, y-axis 0% to 30%. Source: 2010 Year to Date Audit Engagements Performed by Palamida Professional Services]
16. Open Source is not somehow “different”
PLAINTIFFS' MEMORANDUM OF LAW IN SUPPORT OF THEIR MOTION FOR PRELIMINARY INJUNCTION AGAINST DEFENDANTS BEST BUY, CO., INC. AND PHOEBE MICRO, INC.
SOFTWARE FREEDOM CONSERVANCY, INC. and ERIK ANDERSEN
Filed 1/31/11
“Plaintiffs would be happy to settle this matter with Best Buy and Phoebe Micro if they either (i) ceased all distribution of BusyBox or (ii) committed to distribute BusyBox in compliance with the free and open source license terms under which Plaintiffs offer BusyBox to the world. Plaintiffs have patiently worked with Best Buy and Phoebe Micro to bring their products into compliance with the license, but unfortunately have now concluded that those efforts are destined to fail because neither Best Buy nor Phoebe Micro has the capacity and desire to meet either of Plaintiffs' demands for settlement. As such, Plaintiffs are forced to protect their interests in BusyBox by now respectfully moving for a preliminary injunction, pursuant to Rule 65, enjoining and restraining defendants Best Buy and Phoebe Micro from any further copying, distribution, or use of their copyrighted software BusyBox.”
17. Software IP is a potent competitive weapon
“Love, Larry: Here Is the Oracle Statement and Final Complaint Versus Google”, by Kara Swisher, posted August 12, 2010 at 6:46 PM PT:
“This afternoon, the database software giant said it was suing Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system software.”
http://kara.allthingsd.com/20100812/love-larry-here-is-the-oracle-statement-and-final-complaint-versus-google/
18. And Open Source Is Not Immune to Vulnerabilities
[Chart: Vulnerabilities in Popular Open Source Projects; one bar each for Apache Tomcat, jQuery, GNU C Library, libpng, LibTIFF, OpenSSL, Zlib, Libcurl, Libxml2 and OpenSSH; per-project counts range from 1 to 89. Source: National Vulnerability Database]
19. Oh No, Kernel.org was Hacked
by Susan Linton, Aug. 31, 2011 (Source: ostatic.com)
“A notice appeared on www.kernel.org today informing visitors that the servers housing the Linux kernel source code had been hacked earlier this month. The breach was discovered yesterday and maintainers believe the source code itself is unaffected.”
20. August 2011
‘Devastating’ Apache bug leaves servers exposed
Devs race to fix weakness disclosed in 2007
“Attack code dubbed “Apache Killer” that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system.”
August 14, 2011
21. Mango OSS Components
Quartz Enterprise Job Scheduler, Apache Commons Logging, Apache Jakarta Taglibs, Scriptaculous, Spring Framework, Beehive, JfreeChart, WebWork, Apache Jakarta Commons, Backport Util Concurrent, Freemarker, Google Injection Framework, Jcommon Utility Classes, Apache-db-derby, Apache Log4J, JavaMail API, MySQL, SAX: Simple API for XML, J2EE Java2 SDK Activation, AQP Alliance, DWR Direct Web Remoting, pngencoder, git-MM JDBC driver, Apache Xerces
DWR OSS Components: Apache Spring Framework, Apache Struts, Hibernate
Scriptaculous Components: PrototypeJS 1.5.0
NVD Reported Vulnerabilities (three counts shown on the slide, one per component group): 1, 4, 0
22. Risk is Risk
And you can’t mitigate risk you don’t know you have
24. What to Do Tomorrow
• Set up an OSRB or equivalent
• Establish your policy for use of externally sourced software
• Don’t stop at IP, include security
• Audit any software acquired via M&A
• Evaluate compliance alternatives, and get started
25. Open Source Review Board
• Comprised of Legal, Development and Security
• Review and approve policy for externally sourced software
• Establish the scope of information required and retained (the request form)
• Case-by-case use decisions
• Review and approve the policy for compliance with obligations
• Reports to CFO, GC, VP engineering or others periodically on compliance status
26. Policy
What is the name and version of this software component?
Where is it used?
What is the license?
Is this component in a software product that ships to customers?
Does this component contain known vulnerabilities?
Have we modified this component?
When was the last time we checked this software for version and vulnerability?
Does this component contain encryption?
Have we added this component to the notices file?
27. Mergers and Acquisitions (and outsourced development)
• Make code audit a contract item
• Don’t rely on reps regarding code content – typically 3-5x more found than disclosed
• Use outside firms to maintain an “arms-length” relationship
• Factor in remediation costs
• Don’t integrate the code with yours until you are confident of origin
28. What Acquiring Firms Are Concerned About Today
• GPL and other Viral Licenses (esp v3.0)
• Affero GPL
• Commercial Content and Libraries
• Restrictions on commercial use or field of use (e.g. no Military use)
• Cryptography
• Code with Unknown Licenses
• % of undisclosed content
29. Evaluate Compliance Alternatives, and Get Started
• In-house process
• External Professional Services – periodic reports
• In-house system
• Owned by development
• Used by development, legal and security
• System of record for policy and content
• The first pass is the most time-consuming – consider an outside audit to populate the internal system
30. Key Questions to Ask…
• How High is the Bar?
• What is “Good Enough”?
• Have You Scanned Everything? [Probably Not!]
• What’s Out There That’s Hard, But Important?
31. How High Is the Bar?
• More Linux kernel and related materials “in scope”
• More interest in historical versions / installed base
• Open Source projects requiring more internal deep reviews
• Management signing off on Bill of Materials or equivalent
• More divestitures, concern about internal process exposure
32. What Is “Good Enough”?
• The Community is getting more savvy and vocal
• The “Community” includes commercial vendors $$$$$
• More internal emphasis on tracking down source for LGPL binaries – compliance and disaster recovery
• Customers are demanding more; at delivery and at contract signing
• Scanning is occurring at internal and external touch points
• More historical versions being reviewed at M&A time
• A supplier to my supplier is MY supplier!
33. Have You Scanned Everything [Probably Not]?
• Java: Maven becoming more prevalent
• C/C++/etc…: Github remote repositories
• Commercial Source compiled on laptop
• Binary analysis bar is being raised
• Where did all these binaries come from? 1000 to 10,000+
• More naïve companies requiring scans / Bad Advice
• Web services
• Post acquisition discovery of missing code
34. What’s Out There That Is Hard, But Important?
• Object Oriented Design Issues (esp. C++/Java/C#)
• Header files cut and pastes (The Google Bionic Issue)
• Binaries and subcomponents
• Code with Unknown licenses – more every day
• Popular projects w/ Bad Licenses (Code Project CPOL or Stack Overflow CC BY-SA)
• Employees that travel w/ “Toolkits”: “Wall St. Programmer Guilty of Code Theft”, http://query.nytimes.com/gst/fullpage.html?res=9E00E2D81E31F932A25751C1A9669D8B63
Editor's Notes
Here’s a typical example from an audit we did in 2007. This is from a well known enterprise software company. They were very diligent about keeping track of what was going into their software and had catalogued 303 open source components they were using. But as you can see here they were way off base and the actual number was 838. We discovered 535 components—big moving parts critical to their product—that they had no idea were there. And there is nothing unique about their situation. We have seen something similar in every audit we’ve ever done. Based on our experience it is a virtual certainty that your company’s software is similar. This means that you are using components that probably have known security exploits that are listed in the NVD, and that your undocumented code is also unpatched and un-upgraded.