Social Code Scanning
2017-05-24 Barcelona
Maurizio Pillitu
Devops Director, Symphony Software Foundation
@maoo maoo@symphony.foundation
Analysing code, together
Social Code Scanning - our first event!
✓ What is it
Hands-on-code Workshop to analyse quality, security and legal aspects of your
code
Quick intro on how to analyse and measure
Networking, pizza and beers are on us
✓ Who’s behind
Organised by the Symphony Software Foundation
Hosted by CodeWorks Barcelona
✓ Requirements - none
1/23
The Symphony Software Foundation
✓ Non-profit organisation to foster an open source community and
developer ecosystem for the financial services
✓ Leverages Symphony* and other open source platforms to drive
inter-firm collaboration
✓ Open
Governance - Board of Directors, Engineering Steering Committee
Standards - Working Groups
Source - github.com/symphonyoss
2/23
Today’s takeaways
1. Understand
If/when to analyse your code
Common scenarios
2. Try
Analysing your code
Commonly adopted tools
3. Ask
Share doubts, questions
3/23
Why analyze code?
1. To know your codebase
Your code is a puzzle, few tiles are actually made by you
Code modularity constantly increases (more, smaller tiles)
Platforms and technologies (e.g. runtimes) evolve fast, opening the door to new potential exploits
Open source constitutes a massive tile repository, publicly available
2. Your customers (or consumers) deserve to know
Nobody wants to consume insecure/buggy code
Highly-regulated (e.g. financial services) and mission-critical (e.g. aerospace) industries
cannot afford quality/security/legal exposure #dealbreaker
4/23
Security
Why measure security?
1. Protect your data #atrest #intransit
2. Protect your servers
3. ...
5/23
What to measure
1. Query CVE databases
http://cve.mitre.org/
https://www.exploit-db.com/ #offsec #kalilinux #mrrobot
https://nvd.nist.gov/ #usgov
2. Code patterns
http VS https
Hardcoded keys and passwords
Anti-patterns
6/23
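A pattern scan for the "http VS https" and "hardcoded keys and passwords" checks listed above, as an added example that is not part of the original slides. The rule names, the entropy threshold, the placeholder list and the sample file are all constructed assumptions.

```javascript
// Added example: rules, thresholds and SAMPLE are constructed assumptions.
const RULES = [
  {
    id: 'cleartext-http',
    // http:// URLs, ignoring loopback hosts used for local development
    regex: /\bhttp:\/\/(?!localhost\b|127\.0\.0\.1\b)[^\s'"`)]+/g,
    describe: (m) => `cleartext URL ${m[0]}`,
  },
  {
    id: 'hardcoded-secret',
    // name = "literal" or name: "literal" where the name suggests a credential
    regex: /\b([A-Za-z_]*(?:password|passwd|secret|api_?key|token)[A-Za-z_]*)\s*[:=]\s*(['"`])([^'"`]{8,})\2/gi,
    // drop obvious placeholders and low-entropy filler to cut false positives
    accept: (m) => !isPlaceholder(m[3]) && shannonEntropy(m[3]) >= 3.0,
    // never echo the matched value into scan output
    describe: (m) => `credential-like literal assigned to ${m[1]} (value redacted)`,
  },
  {
    id: 'private-key',
    regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g,
    describe: () => 'embedded private key block',
  },
];

function isPlaceholder(value) {
  return /^(changeme|example|placeholder|x+|\*+|<.*>|\$\{.*\})$/i.test(value);
}

// Shannon entropy in bits per character of the literal
function shannonEntropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Returns one finding per rule match, with a 1-based line number
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      for (const m of line.matchAll(rule.regex)) {
        if (rule.accept && !rule.accept(m)) continue;
        findings.push({ file, line: i + 1, rule: rule.id, detail: rule.describe(m) });
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real project)
const SAMPLE = [
  'const API_BASE = "http://api.example.test/v1";',
  'const DEV_BASE = "http://localhost:3000";',
  'const dbPassword = "s3cr3t-Xy9!kQ2z";',
  'const apiKey = process.env.API_KEY;',
  'const token = "changeme";',
  'const DOCS = "https://docs.example.test/";',
  'const signingKey = "-----BEGIN PRIVATE KEY-----(constructed, body omitted)";',
].join('\n');

for (const f of scanSource('config.js', SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.detail}`);
}
```

The loopback URL, the environment lookup and the `changeme` placeholder are deliberately not reported; tuning those exclusions is what keeps a pattern scan usable in continuous scanning.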
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
7/23
Quality
Why measure quality?
1. Know when quality lowers (and where)
2. Say bye to regressions
3. Focus on (new) code #boostproductivity
4. ....
8/23
What to measure
1. Project
Activity
Commits (codebase activity)
Bugs - Opened VS Fixed
Inter-firm collaboration #bus-factor
Documentation
User manual
Installation manual
Roadmap
9/23
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
Follow guidelines
2. Automated/continuous scanning
BlackDuck
WhiteSource
SonarQube
10/23
Legal
Why care about legal compliance?
1. Respect the rights of open source contributors
a. Appropriate attribution
b. Reciprocal (copyleft) licensing requirements
2. Avoid intellectual property infringement
a. Copyrights
b. Patents
3. Demonstrate due diligence (aka build trust)
a. Targeted for highly regulated industries #consumption #contribution
11/23
What to measure
1. Outbound - choose the right license
a. Proprietary
b. Open source
i. Permissive
ii. Copyleft
iii. Weak copyleft
iv. Public domain
2. Dependencies Inbound (for bundled software)
12/23
How to measure
1. One-off (manual) scanning
Read your code
Know your libraries
2. Automated/continuous scanning
BlackDuck / OpenHub
Fossa
WhiteSource
VersionEye
13/23
Open source common misunderstandings
1. It’s public on GitHub, no license is defined, ergo it’s open source
■ Quite the opposite, as no license defaults to "all rights reserved", including use and
redistribution for personal and commercial purposes
2. No license is defined… contributions are welcome!
■ Without a contribution policy, the license sets the terms for collaboration
3. I defined a LICENSE file, I’m fine
■ If you use dependencies, you must check their licenses and make sure they don’t
conflict with your outbound license
4. I have 2 direct dependencies and their license is ok, I’m fine
14/23
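Misunderstandings 3 and 4 above, as an added example that is not part of the original slides: a check limited to direct dependencies passes, while a walk of the full dependency graph finds a disallowed license and an unlicensed package further down. The package names, the graph and the allowlist are constructed; the allowlist stands in for whatever policy your outbound license requires.

```javascript
// Added example: package names, graph and ALLOWED policy are constructed assumptions.
const GRAPH = {
  'map-widget': { license: 'MIT', dependencies: ['poly-clip', 'tiny-fmt'] },
  'geo-utils': { license: 'Apache-2.0', dependencies: ['tiny-fmt'] },
  'poly-clip': { license: 'GPL-3.0-only', dependencies: ['num-core'] },
  'tiny-fmt': { license: 'ISC', dependencies: [] },
  // no license declared, and it depends back on poly-clip (a cycle)
  'num-core': { license: null, dependencies: ['poly-clip'] },
};
const DIRECT = ['map-widget', 'geo-utils'];
const ALLOWED = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'ISC']);

// The "I have 2 direct dependencies and their license is ok" check
function auditDirectOnly(graph, direct, allowed) {
  return direct.filter((name) => !allowed.has(graph[name].license));
}

// Breadth-first walk over every reachable package, keeping the path that
// pulled each one in so a finding can be traced back to a direct dependency
function auditLicenses(graph, direct, allowed) {
  const violations = [];
  const seen = new Set();
  const queue = direct.map((name) => ({ name, path: [name] }));
  while (queue.length > 0) {
    const { name, path } = queue.shift();
    if (seen.has(name)) continue; // also terminates dependency cycles
    seen.add(name);
    const pkg = graph[name];
    if (!pkg) {
      violations.push({ name, reason: 'missing-metadata', path });
      continue;
    }
    if (!pkg.license) {
      // no license means "all rights reserved", so treat it as a finding
      violations.push({ name, reason: 'no-license', path });
    } else if (!allowed.has(pkg.license)) {
      violations.push({ name, reason: 'not-allowed', license: pkg.license, path });
    }
    for (const dep of pkg.dependencies) {
      queue.push({ name: dep, path: [...path, dep] });
    }
  }
  return { scanned: seen.size, violations };
}

console.log('direct-only findings:', auditDirectOnly(GRAPH, DIRECT, ALLOWED));
const report = auditLicenses(GRAPH, DIRECT, ALLOWED);
for (const v of report.violations) {
  console.log(`${v.name}: ${v.reason} via ${v.path.join(' > ')}`);
}
```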
Wrapping up
General remarks
1. Keep it simple
2. Understand requirements
3. Manage expectations
4. Use the right tool….
Useful resources
symphonyoss.atlassian.net/wiki
choosealicense.com
15/23
Let’s see some action!
Google Map Polygon Filter
React component that lets you draw a draggable polygon on a Google
Map and extract the locations within that area.
18/23
Google Map Polygon Filter
Scanning with VersionEye
19/23
Google Map Polygon Filter
bcrypt-pbkdf - upgrade to 1.0.1
20/23
Traffic Alarm
React Native alarm that adapts to the traffic situation
21/23
Traffic Alarm
Scanning with VersionEye
https://stackoverflow.com/questions/28756017/about-googlemaps-sdk-for-ios-licenses
22/23
Traffic Alarm
Reading GoogleMaps Terms of Service
23/23
Thanks!
Maurizio Pillitu
Devops Director, Symphony Software Foundation
@maoo maoo@symphony.foundation
