OSS has taken over the enterprise: The top five OSS trends of 2015

Presenters

Richard Sherrard, director of product management, Rogue Wave Software

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Top five open source trends of 2015


Open source trends we’ve seen in 2015

• Open source has taken over the enterprise
• Open source discovery challenges
• Open source risk management
• Open source governance
• Multi-tiered approach to open source management

#1 Open source has taken over the enterprise

Growth of open source


Use of open source continues to grow at a fast pace!

• 90% of companies use OSS components in commercial software (Gartner)
• >80% of a typical Java application is open-source components and frameworks (TechCrunch)
• 11 million developers worldwide make 13 billion open source requests each year

Innovation drives open source adoption

• Open source components provide critical functionality
• Improves developer productivity
• No license fees
• “More eyes” improves quality & security
• Leveraged development effort
• Apache, Tomcat, Wildfly, Jakarta Commons, jQuery
• Communities continuously improve features
• Mature, commoditized applications and libraries
• Community peer review

Open source in the enterprise


“By 2016, open source software will be in mission-critical software portfolios within 99% of all Global 1,000 enterprises.”

Innovate
• Opens up code options
• Deploy applications with any combination of code source
• Optimize developer effort and time
• Quicker time to market

Identify and mitigate risk
• Technical risk
• Business risk
• Security risk
• Legal and compliance risk

Balance risk and reward

How open source enters your codebase

“90% of code in modern applications is open source” and “31% of companies have had or suspect a breach in an open source component”

Open source community

Legacy code

Internally developed code

Reused code

Third party code

Supply chain code

Outsource code

Delivered code

Mixed source risks

• Loss of intellectual property
• Defects and quality issues
• License restrictions and obligations
• Support costs
• Security vulnerabilities
• Injunctions

What are organizations looking to answer?

Dev VP & Mgr

OSS Compliance Mgr

CTO/ CIO/CISO

Security Mgr

Legal

What open source am I using

Where are we using open source across the organization

How can I increase the security of the open source

What are my legal obligations

Are we able to participate in the open source communities

Embrace OSS and automate the governance process

Create an automated organization-wide OSS policy and leverage the benefits

• Increase developer productivity
• Educate and develop OSS policies for the developers to follow
• Marshal the resources of the OSS community
• Accelerate software development

Understand, manage, and govern OSS comprehensively

Inventory Support Govern

#2 Open source discovery

Large codebases: Open source is everywhere

• Companies today have extremely large codebases made up of 1000s of developed applications.

• Lots of different technologies in play – web, mobile, embedded

• Larger number of 3rd party software suppliers being used today

Over 100 million lines of code go into an average high-end car today!

Into the “unknown”

• Once the open source has been DISCOVERED, you can then better understand it

– What license(s) is it distributed under – GPL, Apache, BSD…

– What version(s) are being used; are they outdated?

– Are there known security risks?

– Do I have quality issues with it?

– Is there a strong community behind it?

• A plan of action can then be worked on to resolve identified risks and issues

– There will be many!

The biggest open source challenge organizations face today is “not knowing” what they have and “where they have it”

How are they doing discovery today?


• Companies find it extremely hard if not impossible to uncover where open source is being used across the organization

• It is a very ad hoc process across the organization

• Manual code reviews can take multiple man years to complete.

• Surveying or interviewing the development teams is slow and inaccurate as developers leave and move on

• Larger number of 3rd party software suppliers being used today


Automate the discovery of open source


Automated OSS Scanning

SDLC Integrations


Automate discovery of your open source

• Discovery by scanning your code
– Conduct scan in-place – access code where it is
– Run baseline and delta scans on your code

• Identify the “right” project
– Multiple matching techniques to find projects, files, snippets, modified code
– Patented noise reduction techniques to avoid false positives, pinpoint the “right” project

• Search for the “right” OSS for your needs
– Large knowledgebase of OSS
– Rich information about the package
– Automated approval policy for OSS usage

• Integrate into the SDLC
– Continuous Integration builds enable on-going automation of your code scanning

Get a comprehensive view of OSS across projects & teams

#3 Open source risk

Assessing risk in open source

For all its benefits, risks exist

Legal risk
Using the wrong license can compromise IP

Security risk
The OSS component can include vulnerabilities

Support risk
Who do you call for help?

Cisco’s loss of IP

CyberTan
• Used GPL code to customize Broadcom's Linux distribution

Broadcom
• Embedded the code in chipset

Linksys
• Adopted this into its WRT54G router

Cisco
• Bought Linksys for $500m
• FSF accused Cisco of license violation
• Source code made available

Developers modified firmware, turning a low-end ($60) device into a high-functioning router

Unknown OSS and security issues


Code vulnerabilities


Lack of open source support


• Open source software does not come with commercial support; you are dependent upon the OSS communities to provide you help and fixes

• Who do you call when your “Mission Critical” open source application has an issue?...“No throat to choke”!

• Developers have to negotiate wasted cycles and downtime while waiting for fixes from the community

• Developers do not have anyone to help with risks and development pitfalls

• No formal training provided on the OSS package


Managing OSS risk


20%

of organizations lack meaningful controls over OSS selection and use

of developers need not prove security of OSS they are using

of the organizations claim to track vulnerabilities in OSS over time

76%

80%

Increased use + few controls = unmanaged risk


Open source support


• With the ubiquity of open source, enterprises need commercial-grade support.

• We are the only vendor offering 24x7 support across hundreds of OSS packages.

• Our “Tier 4” support gives you one call access to enterprise architects, tackling a range of challenging and critical issues.

• We are thought leaders in the industry, and can provide enormous value to any business that utilizes open source software.


Value of open source support


Support offerings range across hundreds of open source products. We help customers:

• Avoid downtime and wasted cycles
• Navigate complex OSS packages requiring broad and deep expertise
• Mitigate risks and development pitfalls
• Receive formal, instructor-led training across several OSS packages
• Gain the peace of mind that comes with 24X7 support coverage

We support the best of open source

#4 Open source governance

OSS best practices

Acquisition & Approval

Support & Maintenance

Tracking

Audit & Governance

Training

Legal Compliance

Community Interaction

Consulting

Certified library request & approval process

SLA support

OpenUpdate

Project tracking

Auditing services

License obligation audit

Certification services

Technical and OSS training

OSS Policy


Manual OSS process


Web search Ask around Check the spreadsheet

Answer questions

Security review

Update spreadsheet

Contact legal

Fill out form Advocate

Monitor security alerts

Where Used?

Code Review Rewrite

Wait Wait Arch. review

Other approval boards

Monitor updates to components

Select

Approve

Monitor

Discover

Inventory


OSS management process

Select

Discover

Approve

Inventory

Monitor

Approve your OSS

Requirement: Workflows reflect policies

Request and approval workflow
– Fully customizable, flexible workflow engine
• Create workflows that match the way teams work
• Forms that ask the questions you need to approve requests
• Support complex workflows with serial or parallel reviewers
• Track OSS by use, what, where, when, how and who

Flexible OSS policy management
– Effectively communicate policies to all employees
• Easily create policies based on combination of OSS package, version and license
• Auto approve or deny requests based on usage model

Inventory and monitor your OSS

Requirement: Understand what you have, learn about it and where you have it

See OSS inventory by project
– Policy violations
– Combined lists of both approved, known OSS, and newly discovered OSS via scanning
– Comprehensive OSS Bill of Materials

Continuously monitor OSS for security vulnerabilities and updates
– Automatic: Daily updates via link to National Vulnerability Database (NVD) to list all known CVEs by OSS package
– Manual: Daily updates on new security vulnerabilities from OSS experts after reviewing hundreds of packages

#5 Multi-tiered approach to open source management

Multiple approaches to managing open source

• Issues found late, and maybe in production, are very expensive to resolve

• Not able to dig deeper into your code to find potential problems

• Not able to fix issues on open source in use

• Continuous architecture and package reviews to stay on top of the latest technology


Static code analysis

Significantly reduces the cost of reliable, secure software
• Complements existing testing approaches
• Automated and repeatable analysis

Enforces key industry standards
• DISA STIG, CWE, MISRA
• CERT, SAMATE
• OWASP, DO-178B, FDA validation
• ...and more

Dynamic code analysis


• Interactive debugging

• Interactive memory debugging

• Reverse debugging

• Unattended debugging

• Serial and parallel applications


To wrap up


Open source is everywhere!


Open source can no longer be avoided in your application development

Learn to embrace the usage of open source

Need to understand what you have and where you have it

Open source is not “FREE” and comes with its own risks and rewards

Without checks & balances in place, open source chaos will arise

Take a multi-pronged approach to managing open source

Rogue Wave capabilities


What we do

Rogue Wave helps organizations simplify complex software development, improve code quality, and shorten cycle times

See us in action:

www.roguewave.com

Richard Sherrard