OSS has taken over the enterprise: The top five OSS trends of 2015

OSS has taken over the
enterprise: The top five
OSS trends of 2015
Richard Sherrard
director of product management

Richard Sherrard
director of product management
Presenters
Rogue Wave Software
2© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Top five open source
trends of 2015

Open source trends we’ve seen in 2015
© 2015 Rogue Wave Software, Inc. All Rights Reserved.
• Open source has taken over the enterprise
• Open source discovery challenges
• Open source risk management
• Open source governance
• Multi-tiered approach to open source management
4

#1
Open source has taken
over the enterprise

Growth of open source
© 2015 Rogue Wave Software, Inc. All Rights Reserved. 6
Use of open source continues to grow
at a fast pace!
90% of companies use
OSS components in
commercial software
(Gartner)
>80% of a typical Java
application is open-
source components and
frameworks
(TechCrunch)
11 million developers
worldwide make 13
billion open source
requests each year

Innovation drives open source adoption
7
 Open source components provide critical functionality
 Improves developer productivity
No license fees
 “More eyes” improves quality & security
Leveraged development effort
 Apache, Tomcat, Wildfly, Jakarta Commons, jQuery
 Communities continuously improve features
Mature, commoditized applications and libraries
Community peer review

Open source in the enterprise
8
“By 2016, open source software will be in mission-critical software
portfolios within 99% of all Global 1,000 enterprises.”
Innovate
• Opens up code options
• Deploy applications with any
combination of code source
• Optimize developer effort and
time
• Quicker time to market
Identify and mitigate risk
• Technical risk
• Business risk
• Security risk
• Legal and compliance risk
Balance risk and reward

How open source enters your codebase
9
“90% of code in modern applications is open source” and
“31% of companies have had or suspect a breach in an open source component“
Open source
community
Legacy code
Internally
developed code
Reused code
Third party code
Supply chain
code
Outsource code
Delivered
code

Mixed source risks
Loss of
intellectual
property
Defects and quality
issues
License restrictions
and obligations
Support costs
Security
vulnerabilities
Injunctions

What organizations are looking to answer?
11
Dev VP
& Mgr
OSS Compliance Mgr
CTO/ CIO/CISO
Security Mgr
Legal
What open source am I using
Where are we using open source
across the organization
How can I increase the security
of the open source
What are my legal obligations
Are we able to participate in the
open source communities

Embrace OSS and automate the governance process
12
Create an automated organization-wide OSS policy and leverage the
benefits
• Increase developer productivity
• Educate and develop OSS policies for the developers to follow
• Marshal the resources of the OSS community
• Accelerate software development
Understand, manage, and govern OSS comprehensively
Inventory Support Govern

Large codebases: Open source is everywhere
14
• Companies today have extremely large codebases made up of 1000’s of
developed applications.
• Lots of different technologies in play – web, mobile, embedded
• Larger number of 3rd party software suppliers being used today
Over 100 million
lines of code goes
into a average high
end car today!

Into the “unknown”
15
• Once DISCOVERY of the open source is known you can then better understand
it
– What license(s) is it distributed under – GPL, Apache, BSD…
– What version(s) are being used; are they outdated!
– Are there known security risks
– Do I have quality issues with it
– Is their a strong community behind it!
• A plan of action can then be worked on to resolve identified risks and issues
– There will be many!
Biggest open source
challenge organizations
face today is the “Not
knowing” what they have
and “Where they have it”

How are they doing discovery today?
16
• Companies find it extremely hard if not impossible to uncover where open
source is being used across the organization
• It is a very ad hoc process across the organization
• Manual code reviews can take multiple man years to complete.
• Surveying or interviewing the development teams is slow and inaccurate as
developers leave and move on
• Larger number of 3rd party software suppliers being used today

Automate the discovery of open source
17
Automated OSS
Scanning
SDLC
Integrations
OSS
Approvals

Automate discovery of your open source
18
• Discovery by scanning your code
• Conduct scan in-place – access code where it is
• Run baseline and delta scans on your code
• Identify the “right” project
• Multiple matching techniques to find projects, files, snippets, modified code
• Patented noise reduction techniques to avoid false positives, pinpoint the
“right” project
• Search for the “right” OSS for your needs
• Large knowledgebase of OSS
• Rich information about the package
• Automated approval policy for OSS usage
• Integrate into the SDLC
• Continuous Integration builds enable on-going automation of your code
scanning
Get a comprehensive view
of OSS across projects &
teams

Assessing risk in open source
20
For all its benefits, risks exist
Legal risk
Using the wrong
license can
compromise IP
Security risk
The OSS
component can
include
vulnerabilities
Support risk
Who do you call
for help?

Cisco’s loss of IP
21
•Used GPL code to
customize
Broadcom's Linux
distribution
CyberTan
• Embedded the
code in chipset
Broadcom
• Adopted this into
its WRT54G
router
Linksys
•Bought Linksys for
$500m
•FSF Accused Cisco of
license violation
•Source code made
available
CISCO
Developers modified
firmware turning a low-
end ($60) device into a
high functioning router

Unknown OSS and security issues

Code vulnerabilities

Lack of open source support
24
• Open source software does not come with commercial support; you are
dependent upon the OSS communities to provide you help and fixes
• Who do you call when your “Mission Critical” open source application has
an issue?...“No throat to choke”!
• Developers have to negotiate wasted cycles and downtime while waiting for
fixes from the community
• Developers do not have anyone to help with risks and development pitfalls
• No formal training provided on the OSS package

Managing OSS risk
25
20%
of organizations lack meaningful controls
over OSS selection and use
of developers need not prove security of
OSS they are using
of the organizations claim to track
vulnerabilities in OSS over time
76%
80%
Increased use + few controls = unmanaged risk

Open source support
26
• With the ubiquity of open source, enterprises need commercial-grade
support.
• We are the only vendor offering 24x7 support across hundreds of
OSS packages.
• Our “Tier 4” support gives you one call access to enterprise
architects, tackling a range of challenging and critical issues.
• We are thought leaders in the industry, and can provide enormous
value to any business that utilizes open source software.

Value of open source support
27
Support offerings range across hundreds of open source products. We
help customers:
 Avoid downtime and wasted cycles
 Navigate complex OSS packages requiring broad and deep expertise
 Mitigate risks and development pitfalls
 Receive formal, instructor-led training across several OSS packages
 Gain the peace of mind that comes with 24X7 support coverage

We support the best of open source

OSS best practices
30
Acquisition
& Approval
Support &
Maintenance
Tracking
Audit &
Governance
Training
Legal
Compliance
Community
Interaction
Acquisition
& Approval
Support &
Maintenance
Tracking
Audit &
Governance
Training
Legal
Compliance
Community
Interaction
Consulting
Certified library
request &
approval process
SLA support
OpenUpdate
Project tracking
Auditing services
License obligation audit
Certification services
Technical and
OSS training
OSS Policy

Manual OSS process
31
Web search Ask around
Check the
spreadsheet
Answer
questions
Security
review
Update
spreadsheet
Contact legal
Fill out form Advocate
Monitor
security alerts
Where Used?
Code Review Rewrite
Wait Wait
Arch. review
Other approval
boards
Monitor
updates to
components
Select
Approve
Monitor
Discover
Inventory

OSS management process
32
Select
Discover
ApproveInventory
Monitor

Approve your OSS
33
Requirement: Workflows reflect policies
Request and approval workflow
– Fully customizable, flexible workflow engine
• Create workflows that match the way teams work
• Forms that ask the questions you need to approve requests
• Support complex workflows with serial or parallel reviewers
• Track OSS by use, what, where, when, how and who
Flexible OSS policy management
– Effectively communicate policies to all employees
• Easily create policies based on combination of OSS package, version
and license
• Auto approve or deny requests based on usage model

Inventory and monitor your OSS
34
Requirement: Understand what you have, learn about it and where you
have it
See OSS inventory by project
– Policy violations
– Combined lists of both approved, known OSS, and newly discovered
OSS via scanning
– Comprehensive OSS Bill of Materials
Continuously monitor OSS for security vulnerabilities and updates
– Automatic: Daily updates via link to National Vulnerability Database
(NVD) to list all know CVEs by OSS package
– Manual: Daily updates on new security vulnerabilities from OSS experts
after reviewing of hundreds of packages

#5
Multi tiered approach to
open source management

Multiple approaches to managing open source
36
• Finding issues late and maybe in production
are very expensive to resolve
• Not able to dig deeper into your code to find
potential problems
• Not able to fix issues on open source in use
• Continuous architecture and package reviews
to stay on top of the latest technology

Static code analysis
37
Significantly reduces the cost of reliable, secure software
• Complements existing testing approaches
• Automated and repeatable analysis
Enforces key industry standards
• DISA STIG, CWE, MISRA
• CERT, SAMATE
• OWASP, DO-178B, FDA validation
• ...and more

Dynamic code analysis
38
• Interactive debugging
• Interactive memory debugging
• Reverse debugging
• Unattended debugging
• Serial and parallel applications

Open source is everywhere!
40
Open source can no longer be avoided in your application
development
Learn to embrace the usage of open source
Need to understand what you have and where you have it
Open source is not “FREE” and comes with it own risks and
rewards
With out checks & balances in place, open source chaos will arise
Take a multi pronged approach to managing open source

Rogue Wave capabilities

What we do
42
Rogue Wave helps organizations simplify
complex software development, improve
code quality, and shorten cycle times

See us in action:
www.roguewave.com
Richard Sherrard
richard.sherrard@roguewave.com

OSS has taken over the enterprise: The top five OSS trends of 2015

OSS has taken over the enterprise: The top five OSS trends of 2015

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie OSS has taken over the enterprise: The top five OSS trends of 2015

Ähnlich wie OSS has taken over the enterprise: The top five OSS trends of 2015 (20)

Mehr von Rogue Wave Software

Mehr von Rogue Wave Software (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OSS has taken over the enterprise: The top five OSS trends of 2015