5. Product development has changed
10 years ago:
• FEATURES
• FEATURES
• FEATURES
• Major updates every year
Today:
• User experience
• Ease of use
• Major updates every day
Tools that didn't grow up fail in today's fast development processes.
13. Once upon a time...
Protex and Dynatrace AppMon
14. Dynatrace AppMon
• Eclipse rich client
• Millions of features
• 1-2 releases per year
• Parent company Compuware owned the Protex license
• Part of every release was to run a Protex scan
• ~20,000 problems detected!
15. Dynatrace next generation product
• Start of development ~6 years ago
• Ship every sprint (2 weeks) to production
• No Protex scans
20. Scanning Dynatrace with Protex
First approach:
• Entire code base
• 5 hours scan duration
• 12,000 findings
Second approach:
• Scan third-party libraries only
• 2 hours scan duration
• 300 findings
22. We need to find an alternative
Black Duck Hub to the rescue...
23. Black Duck Hub online demo
• Live demo looked very promising
• POC started
• 8 minutes scan duration
• 50 findings
• Awesome!
24. Legal department got interested...
Approval process for new libraries? NO*
Manually approve specific licenses? NO*
Code level scans? NO*
25. ... 3 months later
After fighting many (verbal) battles...
Finally, the decision to purchase Hub
26. Protex vs. Hub system requirements
              Protex                 Hub
CPU           4-8 cores              4 cores
RAM           32-64 GB               12 GB
HD            2-4 TB !!!             100 GB
Installation  Proprietary installer  Docker setup
28. Integrating Hub in our environment
• Built by developers for developers
• Easy to integrate in every build system
• APIs
• Active GitHub projects
30. Setting up policies
• Take care of all high license risks
• Add missing licenses
• Clean up false identifications
• No problem due to great UX
Dynatrace product:
• 4 Black Duck projects
• 970 open source components
• 0 high license risks
31. Great, but I can't check for new violations every day
You don't have to; set up notifications!
32. Notifications
• Notifications from CI system
  • Policy violation -> fail build -> send mail
• Hub alert
  • Alerts per Black Duck project
  • Slack, HipChat, Email
33. Project Owners
• Define a project owner per Hub project
• Make project owners responsible for taking care of policy violations
• Easy onboarding of new users
34. So what about security risks?
We don't really cover that topic so far!
36. Managing Security Risks
• List of all vulnerabilities of open source components in use
• Workflow for remediation
  • Set status
  • Upgrade guidance
  • Comment: link to bug ticket
• Notifications for new vulnerabilities
• Our goal: 0 high license risks
37. Black Duck Hub became an integral part of our secure SDLC
Part of our “4 principles of secure development”
39. Challenges with Hub
• Stay policy violation free
• Scan the right thing
  • New version every 2 weeks (1.140, 1.141, ... latest)
• Clean up security and license risks initially
• Deal with false identifications
40. Ultimate Goals
1. Bill of Materials published to web site automatically
2. 0 High, 0 Medium security risks
3. Remediate policy violations immediately
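The CI gate from the Notifications slide (policy violation -> fail build -> send mail) and the "0 High, 0 Medium security risks" goal above, written out as an added example. This is not code from the talk or from Black Duck. It assumes the JSON shape of Hub's project-version policy-status and risk-profile endpoints (overallStatus, componentVersionStatusCounts, categories.VULNERABILITY) as the author of this example recalls them, so check the fields against the API documentation of your Hub version; the sample responses, the project name and the version string are constructed placeholders.

```python
"""Illustrative CI build gate for Black Duck Hub results (example, not Hub code).

Assumed JSON shapes (verify against your Hub version):
  .../versions/{id}/policy-status -> overallStatus, componentVersionStatusCounts
  .../versions/{id}/risk-profile  -> categories.VULNERABILITY.{HIGH,MEDIUM,LOW,...}
"""
import json
import sys
from dataclasses import dataclass, field

# Thresholds from the "Ultimate Goals" slide: 0 High, 0 Medium security risks.
DEFAULT_THRESHOLDS = {"HIGH": 0, "MEDIUM": 0}

# Constructed sample responses (not real Hub output): two components in policy
# violation, one overridden violation, and a single MEDIUM vulnerability risk.
SAMPLE_POLICY_STATUS = {
    "overallStatus": "IN_VIOLATION",
    "componentVersionStatusCounts": [
        {"name": "IN_VIOLATION", "value": 2},
        {"name": "IN_VIOLATION_OVERRIDDEN", "value": 1},
        {"name": "NOT_IN_VIOLATION", "value": 967},
    ],
}
SAMPLE_RISK_PROFILE = {
    "categories": {
        "VULNERABILITY": {"HIGH": 0, "MEDIUM": 1, "LOW": 3, "OK": 966, "UNKNOWN": 0},
        "LICENSE": {"HIGH": 0, "MEDIUM": 4, "LOW": 12, "OK": 954, "UNKNOWN": 0},
    }
}


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)


def count_violations(policy_status: dict) -> int:
    """Components currently IN_VIOLATION; overridden violations do not count."""
    for entry in policy_status.get("componentVersionStatusCounts", []):
        if entry.get("name") == "IN_VIOLATION":
            return int(entry.get("value", 0))
    return 0


def security_risk_counts(risk_profile: dict) -> dict:
    """Vulnerability risk counts per severity, e.g. {'HIGH': 0, 'MEDIUM': 1, ...}."""
    return risk_profile.get("categories", {}).get("VULNERABILITY", {})


def evaluate_gate(policy_status: dict, risk_profile: dict, thresholds=None) -> GateResult:
    """Fail on any active policy violation or on security risks above the thresholds."""
    thresholds = DEFAULT_THRESHOLDS if thresholds is None else thresholds
    reasons = []
    if policy_status.get("overallStatus") == "IN_VIOLATION":
        reasons.append(f"{count_violations(policy_status)} component(s) in policy violation")
    counts = security_risk_counts(risk_profile)
    for severity, limit in thresholds.items():
        found = int(counts.get(severity, 0))
        if found > limit:
            reasons.append(f"{found} {severity} security risk(s), limit is {limit}")
    return GateResult(passed=not reasons, reasons=reasons)


def notification_text(project: str, version: str, result: GateResult) -> str:
    """Body of the mail or chat message sent by the CI job."""
    if result.passed:
        return f"[Black Duck] {project} {version}: no policy violations, security risks within limits"
    lines = [f"[Black Duck] BUILD FAILED for {project} {version}:"]
    lines += [f"  - {reason}" for reason in result.reasons]
    lines.append("  Project owner: please remediate or document an override in Hub.")
    return "\n".join(lines)


def main(argv):
    """Usage: bd_gate.py <policy-status.json> <risk-profile.json> [project] [version]
    Without arguments the constructed sample data is evaluated."""
    if len(argv) >= 3:
        with open(argv[1]) as f:
            policy_status = json.load(f)
        with open(argv[2]) as f:
            risk_profile = json.load(f)
    else:
        policy_status, risk_profile = SAMPLE_POLICY_STATUS, SAMPLE_RISK_PROFILE
    project = argv[3] if len(argv) > 3 else "sample-project"   # placeholder
    version = argv[4] if len(argv) > 4 else "1.141"            # placeholder
    result = evaluate_gate(policy_status, risk_profile)
    print(notification_text(project, version, result))
    return 0 if result.passed else 1  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline, fetch the two JSON documents from Hub with an API token (the exact URLs depend on your Hub version), then run the script on them; the exit code fails the job and the printed text is the body for the mail or Slack alert. Overridden violations are deliberately not counted, so a documented override in Hub keeps the build green while a new violation still stops it.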
41. A true story about the transition from ...
Protex -> Hub
yearly -> daily scans
hate -> love
Security in SDLC: secure development, secure operations
Everybody hated Blackduck
It was kind of a swear word in the whole company
The UI drove me crazy
Every single click took ages to execute
We tried hard – didn't get it in shape
With such horrible UX, nobody would ever want to work with it
* 1. No, we can use automated policy checks
  2. No, there are 3 simple categories
  3. Do we really need that?
With Protex you needed a 2-day training to understand just the basics
Black Duck also loved our story... video testimonial