Customer Case Study: ScienceLogic - Many Paths to Compliance

Uploaded by: black-duck-software
Posted: 10-Jan-2017
Category: Technology

TRANSCRIPT

Page 1: Customer Case Study: ScienceLogic - Many Paths to Compliance

Many Paths to Compliance

The ScienceLogic / Black Duck story

Scott Martin, Director of Security and Compliance

ScienceLogic

Black Duck Customer Conference 1

Page 2

About Scott

• Over 20 years of experience in many areas of IT
  • Government
  • ISP
  • Finance

• Nearly 10 years with ScienceLogic
  • Director of Quality Assurance
  • Director of Security and Compliance

Page 3

About ScienceLogic

• HQ in Washington DC
• MSP, Enterprise & Government Customers
• Sales offices in US, EMEA, APAC

Page 4

Our Customers

• Service Providers
• Enterprises
• Government

Page 5

ScienceLogic Architecture Overview: Distributed

[Diagram: a physical or virtual appliance with Collectors deployed in the Cloud, in Hosted / Colocation, and in the Data center]

Page 6

Cognitive Reflection Test

Developed by Professor Shane Frederick, Massachusetts Institute of Technology

Questions (you have a total of 90 seconds, or 30 seconds per question):

1. A bat and a ball cost $1.10 in total. The bat costs $1 more than the ball. How much does the ball cost?

2. If it takes five machines five minutes to make five widgets, how long does it take 100 machines to make 100 widgets?

3. In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days for the patch to cover the entire lake, how long would it take for the patch to cover half of the lake?

Answers: 1. 5 cents 2. 5 minutes 3. 47 days

Page 7

Cognitive Reflection Test

• Which are you?
  • Impulsive?
  • Thoughtful and reflective?

Page 8

Thoughtful is Better at ScienceLogic

• Over 1000 discrete open source or commercial components across 3 products
• Across 4 operating system variants
• Over 2,000 new vulnerabilities each year

[Chart: Open Source Vulnerabilities Reported Per Year, 2000 to 2015, y-axis 0 to 4000; series: NVD and VulnDB-exclusive]

Page 9

Major Business Challenges

• The Department of Defense (DoD) Unified Capabilities (UC) Approved Products List (APL) compliance
  • Critical differentiator for public and private sector clients
• Dynamic Development
  • Ensuring supportable, low-risk decisions while remaining agile
• Appliance-based application
  • Deliver entire Operating System
• Demanding investors
  • $80M+ from Goldman Sachs, Intel Capital, and others

Page 10

Role of U.S. DoD UC APL Certification

What is it?
• Single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification

Who is it for?
• U.S. Department of Defense (DoD) networks
• Other Government Agencies use it as a standard by which to judge suitability

Page 11

Role of U.S. DoD UC APL Certification

Why is it important?
• The APL is the only listing of equipment approved by DoD
• DoD entities are required to fulfill their system needs by only purchasing APL-listed products, provided one of the listed products meets their needs
• The APL must be consulted prior to purchasing a system or product; only then may DoD go off-list and apply for an exception

Page 12

DoD UC APL Certification Process

• Requires significant investment
• Continuous process
• Standard that vendors should target
• ScienceLogic has made the investment for our customers

Page 13

DoD UC APL

Page 14

Managing Customer Expectations on our Platform

ScienceLogic addresses critical security issues within 24 hours and important issues within a week; all other issues are updated quarterly or in the next available release.

From the Black Duck Open Source Security Audit Report:
• On average, open source makes up over a third of the code base in the average commercial application.

Page 15

Managing Customer Expectations on our Platform

• The applications Black Duck analyzed, on average, included over 100 unique open source components
  • ScienceLogic has over 1,000 components across three code bases
  • Keeping track of vulnerabilities and updates is a challenge
• The component count was well above what ScienceLogic believed they were using, leading to questions about…
  • Vulnerabilities in used components
  • Compliance with all licenses in use

Page 16

Legacy Code Base

DoD UC APL compliance
• Open Source in Use
  • All source must be accounted for
  • Original developers not with the company
  • Source code must come from a verifiable source
• Minimal documentation
• Must update all packages as they become available
  • GEN000120 – “System security patches and updates must be installed and up-to-date.”
  • This applies to all packages, not just ones that are part of the OS
  • Without Black Duck this would not be possible

Page 17

Appliance-based Application

• Managing internal use of OS
  • Single platform for multiple appliances
  • Specialized builds of OS
    • Red Hat
    • CentOS
    • Oracle Linux
• Handling of Red Hat’s versioning scheme
• Multitude of package updates
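Two points from these slides meet in one practical check: GEN000120 on the previous slide (every package, not just the OS, must be at its current patch level) and the Red Hat versioning scheme named here. Red Hat and its rebuilds (CentOS, Oracle Linux) backport security fixes without changing the upstream version, so "openssl 1.0.2k" by itself says nothing about whether a given fix is present; only the full epoch:version-release (EVR) does, and it has to be ordered the way RPM orders it, not as a string. The Python below is an added example, not ScienceLogic's or Black Duck's code: it reimplements librpm's rpmvercmp ordering (digit and alpha segments, leading-zero stripping, the '~' pre-release marker; the newer '^' marker is left out), compares EVRs, and lists installed packages that fall below a "fixed in" EVR. The inventory text and the fixed-in table are constructed for the example, in the shape of `rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` output, and stand in for a real errata feed.

```python
"""
Patch-level compliance check for RPM-based appliance builds (added example).

Red Hat backports fixes without bumping the upstream version, so only the
full epoch:version-release (EVR) tells you whether a package carries a fix.
This module reimplements librpm's rpmvercmp ordering and uses it to find
installed packages that are below the EVR an errata names as fixed.
"""
from typing import Callable, Dict, List, Tuple


def _take(s: str, i: int, pred: Callable[[str], bool]) -> int:
    """Index just past the run of characters satisfying pred, starting at i."""
    while i < len(s) and pred(s[i]):
        i += 1
    return i


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like librpm's rpmvercmp.

    Returns -1, 0 or 1. Separators (non-alphanumerics other than '~') are
    skipped; strings are compared segment by segment, where a segment is a
    run of digits or a run of letters; numeric segments compare by value,
    a numeric segment is newer than an alpha one, and '~' sorts before
    anything, including the end of the string. The '^' marker is omitted.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] != '~':
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != '~':
            j += 1
        ta = i < len(a) and a[i] == '~'
        tb = j < len(b) and b[j] == '~'
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The next segment type (digits or letters) is chosen by a's next char.
        pred = str.isdigit if a[i].isdigit() else str.isalpha
        isnum = pred is str.isdigit
        ni, nj = _take(a, i, pred), _take(b, j, pred)
        seg_a, seg_b = a[i:ni], b[j:nj]
        if not seg_b:
            # Segment types differ: the numeric side is the newer one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ni, nj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'. rpm prints '(none)' for an unset epoch;
    that and a missing epoch both mean 0. A missing release is returned as ''."""
    epoch = 0
    if ':' in evr:
        e, evr = evr.split(':', 1)
        epoch = 0 if e == '(none)' else int(e)
    if '-' in evr:
        version, release = evr.rsplit('-', 1)
    else:
        version, release = evr, ''
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch first (numerically), then version, then release; the release is
    only compared when both sides carry one."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc != 0 or not (ra and rb):
        return rc
    return rpmvercmp(ra, rb)


def find_outdated(inventory: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed_evr, required_evr) for each installed package
    whose EVR is below the one in fixed_in. Packages present on only one side
    are not reported (not installed, or no errata to check against)."""
    outdated = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        name, evr = line.split(None, 1)
        required = fixed_in.get(name)
        if required is not None and compare_evr(evr, required) < 0:
            outdated.append((name, evr, required))
    return outdated


# Constructed sample in the shape of
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# output; not taken from a real host.
SAMPLE_INVENTORY = """\
openssl 1:1.0.2k-8.el7
bash (none):4.2.46-20.el7_2
glibc (none):2.17-106.el7_2.8
ntp (none):4.2.6p5-22.el7
kernel (none):3.10.0-327.el7
"""

# Constructed 'fixed in' EVRs standing in for an errata feed (not real advisories).
SAMPLE_FIXED_IN = {
    "openssl": "1:1.0.2k-12.el7",
    "bash": "4.2.46-21.el7_3",
    "glibc": "2.17-106.el7_2.8",
    "ntp": "4.2.6p5-25.el7_3.1",
    "kernel": "3.10.0-327.el7",
    "sudo": "1.8.6p7-22.el7_3",  # not installed in the sample, so never reported
}

if __name__ == "__main__":
    for name, have, need in find_outdated(SAMPLE_INVENTORY, SAMPLE_FIXED_IN):
        print(f"{name}: installed {have}, fix requires {need}")
```

Run as a script it reports openssl, bash and ntp from the sample as below their fixed-in EVR and leaves glibc and kernel alone. The openssl case shows why the ordering matters: release 8.el7 versus 12.el7 differ only in the backport release, a plain string comparison would call "8" the newer of the two, and a check against the upstream version alone would see no difference at all.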

Page 18

Protex / Code Center / The Hub

• Protex
  • Extremely powerful
  • Highly accurate
  • Moderately easy to use (once you understand the layout)
  • Could use a facelift
• Code Center
  • Still our go-to for approvals and vulnerabilities
  • Manage components in bulk
• The Hub
  • Clean layout
  • Easy to use and understand
  • Shows great potential

Page 19

Lessons Learned

Black Duck best practices and recommendations
• Get training
  • Mistakes are painful
  • Use Black Duck for initial scans
  • Don’t use temporary help
• Do your research
  • Protex has multiple matches on the same project

Page 20

Scott Martin, Director of Security and Compliance
@[email protected]

Questions?

Page 21

Thank You
