customer case study: sciencelogic - many paths to compliance
Many Paths to Compliance
The ScienceLogic / Black Duck story
Scott Martin, Director of Security and Compliance
ScienceLogic
Black Duck Customer Conference 1
About Scott
• Over 20 years of experience in many areas of IT
  • Government
  • ISP
  • Finance
• Nearly 10 years with ScienceLogic
  • Director of Quality Assurance
  • Director of Security and Compliance
About ScienceLogic
• HQ in Washington DC
• MSP, Enterprise & Government Customers
• Sales offices in US, EMEA, APAC
Our Customers
Customer segments: Service Providers, Enterprises, Government
ScienceLogic Architecture Overview: Distributed
Diagram: a physical or virtual appliance, with Collectors deployed across Cloud, Hosted / Colocation, and Data center environments.
Cognitive Reflection Test
Developed by Professor Shane Frederick, Massachusetts Institute of Technology
Questions (you have a total of 90 seconds, or 30 seconds per question):
1. A bat and a ball cost $1.10 in total. The bat costs $1 more than the ball. How much does the ball cost?
2. If it takes five machines five minutes to make five widgets, how long does it take 100 machines to make 100 widgets?
3. In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days for the patch to cover the entire lake, how long would it take for the patch to cover half of the lake?
Answers: 1. 5 cents; 2. 5 minutes; 3. 47 days
Cognitive Reflection Test
• Which are you?
  • Impulsive?
  • Thoughtful and reflective?
Thoughtful is Better at ScienceLogic
• Over 1000 discrete open source or commercial components across 3 products
• Across 4 operating system variants
• Over 2,000 new vulnerabilities each year
Chart: Open Source Vulnerabilities Reported Per Year, 2000 through 2015 (y-axis 0 to 4000; series: nvd, vulndb-exclusive).
Major Business Challenges
• The Department of Defense (DOD) Unified Capabilities (UC) Approved Products List (APL) compliance
  • Critical differentiator for public and private sector clients
• Dynamic Development
  • Ensuring supportable, low-risk decisions while remaining agile
• Appliance-based application
  • Deliver entire Operating System
• Demanding investors
  • $80M+ from Goldman Sachs, Intel Capital, and others
Role of U.S. DoD UC APL Certification
What is it?
• Single consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification
Who is it for?
• U.S. Department of Defense (DoD) networks
• Other Government Agencies use it as a standard by which to judge suitability
Role of U.S. DoD UC APL Certification
Why is it important?
• The APL is the only listing of equipment approved by DoD
• DoD entities are required to fulfill their system needs by only purchasing APL-listed products, provided one of the listed products meets their needs
• The APL must be consulted prior to purchasing a system or product
• Only then may DoD go off-list and apply for an exception
DoD UC APL Certification Process
DoD UC APL:
• Requires significant investment
• Continuous process
• Standard that vendors should target
• ScienceLogic has made the investment for our customers
Managing Customer Expectations on our Platform
ScienceLogic addresses critical security issues within 24 hours, important issues within a week, and all other issues are updated quarterly or in the next available release.
From Black Duck Open Source Security Audit Report:
• On average, open source makes up over a third of the code base in the average commercial application.
• The applications Black Duck analyzed, on average, included over 100 unique open source components
• ScienceLogic has over 1,000 components across three code bases
• Keeping track of vulnerabilities and updates is a challenge
• The component count was well above what ScienceLogic believed they were using, leading to questions about…
  • Vulnerabilities in used components
  • Compliance with all licenses in use
Legacy Code Base
DoD UC APL compliance
• Open Source in Use
  • All source must be accounted for
  • Original developers not with the company
  • Source code must come from a verifiable source
• Minimal documentation
• Must update all packages as they become available
  • GEN000120 – “System security patches and updates must be installed and up-to-date.”
  • This applies to all packages, not just ones that are part of the OS
• Without Black Duck this would not be possible
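Added example, not code from the deck, ScienceLogic or Black Duck: a Python triage of a constructed component inventory against a constructed vulnerability feed, applying the remediation windows the deck states (critical within 24 hours, important within a week, everything else quarterly) and the GEN000120 reading above that every shipped package, OS or not, must be at the newest available version. Component names, versions and the feed date are hypothetical.

```python
# Added example, not from the ScienceLogic deck or from Black Duck: triage of a
# constructed inventory against a constructed vulnerability feed using the deck's
# remediation windows, plus a GEN000120-style "is every package current?" check.
from collections import namedtuple
from datetime import date, timedelta

SLA_DAYS = {"critical": 1, "important": 7}  # windows stated in the deck
QUARTERLY_DAYS = 90                         # "all other issues": quarterly
REPORTED = date(2015, 10, 1)                # constructed feed date
Component = namedtuple("Component", "name installed available")  # shipped vs newest upstream
Vuln = namedtuple("Vuln", "component severity fixed_in")         # first version with the fix

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # "1.12.4" -> (1, 12, 4), sorts numerically

def due_date(severity: str, reported: date) -> date:
    return reported + timedelta(days=SLA_DAYS.get(severity, QUARTERLY_DAYS))

def triage(inventory, feed, reported=REPORTED):
    """(name, severity, ISO due date) for each feed entry the shipped inventory is exposed to."""
    by_name = {c.name: c for c in inventory}
    findings = []
    for v in feed:
        c = by_name.get(v.component)
        if c is None or version_tuple(c.installed) >= version_tuple(v.fixed_in):
            continue  # not shipped, or already at/above the fixed version
        findings.append((c.name, v.severity, due_date(v.severity, reported).isoformat()))
    return sorted(findings, key=lambda f: f[2])  # ISO dates sort chronologically as strings

def stale_packages(inventory):
    """GEN000120 applied to every component, OS package or application library alike."""
    return sorted(c.name for c in inventory
                  if version_tuple(c.installed) < version_tuple(c.available))

# Constructed sample data: hypothetical versions, not real advisories.
INVENTORY = [Component("openssl", "1.0.1", "1.0.2"),   # OS package, one release behind
             Component("jquery", "1.9.1", "1.12.4"),   # application library, also behind
             Component("libxml2", "2.9.1", "2.9.1")]   # OS package, current
FEED = [Vuln("openssl", "critical", "1.0.2"),
        Vuln("jquery", "moderate", "1.12.0"),
        Vuln("libxml2", "important", "2.9.0"),  # already at/above the fix: no finding
        Vuln("zlib", "critical", "1.2.8")]      # not shipped at all: no finding

if __name__ == "__main__":
    for name, sev, due in triage(INVENTORY, FEED):
        print(f"{name:8} {sev:9} due {due}")
    print("stale (GEN000120):", stale_packages(INVENTORY))
```

Note that jquery is stale under GEN000120 even though its only feed entry is moderate, which is the deck's point that the update rule covers application-level components as well as OS packages.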
Appliance-based Application
• Managing internal use of OS
  • Single platform for multiple appliances
  • Specialized builds of OS
    • Red Hat
    • CentOS
    • Oracle Linux
• Handling of Red Hat’s versioning scheme
• Multitude of package updates
Protex/Code Center/The Hub
• Protex
  • Extremely powerful
  • Highly accurate
  • Moderately easy to use (once you understand the layout)
  • Could use a facelift
• Code Center
  • Still our go-to for approvals and vulnerabilities
  • Manage components in bulk
• The Hub
  • Clean layout
  • Easy to use and understand
  • Shows great potential
Lessons Learned
Black Duck best practices and recommendations
• Get training
  • Mistakes are painful
• Use Black Duck for initial scans
  • Don’t use temporary help
• Do your research
  • Protex has multiple matches on the same project
Scott Martin, Director of Security and Compliance, [email protected]
Questions?
Thank You