Performing an Audit

Dave McLoughlinDirector, Open Source Auditing Services Rogue Wave Softwaredave.mcloughlin@roguewave.com

1. Future of Open Source survey

1% 10% 89%

What I write

What my team

writesWhat my team uses and/or what

the OSS community writes

My Application =

• Over 50% of enterprise organizations adopt and contribute to OSS today 1

OSS usage

OSS Risk

Lawsuit Threatens to break new ground on the GPL and Software Licensing Issues

Aaron Williamson Open Source.com “Lawsuit Threatens to break new ground on GPL and software licensing issues http://opensource.com/law/14/7/lawsuit-threatens-break-new-ground-gpl-and-software-licensing-issues July 30/2014

XimpleWare

V.S.

Technology acquisitions• Inherited OSS Risks• Reps and Warranties• Value of target

Measuring open source risks• Know your inventory with OSS scanning

– Automated, repeatable way to locate OSS packages (and packages within packages!) and licensing obligations

– Look for scanning tools that:• are SaaS – easier to set up and maintain

• Protect your IP by not requiring source code upload

• Maintain OSS support– Get notified of latest patches, risks, bugs

• Establish an OSS policy to minimize risk– Use only trusted packages

– Notify and update security fixes

Preparing for an audit• How do scanners work?

• Create fingerprints of your code to compare with a fingerprint KB• May also look for copyright, author, url, license information

• What do you scan?• Ideally source code, but binary is okay• Determine what you want to scan (version, product)• Check your code out of your source code repository

• Objectives• Set direction for audit: Security, Compliance, Governance

Audit process• Scan files

• Small scans can take a less than a day to complete• Large > million files could take a few days to complete

• Analyze results• Analysis is done by professional OSS auditors• Analysis typically takes a few days

• Create reports• Reports should include OSS BOM and non-OSS BOM• Licenses• Obligation information• Security reports (CVE and vulnerability information)

• Review reports

Example report

© 2015 Rogue Wave Software, Inc. All Rights Reserved.

Open Source Bill of Material (BOM) License

Information Compliance Information

Next steps after an auditThis is where your work really begins

• Compliance work• OSS License obligations are conditional• Create compliance check list• Review and complete compliance obligations

• Security review• Review applicability of CVE• Take necessary remediation steps

• Target review• Review findings and assess impact on acquisition

Conclusions:• Run an audit by to determine the following:

• Are there any licenses in deployed software that can put you at risk. (i.e. Copy Left licenses)

• Are there any known vulnerabilities in the open source packages you’ve distributed

• Create a policy to mitigate future risk:• Establish a safe place to download open source software• Ban licenses that can lead to risk• Ban packages with known vulnerabilities

• Run periodic delta scans to ensure that the policy is working

QUESTIONSdave.mclouglin@roguewave.com