Open Source Software: The Intersection Of IP And Security

Transcription

Open Source Software: the Intersection of IP and Security. Greg Kelton, Managing Director EMEA, Palamida Inc. Copyright 2011 Palamida, Inc.

1995: F22 software (avionics only), 1.7M LOC.

2009: "It takes dozens of microprocessors running 100 million lines of code to get a premium car out of the driveway" (IEEE Spectrum, February 2009; image: General Motors).

New Ways of Composing Services. Cloud computing: a style of computing in which massively scalable IT-related capabilities are provided "as a service" using Internet technologies to multiple external customers. (Definition: Gartner Group)

Smarter Devices

The point is: more and better software, in less time, and with smaller budgets.

Today's Reality: a software development organization cannot be competitive without widespread use of open source.

Gartner OSS Predictions
- By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.
- By 2014, 50% of Global 2000 organizations will experience technology, cost and security challenges through lack of open-source governance.
- By 2015, OSS will be used and adopted to help enable over 60% of platform-as-a-service (PaaS) services.
- By 2014, 30% of applications running on proprietary versions of Unix will be migrated to OSS-based Linux on x86.
- By 2014, those organizations with effective open-source community participation will consistently deliver high returns from their open-source investments.
- By 2013, up to 50% of Global 2000 non-IT enterprises will contribute to at least one OSS project.
- By 2016, 50% of leading non-IT organizations will use OSS as a business strategy to gain competitive advantage.
Source: Gartner, "Predicts 2011: Open-Source Software, the Power Behind the Throne", 23 November 2010, ID G00209180.

Typical Software Project Metrics: 2.9 GB; 87,863 files; 8,535,345 LOC; copyright holders: 350; binaries/archives/JARs: 1,207. What is this software project trying to tell you?

There is probably a lot of content that you don't know about. Audit example:
- Size: 15.9 GB, 59.1M LOC
- Documented OS components: 303
- Undocumented OS components: 535
- Total: 838
- % of LOC from open source: 60-65%

With license terms that may be problematic. (Chart: Audit Breakdown by License; y-axis: total %, 0-30%.) Source: 2010 year-to-date audit engagements performed by Palamida Professional Services.

Open Source is not somehow "different":

"Plaintiffs would be happy to settle this matter with Best Buy and Phoebe Micro if they either (i) ceased all distribution of BusyBox or (ii) committed to distribute BusyBox in compliance with the free and open source license terms under which Plaintiffs offer BusyBox to the world. Plaintiffs have patiently worked with Best Buy and Phoebe Micro to bring their products into compliance with the license, but unfortunately have now concluded that those efforts are destined to fail because neither Best Buy nor Phoebe Micro has the capacity and desire to meet either of Plaintiffs' demands for settlement. As such, Plaintiffs are forced to protect their interests in BusyBox by now respectfully moving for a preliminary injunction, pursuant to Rule 65, enjoining and restraining defendants Best Buy and Phoebe Micro from any further copying, distribution, or use of their copyrighted software BusyBox."

Plaintiffs' Memorandum of Law in Support of Their Motion for Preliminary Injunction against Defendants Best Buy, Co., Inc. and Phoebe Micro, Inc.; Software Freedom Conservancy, Inc. and Erik Andersen; filed 1/31/11.

Software IP is a potent competitive weapon.

"Love, Larry: Here Is the Oracle Statement and Final Complaint Versus Google", by Kara Swisher, posted on August 12, 2010 at 6:46 PM PT: "This afternoon, the database software giant said it was suing Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system."
aint-versus-google/

And Open Source Is Not Immune: vulnerabilities in popular open source projects (Apache Tomcat, jQuery, GNU, OpenSSH). Source: National Vulnerability Database.

"Oh No, Kernel.org was Hacked", by Susan Linton, Aug. 31, 2011: "A notice appeared on www.kernel.org today informing visitors that the servers housing the Linux kernel source code had been hacked earlier this month. The breach was discovered yesterday and maintainers believe the source code itself is unaffected." Source: ostatic.com

August 2011: "'Devastating' Apache bug leaves servers exposed. Devs race to fix weakness disclosed in 2007." "Attack code dubbed 'Apache Killer' that exploits the vulnerability in the way Apache handles HTTP-based range requests was published Friday on the Full-disclosure mailing list. By sending servers running versions 1.3 and 2 of Apache multiple GET requests containing overlapping byte ranges, an attacker can consume all memory on a target system." (August 14, 2011)
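The Range handling the article describes can be checked before a request ever reaches the server. What follows is an added example, not code from the slides or from the Apache project: it parses an HTTP/1.1 Range header as RFC 2616 section 14.35 defines byte ranges and flags requests that carry too many or overlapping ranges, which is the shape of the "Apache Killer" request (one open-ended range followed by hundreds of ranges that all overlap it). The five-range limit and the apache_killer_header() helper are assumptions made here; the limit mirrors the interim mod_rewrite workaround Apache published for the issue (CVE-2011-3192).

```python
"""Flag HTTP Range headers shaped like the 2011 "Apache Killer" request.

Added example (not Apache code). It parses the byte-range syntax of RFC 2616
section 14.35 and reports requests with too many or overlapping ranges."""
import re

# Assumption: at most 5 ranges per request. This mirrors the interim mod_rewrite
# workaround Apache published for the issue; tune to what your clients really send.
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header_value, content_length):
    """Turn 'bytes=a-b,c-,-n,...' into absolute (start, end) pairs, end inclusive.

    Returns None when the header is not a well-formed byte-range spec (a server
    then ignores it and sends the whole entity). Unsatisfiable ranges are dropped,
    as RFC 2616 allows; suffix ranges (-n) are resolved against content_length."""
    if not header_value.lower().startswith("bytes=") or content_length <= 0:
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                       # suffix range: the last n bytes
            n = int(last)
            if n == 0:
                continue
            start, end = max(content_length - n, 0), content_length - 1
        else:
            start = int(first)
            end = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if start >= content_length or end < start:
                continue                      # unsatisfiable or inverted: skipped
        ranges.append((start, end))
    return ranges


def is_abusive(header_value, content_length, max_ranges=MAX_RANGES):
    """Return (abusive, reason) for one Range header against one resource size."""
    ranges = parse_byte_ranges(header_value, content_length)
    if ranges is None:
        return (False, "not a byte-range request")
    if len(ranges) > max_ranges:
        return (True, f"{len(ranges)} ranges exceeds limit of {max_ranges}")
    # Overlapping ranges make the server buffer the same bytes again for every
    # overlap, which is what the attack relies on; no normal client needs them.
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            return (True, f"overlapping ranges {s1}-{e1} and {s2}-{e2}")
    return (False, "ok")


def apache_killer_header(count=1300):
    """Constructed header with the published attack's shape: 'bytes=0-,5-0,5-1,...,5-<count-1>'."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(count))


if __name__ == "__main__":
    for header in ("bytes=0-99", "bytes=0-99,200-299", "bytes=0-99,50-149", apache_killer_header()):
        print(header[:40].ljust(40), is_abusive(header, 1000))
```

A check like this belongs in front of the origin (reverse proxy, WAF or a request filter), and it is only a stop-gap: the real fix is the patched server. Apache's own fix shipped in httpd 2.2.20, and 2.2.21 added the MaxRanges directive (default 200) so the cap is configurable rather than hard-wired as above.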

Mango OSS Components (component tree as shown on the slide; NVD counts are kept with the group they were attached to)
- Mango OSS components: Quartz Enterprise Job Scheduler; DWR
- DWR OSS components: Apache Commons Logging; Apache Spring Framework; Apache Jakarta Taglibs; Apache Struts; Spring Framework; Hibernate; JFreeChart; Apache Jakarta Commons; Scriptaculous
- Scriptaculous components: PrototypeJS 1.5.0 (NVD reported vulnerabilities: 1)
- Beehive; Freemarker; WebWork; JCommon utility classes; Apache DB Derby; Apache Log4j; JavaMail API; MySQL; Backport Util Concurrent; Google Injection Framework (NVD reported vulnerabilities: 4)
- SAX: Simple API for XML; J2EE Java2 SDK Activation; AOP Alliance; DWR Direct Web Remoting; pngencoder; git-MM JDBC driver; Apache Xerces (NVD reported vulnerabilities: 0)

Risk is Risk. And you can't mitigate risk you don't know you have.


What to Do Tomorrow
- Set up an OSRB or equivalent
- Establish your policy for use of externally sourced software
- Don't stop at IP; include security
- Audit any software acquired via M&A
- Evaluate compliance alternatives, and get started

Open Source Review Board
- Comprised of Legal, Development and Security
- Reviews and approves the policy for externally sourced software
- Establishes the scope of information required and retained (the request form)
- Makes case-by-case use decisions
- Reviews and approves the policy for compliance with obligations
- Reports periodically to the CFO, GC, VP Engineering or others on compliance status

Policy: the questions the request form should answer for every component
- What is the name and version of this software component?
- Where is it used?
- What is the license?
- Is this component in a software product that ships to customers?
- Does this component contain known vulnerabilities?
- Have we modified this component?
- When was the last time we checked this software for version and vulnerability?
- Does this component contain encryption?
- Have we added this component to the notices file?

Mergers and Acquisitions (and outsourced development)
- Make code audit a contract item
- Don't rely on reps regarding code content: typically 3-5x more is found than disclosed
- Use outside firms to maintain an "arm's-length" relationship
- Factor in remediation costs
- Don't integrate the code with yours until you are confident of its origin

What Acquiring Firms Are Concerned About Today
- GPL and other viral licenses (especially v3.0)
- Affero GPL
- Commercial content and libraries
- Restrictions on commercial use or field of use (e.g. no military use)
- Cryptography
- Code with unknown licenses
- % of undisclosed content
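The policy questions above (name and version, license, whether the product ships, known vulnerabilities, date of last check) and the acquirer's concerns (copyleft and AGPL, unknown licenses, share of undisclosed content) can be applied mechanically once a scan has produced a component tree like the Mango one shown earlier. The following is an added example, not Palamida tooling or code from the slides: it walks a scanned dependency tree, compares it with what the team declared on its request forms, and emits one finding per policy question that fails, including the share of components nobody had documented. The tree shape follows the slide's Mango, DWR, Scriptaculous, PrototypeJS chain, but the versions, dates and the components "reportgen", "chartlib" and "netstats" are constructed for the example; the one NVD count (PrototypeJS 1.5.0: 1) is the one the slide reports, and the license classes are an assumed policy.

```python
"""Reconcile a scanned component tree against declared components and apply OSRB policy.

Added example; the tree, versions, dates, license classes and the three
hypothetical components are constructed, not audit data."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed policy classes (SPDX ids). AGPL obligations attach on network use, so it is
# blocked outright; GPL obligations attach on distribution, so it needs a decision
# only when the product ships.
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}

# Stand-in for an NVD lookup: (lower-cased name, version) -> number of NVD entries.
# The PrototypeJS 1.5.0 count is the one on the slide; nothing else is claimed here.
NVD_COUNTS = {("prototypejs", "1.5.0"): 1}


@dataclass
class Component:
    name: str
    version: str
    license_id: str = "UNKNOWN"           # what the audit could establish; UNKNOWN is itself a finding
    last_checked: Optional[date] = None   # when version and vulnerability status were last reviewed
    deps: List["Component"] = field(default_factory=list)


def flatten(component, path=()):
    """Walk the tree, yielding each component with the chain of parents it was pulled in through."""
    yield component, path
    for dep in component.deps:
        yield from flatten(dep, path + (component.name,))


def review(root, declared, ships_to_customers, today, max_age_days=90):
    """Apply the policy questions to every transitive component of `root`.

    `declared` holds the (lower-cased name, version) pairs the team documented.
    Returns component count, percentage undocumented, and (finding, name, version, detail) tuples."""
    findings, seen = [], set()
    for comp, path in flatten(root):
        key = (comp.name.lower(), comp.version)
        if key in seen:                       # reached again via another parent: report once
            continue
        seen.add(key)
        via = " -> ".join(path) if path else "(top level)"
        if key not in declared:
            findings.append(("undocumented", comp.name, comp.version, f"found via {via}"))
        if comp.license_id == "UNKNOWN":
            findings.append(("license-unknown", comp.name, comp.version, "no license established; obligations cannot be assessed"))
        elif comp.license_id in NETWORK_COPYLEFT:
            findings.append(("license-blocked", comp.name, comp.version, "AGPL obligations attach on network use, shipped or not"))
        elif comp.license_id in STRONG_COPYLEFT and ships_to_customers:
            findings.append(("license-review", comp.name, comp.version, "GPL obligations attach on distribution; OSRB decision required"))
        n = NVD_COUNTS.get(key, 0)
        if n:
            findings.append(("vulnerability", comp.name, comp.version, f"{n} NVD entry(ies); check whether a later version fixes them"))
        if comp.last_checked is None or (today - comp.last_checked).days > max_age_days:
            findings.append(("stale-check", comp.name, comp.version, f"not re-checked within {max_age_days} days"))
    undocumented = sum(1 for f in findings if f[0] == "undocumented")
    return {"components": len(seen),
            "undocumented_pct": round(100 * undocumented / len(seen), 1),
            "findings": findings}


def count(report, kind):
    """Number of findings of one kind in a review() report."""
    return sum(1 for f in report["findings"] if f[0] == kind)


# Constructed scan result shaped like the slide's Mango -> DWR -> Scriptaculous -> PrototypeJS chain.
TODAY = date(2011, 9, 1)
SCAN_RESULT = Component("our-product", "2.0", "Proprietary", TODAY, deps=[
    Component("Quartz Enterprise Job Scheduler", "1.6.0", "Apache-2.0", date(2011, 8, 20)),
    Component("DWR", "2.0.5", "Apache-2.0", date(2011, 3, 1), deps=[
        Component("Apache Commons Logging", "1.1.1", "Apache-2.0", date(2011, 8, 20)),
        Component("Scriptaculous", "1.8.0", "MIT", None, deps=[
            Component("PrototypeJS", "1.5.0", "MIT", None),
        ]),
    ]),
    Component("reportgen", "0.3", "GPL-2.0-only", TODAY),   # hypothetical
    Component("chartlib", "4.1", "UNKNOWN", TODAY),         # hypothetical
    Component("netstats", "2.1", "AGPL-3.0-only", TODAY),   # hypothetical
])
# What the team wrote on its request forms: the top-level pieces only.
DECLARED = {("our-product", "2.0"), ("quartz enterprise job scheduler", "1.6.0"), ("dwr", "2.0.5")}

REPORT_SHIPPED = review(SCAN_RESULT, DECLARED, ships_to_customers=True, today=TODAY)

if __name__ == "__main__":
    print(f"{REPORT_SHIPPED['components']} components, {REPORT_SHIPPED['undocumented_pct']}% undocumented")
    for finding in REPORT_SHIPPED["findings"]:
        print(" ", *finding)
```

Two things the output makes visible that a declared-components list never does: every finding on PrototypeJS sits three levels below anything the team wrote down, and the same tree reviewed with ships_to_customers=False drops the GPL review item but keeps the AGPL block, which is exactly why the "does it ship?" question is on the form.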

Evaluate Compliance Alternatives, and Get Started
- In-house process
- External professional services: periodic reports
- In-house system: owned by development; used by development, legal and security; the system of record for policy and content
- The first pass is the most time-consuming: consider an outside audit to populate the internal system


Open Source Software: the Intersection of IP and Security. Greg Kelton, Managing Director EMEA, Palamida Inc. gkelton@palamida.com

Author: Greg Kelton. Publish year: 2011.