Best practices for simplifying software audits
Download as PPTX, PDF2 likes692 views
The document outlines best practices for preparing for and simplifying software audits. It recommends structuring code in a hierarchical format and including essential license and attribution information at the file, folder, and project levels. Regular audits that identify all software components, licenses, and security vulnerabilities are important to reduce legal risks. The use of automated tools can improve audit speed and accuracy over manual methods. Education of development teams on audit procedures and open source policies is also key.
Best practices for simplifying software audits
- 1. Protecode Inc. 2015 1 Best Practices for Simplifying Software Audits Wednesday, June 24th, 2015
- 2. Protecode Inc. 2015 Agenda Software audits – What, why, who and how How to prepare for an audit Documentation you need – Per file, folder, project, organization Audit reports Resolving background & foreground IP Policies and internal education Wrap up and Q & A 2 Tiberius Forrester, Director of Solutions tforrester@protecode.com
- 3. Protecode Inc. 2015 Software Audits Complex projects use a mix of in house and third party code – Wide adoption of open source software – Code contributions across organizational boundaries – Popularity of outsourcing software – Ease of access to code (OSS repositories, WWW, Previous life work) 3 It is our software. Do we know what we have? Why Reduces uncertainties and vulnerabilities – IP Ownership and compliance with code obligations – Identifies known security exposures Helps technology organizations – Adopt open source software profitably – Reduce effort and shorten timelines Value
- 4. Protecode Inc. 2015 What Does a Software Audit Do? A software audit is a discovery process Identifies all components in a software portfolio – Own software – Open source software (OSS) – Other 3rd party software Identifies code attributes – Licensing, authorship and copyrights – Security vulnerabilities, encryption content – Software pedigree, versions, modifications Highlights legal obligations and reduces vulnerabilities – Licensing, known security vulnerabilities, exportability Creates a software Bill of Materials (BOM) – Software inventory 4
- 5. Protecode Inc. 2015 Internal audit team – Combination of legal and software expertise • Often an overworked and underpaid team (of 1) – Manual audit • Rely on records, examination of files and packages – Or automated scanning for improved speed and accuracy • Acquired or implemented in house External audit team – Arms-length software audit organizations • Typically used for financial transactions – Uses automated code scanning and discovery solutions – Delivers high level executive reports as well as signed-off machine generated reports Who performs the audit? 5
- 6. Protecode Inc. 2015 Preparing for the Audit Access to all code Knowledge of business model Understanding of the development environment – Tools, repositories, libraries List of known 3rd party components – Open source, commercial (and their licenses) Access to a list of developers – Within or outside organization Current and previous company copyright formats – Eg ACME Inc, copyright © ACEME Inc, List of company acquisitions – And their copyright formats 6
- 7. Protecode Inc. 2015 Preparing for an external audit 7 Have a single point of contact Sign Non-Disclosure Agreement (NDA) – 2 way, 3 way, 4 way or more! Explain the purpose of audit – M&A / tech transfer / collaboration / product delivery? – Who is the sponsor (recipient of the audit report) Provide company overview – What business? R&D practices – Contracting, outsourcing practices Describe software characteristics – Is there an open source adoption policy? – Composition and complexity of the code portfolio, • Structure, Languages, archives, Size- Mbytes or Files Have an audit agreement (SOW) in place – Duration, cost, confidentiality
- 8. Protecode Inc. 2015 Auditable Code Organization Flat structure – AVOID Hierarchical – Software manifest Systematic top-down structure Breakdown portfolio into Products and product components (eg: modules per software architecture) Third party components and open source software Libraries Identify Portfolios shared between different products Divide and Conquer! – Audit one reasonable-sized block at a time 8
- 9. Protecode Inc. 2015 Desired Folder Structure for Audits 9 Applicable sequence of information 1. File-level licenses and notes 2. Folder-level licenses and notes 3. Project-level licenses and notes
- 10. Protecode Inc. 2015 File Level Information Source file headers – Invaluable source of information Do not remove existing headers If there is something to add, then add to existing header – Open Source Software Retain existing header – Proprietary software, Use a list of standard headers Include copyright, date, author name, abstract Set up machine-generated code headers Binary files – OSS: you are stuck with what you get Proprietary: include copyright in the binary 10
- 11. Protecode Inc. 2015 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% Percentage of Proprietary Code Missing Header Information Small Portfolio Medium Portfolio Large Portfolio Missing Headers
- 12. Protecode Inc. 2015 OSS Header 12 Information added Don’t remove this!
- 13. Protecode Inc. 2015 Proprietary Headers Copyright (agree on a single format within your organization) Include author, date, summary, project Machine-readable header info (eg: xml) is preferred 13
- 14. Protecode Inc. 2015 Folder Level Information Include text files containing – Folder description – License(s) – Copyrights – For open source software • url pointing to download site • date it was acquired Watch for open source licenses – License evolution – Dual licensed (commercial and GPL) options – Multi-license projects – Composite projects 14
- 15. Protecode Inc. 2015 Factors Impacting License Obligations Distributed versus hosted software Modified versus unmodified third party software – Must be declared – May impact obligations Embedded code versus bundled software Binary-linked software Dependencies 15
- 16. Protecode Inc. 2015 Dependencies Typically a product software depends on other code (eg: libraries) Dependencies are resolved at build time A complete software audit requires – Manual interpretation of dependencies (eg: make files) PAINFUL! – Or access to the complete code post build-time Package managers can simplify auditing dependencies 16
- 17. Protecode Inc. 2015 Package Managers Handle software libraries and dependencies. – NuGet (.NET) – Packagist / Composer (PHP), – NPM (Node.JS), – RubyGems / Bundler (Ruby) – Bower (JS, CSS, HTML) – Maven (Java) – And others … Store a list of all packages and dependencies within a file in the root folder. Create and label 3rd party folders for easy navigation and links to source url and license Simplify auditing process
- 18. Protecode Inc. 2015 Attribution Obligation Common obligation between OSS licenses Is there a per file reference? Where is the actual text of license? • Per file • Per package, or folder Is there one text file containing concatenated list of all licenses? Copyleft (eg: GPL V2) Where can the public find the source code of the whole project? 18
- 19. Protecode Inc. 2015 Background VS. Foreground IP Needed for collaborative development – Commercial <> commercial – Academic <> commercial Before start of collaboration – Audit best practices (documentation, code structure, headers, dates) are in place – Each organization has completed an audit of their code • Automated audits create accurate code inventories with traceable code signatures – Dated backups of complete portfolios are available • Resolving post-development issues During collaboration – Audit best practices are in place – Regular (automated) audits and inventory lists are maintained 19
- 20. Protecode Inc. 2015 How Often Should You Audit? 20 Don’t leave it to the last minute.
- 21. Protecode Inc. 2015 Software Audits and OSS Adoption Have a policy in place – What is acceptable? • 3rd party software, sources, licenses, copyright per project, per portfolio – What documents to maintain and where – What to do and who to go to? Communicate the policy Pre-approval process Use automated tools to build a software inventory and ensure compliance. 21
- 22. Protecode Inc. 2015 Summary Educate – Let the software team know what is auditable Structure the code – Software structure or code manifest File headers contain essential Information – Keep 3rd party (and OSS) headers, company headers on proprietary files – File info trumps folder Info trumps package info Document – Structures, licenses, contracts, OSS sources Audit early, Audit often Manual Audits are painful – Various automatic scanning and discovery applications in the market 22
- 23. Protecode Inc. 2015 Q&A Please type your questions into the chat box to the right 23
- 24. Protecode Inc. 2015 24 info@protecode.com www.protecode.com