Open source and embedded software development
#ESCconf#ESCconf
Open source and embedded software development: Collision course or hands-free perfection
Presenter
Rod Cope
CTO
Rogue Wave Software
Twitter: @rodcope
Agenda
1. Introduction
2. Using OSS
3. License risk
4. MISRA, OWASP
5. Safety & security
6. Q & A
© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Open source is everywhere
• Over 5 million open source projects on GitHub
• 80+ licenses approved by OSI
• 98% of organizations have OSS in their code
Sources:
https://guides.github.com/activities/contributing-to-open-source/
https://opensource.org/licenses/alphabetical
http://www.roguewave.com/programs/open-source-support-report
67% of developers are not sure if there's a policy for source code, or don't know what it is.
Source: http://www.roguewave.com/resources/white-papers/software-security-begins-with-flaw-free,-standards
Support the implementation
• Self-support
• Committer support
• Community support
• Commercial support
Why use commercial support
Missing skillset
Time constraints
People change jobs
Commercial support example
"The original implementation was not built for scale. We'll help you build a workaround."
"We're experiencing heavy latency and heavy resource utilization with ActiveMQ. The person who built this left."
Support the selected software
80% of support issues are either a lack of product knowledge, or something in the environment outside of the package.
Source: http://www.roguewave.com/programs/open-source-support-report
What can organizations do?
Detect critical areas
Investigate knowledge gaps
Implement a plan
Monitor and test implementation
• Avoid bottlenecks
Free comes with restrictions
Organizations may be at risk of violating legal obligations.
Open source license litigation
• Versata v. Ameriprise
• XimpleWare v. Versata and Ameriprise
• Hellwig v. VMware (filed in Germany, Landgericht Hamburg; the other cases listed here were litigated in US federal courts)
• Oracle v. Google
• Jacobsen v. Katzer
Audit code
Identify packages
Bill of materials (BOM)
Obligations
Maintain compliance
MISRA recommends SCA
"In order to ensure that the source code written does conform to the [MISRA] subset it is necessary to have measures in place which check that none of the rules have been broken. The most effective means of achieving this is to use one or more of the static checking tools that are available commercially."
- MISRA C, Section 4.3.1
Analysis tools
Identify bugs and vulnerabilities
Compliance checkers
Vulnerabilities
Remediation
Establish processes
Research issues
Scan all code
Community updates
Monitor and implement community updates.
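The "Audit code / Identify packages / Bill of materials / Obligations" slides and the "Community updates" slide describe one workflow: inventory what you ship, attach the license obligations, and keep matching that inventory against new advisories. The following is an added example of that workflow and is not code from this deck or from Rogue Wave. Every input in it is constructed for illustration: the manifest, the package-to-license table, the obligation summaries (deliberately simplified; the real obligations are in the license texts) and the advisories with their version ranges are all made up, and the package names and advisory IDs are hypothetical. In practice the license table would come from package metadata or a license scanner and the advisories from a vulnerability feed.

```python
"""Minimal bill of materials (BOM) builder with license obligations and
advisory matching. Added example; all data below is constructed and the
package names / advisory IDs are hypothetical."""
import re
from dataclasses import dataclass, field

# Constructed pinned manifest in requirements.txt style (name==version).
MANIFEST = """\
# constructed example manifest, not a real project
example-http==2.3.1
fastjson-lite==1.0.9
gpl-widget==0.8.2
tinylog==4.1.0
"""

# Constructed package -> SPDX license identifier table (assumption: normally
# populated from package metadata or a license scanner, not by hand).
LICENSES = {
    "example-http": "Apache-2.0",
    "fastjson-lite": "MIT",
    "gpl-widget": "GPL-3.0-only",
    "tinylog": "LGPL-2.1-only",
}

# Simplified obligation summaries per license (assumption: illustrative only;
# consult the license text and counsel for the real list).
OBLIGATIONS = {
    "MIT": ["keep copyright and permission notice"],
    "Apache-2.0": ["keep LICENSE and NOTICE", "mark modified files"],
    "GPL-3.0-only": ["provide complete corresponding source",
                     "license the combined work under GPL-3.0"],
    "LGPL-2.1-only": ["allow relinking with a modified library",
                      "provide the library's source"],
}
COPYLEFT = {"GPL-3.0-only", "LGPL-2.1-only"}

# Constructed advisories: (package, first affected, first fixed, advisory id).
# The fixed version is exclusive, so affected means lo <= version < hi.
ADVISORIES = [
    ("example-http", (2, 0, 0), (2, 3, 2), "EXAMPLE-2017-0001"),
    ("tinylog", (3, 0, 0), (4, 0, 0), "EXAMPLE-2017-0002"),
]


@dataclass
class Component:
    name: str
    version: tuple
    license: str
    obligations: list = field(default_factory=list)
    copyleft: bool = False
    advisories: list = field(default_factory=list)


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuples compare element-wise, which is what we need."""
    return tuple(int(p) for p in text.split("."))


def parse_manifest(text):
    """Return [(name, version_tuple)]. Unpinned lines are rejected because a
    BOM entry without an exact version cannot be matched against advisories."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        comps.append((m.group(1).lower(), parse_version(m.group(2))))
    return comps


def build_bom(manifest_text, licenses=LICENSES, advisories=ADVISORIES):
    """Identify packages, attach license obligations, match advisories."""
    bom = []
    for name, ver in parse_manifest(manifest_text):
        lic = licenses.get(name, "UNKNOWN")
        obligations = OBLIGATIONS.get(lic, ["license unknown: resolve before shipping"])
        comp = Component(name, ver, lic, list(obligations), lic in COPYLEFT)
        for pkg, lo, hi, adv_id in advisories:
            if pkg == name and lo <= ver < hi:
                comp.advisories.append(adv_id)
        bom.append(comp)
    return bom


def findings(bom):
    """Names of components that need action before release: unknown license,
    copyleft license (obligations review), or an open advisory."""
    return sorted(c.name for c in bom
                  if c.license == "UNKNOWN" or c.copyleft or c.advisories)


if __name__ == "__main__":
    for c in build_bom(MANIFEST):
        print(f"{c.name} {'.'.join(map(str, c.version))} [{c.license}] "
              f"copyleft={c.copyleft} advisories={c.advisories}")
    print("needs action:", findings(MANIFEST and build_bom(MANIFEST)))
```

Re-running `build_bom` whenever the advisory list changes is the "monitor and implement community updates" step: the BOM is fixed at release time, the advisories are not. The version matching uses an exclusive upper bound so that the first fixed release is not flagged, and unpinned requirements are rejected rather than guessed, since an inventory that does not know its exact versions cannot tell you whether an advisory applies.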
Critical security announcements
OpenUpdate sign up: roguewave.com/openupdate