The 4 Levels of Open Source Risk Management
1 like2,583 views
The document describes different levels of open source risk management from manual tracking using spreadsheets to fully automated identification and inventory of open source components. It notes that manual tracking impacts developer productivity and accuracy is difficult to maintain. The highest level of automated risk management allows open source to be automatically identified, inventoried, and mapped to vulnerabilities and licenses without disrupting the software development lifecycle. Black Duck Software offers products to help organizations automate open source security and license compliance management.
The 4 Levels of Open Source Risk Management
- 1. LEVEL 3 – TRACKING OPEN SOURCE BY SPREADSHEET Making Progress (Issues Remain). Developers complain that manual tracking is impacting their productivity. Accuracy is difficult to maintain. Provides limited insight into security vulnerabilities. DO YOU KNOW WHAT LICENSE OR SECURITY ISSUES MIGHT ARISE FROM YOUR USE OF OPEN SOURCE? BLACK DUCK CAN HELP YOU: Automatically identify and inventory open source software used to build applications and Docker containers Map open source components to known vulnerabilities and license requirements with Black Duck’s comprehensive KnowledgeBase™ of more than 1.5 million open source projects and 75,000 vulnerabilities Streamline and secure continuous integration/deployment activities with integration with the most popular DevOps and security tools, including IBM AppScan, HP Fortify, Docker, Red Hat Atomic, Jenkins, and Atlassian Help your teams set policies to govern open source security, license, and code quality risks, enforce policies through build-tool integrations, and manage remediation efforts through IT workflow support. Continuously monitor for and provide alerts for new open source vulnerabilities For more information, visit www.blackducksoftware.com LEVEL 1 – IGNORING RISK Code Red. You’re unaware of open source used in your code. No policies in place to manage open source security and licensing risks. LEVEL 2 – MANUAL DISCOVERY OF OPEN SOURCE Significant Trouble. Inaccurate open source invento- ries. Processes to manage open source are incon- sistent. No controls over open source use. Where does your organization stand with open source risk management? How are you identifying and securing open source used in your code? Measure your organization against these four levels to find out… LEVEL 4 –AUTOMATED OS RISK MANAGEMENT Way Cool. Open source is automatically identified, inventoried, and mapped to known vulnerabilities and license requirements without impacting your SDLC. Organizations worldwide use Black Duck Software’s industry-leading products to automate the processes of securing and managing open source software, eliminating the pain related to security vulnerabilities, open source license compliance and operational risk. Black Duck is headquartered in Burlington, MA, and has offices in San Jose, CA, London, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information, visit www.blackducksoftware.com