Market trends
Why technical DD is needed
M&A Issues
How it works
– Code Scanning
– Analysis
[Diagram: code sources feeding Your Software Application: Internally Developed Code, Outsourced Code Development, Commercial 3rd-Party Code, Open Source Software (Individuals, Universities, Corporate Developers); locations shown: Cambridge, San Mateo, Bangalore, Russia; Obligations; YOUR COMPANY – TOOLS, PROCESSES]
Why Technical DD is Needed: Issues
Risks
– Lose deal
– Delay deal
– Reduced price/valuation
– Lost revenue
Why Technical DD is Needed: Issues
Product Risks
– Uncertain "pedigree"
– "AS IS“
– Copy left nature of GPL & other licenses
Risks of Unmanaged Code
– Loss of Intellectual Property Rights
– License Restrictions and Obligations
– Software Defects
– Export Regulations
– Injunctions
– Contractual Obligations
– Security Vulnerabilities
– Escalating Support Costs
Software Licensing Violations
– Software Freedom Law Center
– gpl-violations.org
– Best Buy
– Cisco
– Motorola
– Verizon
– Acer
– Monsoon Multimedia
– Jacobsen v Katzer
– Skype
– Xterasys
– ASUS eeePC laptop
– D-Link
– High-Gain Antennas
– Diebold
– BT
– Bell Microproducts
– Super Micro Computer
– Others
Valuation
– Infringement
– Remediation Costs
– New revenue
– Support costs
– Vulnerability
Technology Allows Easy Discovery of Unknown Open Source
[Diagram: Black Duck Analysis. Elements: Code Base; Validation Server; KnowledgeBase (Projects, Licenses); Open Source Report (Third Party Code, Internal Code, Bill of Materials, License Conflict)]
The Black Duck KnowledgeBase: Unmatched Depth & Breadth
Extensive metadata
– Name, description, versions, URL
– License, programming language, OS
– National Vulnerability Database
– Cryptography
– Code prints of source/binary
– Customer-specific/contributed
Code matching
– Compare Code Prints of your source code to
the Black Duck KnowledgeBase
– Detects matches of components, files and
code fragments
Finds reused code even when altered
Reports project / license for confirmation
– Language independent
Dependency analysis
– Import/include statements
Integrated string search
– Standard string search queries
– Custom strings
– Find licenses, copyrights, URLs, company names, user comments ("taken from"), …
Analysis results that are unachievable by a manual process
Binary Code Analysis
File matching
– Compares checksum value to the
KnowledgeBase
Libraries, class files, executables,
archives, images, and more.
Dependency analysis
– Detect dependencies embedded in JAR,
CLASS, DLL, SO, etc, …
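As an added example (not Black Duck's own code or KnowledgeBase), a minimal Python scanner that applies the three techniques listed above: checksum matching against a knowledge base of known files, marker-string search for license, copyright and "taken from" text, and import/include dependency extraction. The knowledge base entry, the marker list and the sample files are all constructed for illustration.

```python
"""Constructed example: file matching, string search and dependency
extraction over a small in-memory code base."""
import hashlib
import re

# Constructed knowledge base: SHA-256 "code print" -> (project, license).
KNOWN_FILES = {}


def register(project: str, license_name: str, content: bytes) -> None:
    """Record a known file's checksum in the constructed knowledge base."""
    KNOWN_FILES[hashlib.sha256(content).hexdigest()] = (project, license_name)


register("libfoo", "GPL-2.0", b"int foo(void) { return 42; }\n")

# Constructed marker patterns that hint at copied or licensed code.
MARKERS = [
    r"GNU General Public License",
    r"Copyright \(c\)",
    r"taken from",
    r"https?://\S+",
]
# Matches C '#include <x>' / '#include "x"' and Python-style 'import x'.
IMPORT_RE = re.compile(r"^\s*(?:#include\s*[<\"]([^>\"]+)|import\s+(\S+))", re.M)


def scan_file(name: str, content: bytes) -> dict:
    """Checksum match, marker hits and declared dependencies for one file."""
    digest = hashlib.sha256(content).hexdigest()
    text = content.decode("utf-8", errors="replace")
    hits = [m for m in MARKERS if re.search(m, text, re.IGNORECASE)]
    deps = [inc or imp for inc, imp in IMPORT_RE.findall(text)]
    return {
        "file": name,
        "match": KNOWN_FILES.get(digest),  # (project, license) or None
        "markers": hits,
        "dependencies": deps,
    }


def scan(files: dict) -> list:
    """Scan a {filename: bytes} code base and return one report per file."""
    return [scan_file(n, c) for n, c in files.items()]


# Constructed sample code base: one exact match, one with a "taken from"
# comment and URL, one with an import but no known match.
SAMPLE = {
    "foo.c": b"int foo(void) { return 42; }\n",
    "util.c": b"#include <stdio.h>\n/* taken from http://example.invalid/x */\n",
    "app.py": b"import requests\nprint('ok')\n",
}
```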
Change Usage
– Some obligations depend upon usage scenario
– Re-architect so usage of component is less integrated
– Comply with more desirable license terms
What are the Remedies? - Cont.
Replace Code
– Replace with other OSS
– Replace with Commercial Alternative
– Replace with In-house developed Code
Need Clean Room Environment?
– Can be difficult if OSS component is critical
– Can be lengthy and expensive
SAP Profile
Why is SAP performing OS diligence?
Open source due diligence is expected