Open source and embedded software development

Post on 23-Jan-2018


Transcript

#ESCconf

Open source and embedded software development: Collision course or hands-free perfection


Presenter

Rod Cope

CTO

Rogue Wave Software

rod.cope@roguewave.com

Twitter: @rodcope


Agenda

1. Introduction

2. Using OSS

3. License risk

4. MISRA, OWASP

5. Safety & security

6. Q & A

© 2017 Rogue Wave Software, Inc. All Rights Reserved.

Open source is everywhere

• Over 5 million open source projects on GitHub

• 80+ licenses approved by OSI

• 98% of organizations have OSS in their code

https://guides.github.com/activities/contributing-to-open-source/

https://opensource.org/licenses/alphabetical

http://www.roguewave.com/programs/open-source-support-report


67% of developers are not sure if there’s a policy for source code, or don’t know what it is.

http://www.roguewave.com/resources/white-papers/software-security-begins-with-flaw-free,-standards


Support the implementation

• Self-support

• Committer support

• Community support

• Commercial support

Why use commercial support

Missing skillset

Time constraints

People change jobs


Commercial support example

“We’re experiencing heavy latency and heavy resource utilization with ActiveMQ. The person who built this left.”

“The original implementation was not built for scale. We’ll help you build a workaround.”

Support the selected software

80% of support issues are either a lack of product knowledge or something in the environment outside the package.

http://www.roguewave.com/programs/open-source-support-report


What can organizations do?

Detect critical areas

Investigate knowledge gaps

Implement a plan


Monitor and test implementation

• Avoid bottlenecks

Free comes with restrictions

Organizations may be at risk of violating legal obligations.

Litigation in federal court

• Versata v. Ameriprise

• XimpleWare v. Versata and Ameriprise

• Hellwig v. VMware

• Oracle v. Google

• Jacobsen v. Katzer


Audit code

Identify packages

Bill of materials (BOM)

Obligations


Maintain compliance


MISRA recommends SCA

“In order to ensure that the source code written does conform to the [MISRA] subset it is necessary to have measures in place which check that none of the rules have been broken. The most effective means of achieving this is to use one or more of the static checking tools that are available commercially.”

- Section 4.3.1

Analysis tools

Identify bugs and vulnerabilities

Compliance checkers
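The slides above say that MISRA conformance has to be checked mechanically and that analysis tools also find bugs and vulnerabilities. As an added illustration of what such a compliance checker does (this is example code written for this page, not a Rogue Wave product and not a real MISRA checker), the script below scans C source for a handful of MISRA C:2012 rules: 21.3 (no stdlib allocation), 21.6 (no stdio), 15.1 (no goto) and 17.7 (non-void return values must be used). The rule numbers are real; the regex matching, the list of value-returning functions and the sample C fragment are this example's own simplifications, and a production checker works on the parsed AST rather than on lines of text. The one part worth copying is the first step, blanking out comments and string literals before matching, because without it `malloc()` in a comment is reported as a call.

```python
# Added example (not a Rogue Wave tool or any real MISRA checker): a minimal
# static checker that scans C source for a few MISRA C:2012 rule violations.
# The rule numbers are real; the matching is a regex approximation.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


# Rule 21.3 / 21.6: library functions that shall not be called at all.
BANNED_CALLS = {
    "21.3": (("malloc", "calloc", "realloc", "free"),
             "memory allocation functions of <stdlib.h> shall not be used"),
    "21.6": (("printf", "fprintf", "sprintf", "scanf", "fopen", "gets", "puts"),
             "Standard Library input/output functions shall not be used"),
}
# Rule 17.7 approximation: functions whose non-void return value must be used
# or explicitly cast to void. This list is constructed for the example; a real
# checker derives it from the prototypes it has parsed.
VALUE_RETURNING = {"memcpy", "memset", "strncpy", "read", "write", "close"}


def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string/char literals, keeping every newline so
    line numbers are preserved. Without this, malloc() in a comment or in a
    string literal would be reported as a call."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src.startswith("//", i):                 # line comment
            while i < n and src[i] != "\n":
                i += 1
        elif src.startswith("/*", i):               # block comment
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        elif src[i] in "\"'":                       # string or char literal
            quote = src[i]
            i += 1
            while i < n and src[i] != quote:
                i += 2 if src[i] == "\\" else 1     # skip escaped characters
            i += 1                                  # closing quote
            out.append(quote + quote)               # leave an empty literal behind
        else:
            out.append(src[i])
            i += 1
    return "".join(out)


def check(src: str) -> list[Finding]:
    """Return the findings for one translation unit, in source order."""
    findings = []
    for lineno, line in enumerate(strip_comments_and_strings(src).splitlines(), 1):
        for rule, (names, msg) in BANNED_CALLS.items():
            for name in names:
                if re.search(rf"\b{name}\s*\(", line):
                    findings.append(Finding(lineno, rule, f"{msg}: {name}()"))
        if re.search(r"\bgoto\b", line):
            findings.append(Finding(lineno, "15.1", "the goto statement should not be used"))
        # A statement that is nothing but a call, `name(...);`, discards the result;
        # `(void)name(...);` does not match because the line starts with "(".
        m = re.fullmatch(r"\s*(\w+)\s*\(.*\)\s*;\s*", line)
        if m and m.group(1) in VALUE_RETURNING:
            findings.append(Finding(lineno, "17.7", f"return value of {m.group(1)}() discarded"))
    return findings


# Constructed sample: the kind of fragment the checker is run over.
SAMPLE_C = """#include <stdlib.h>
#include <string.h>
/* malloc() mentioned in a comment must not be reported */
int init(void)
{
    char buf[16];
    const char *s = "printf(\\"not a call\\")";
    unsigned char *p = malloc(32U);
    if (p == NULL) goto fail;
    memcpy(buf, s, 8U);
    (void)memcpy(buf, s, 8U);
    free(p);
    return 0;
fail:
    return -1;
}
"""

if __name__ == "__main__":
    for f in check(SAMPLE_C):
        print(f"line {f.line}: MISRA C:2012 Rule {f.rule}: {f.message}")
```

Run against the sample it reports lines 8, 9, 10 and 12 and stays silent on the comment on line 3, the string literal on line 7 and the `(void)` cast on line 11. The same stripping step is what keeps a vulnerability scanner from flagging a banned function name that only appears in documentation.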


Vulnerabilities


Remediation

Establish processes

Research issues

Scan all code


Community updates

Monitor and implement community updates.
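The three slides "Audit code" (identify packages, bill of materials, obligations), "Remediation" (scan all code) and "Community updates" describe one workflow: know what is in the image, know what each piece obliges you to do, and know which pieces have a fix available upstream. As an added example of that workflow, written for this page and not Rogue Wave code, the script below builds a CycloneDX-shaped BOM from a constructed manifest, attaches the licence obligations each component carries under the example's own simplified policy (which is not legal advice), and matches the inventory against a constructed advisory feed to produce the update list. Every component name, version, licence assignment and advisory identifier is made up; the SPDX licence identifiers and the `NOASSERTION` value are real, and the obligation of a copyleft component depends on how it is linked, which is why the manifest records linkage alongside the version.

```python
# Added example (not Rogue Wave code; every component, version and advisory
# below is constructed): BOM + licence obligations + advisory matching.
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str    # SPDX identifier, or NOASSERTION when nobody has checked
    linkage: str    # "static"/"dynamic" into our own code, "separate" = own program


# Constructed manifest of what a fictional firmware build links in.
MANIFEST = [
    Component("example-zip", "1.2.8", "Zlib", "static"),
    Component("example-tls", "2.16.0", "Apache-2.0", "static"),
    Component("example-shell", "1.29.3", "GPL-2.0-only", "separate"),
    Component("example-mathlib", "0.9.1", "LGPL-2.1-only", "static"),
    Component("example-logger", "3.0.0", "NOASSERTION", "dynamic"),
]

# Constructed advisory feed; the identifiers are placeholders, not CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-2017-001", "package": "example-zip", "affected": ">=1.2.0,<1.2.9", "fixed": "1.2.9"},
    {"id": "EXAMPLE-2017-002", "package": "example-tls", "affected": "<2.16.1", "fixed": "2.16.1"},
    {"id": "EXAMPLE-2016-009", "package": "example-tls", "affected": "<2.7.0", "fixed": "2.7.0"},
]

# This example's policy table; a real one is maintained with counsel.
LICENSE_CLASS = {"MIT": "permissive", "BSD-3-Clause": "permissive", "Apache-2.0": "permissive",
                 "Zlib": "permissive", "LGPL-2.1-only": "weak-copyleft", "GPL-2.0-only": "strong-copyleft"}


def obligations(c: Component) -> list[str]:
    """Obligations under the example policy, which depend on the licence class
    and on how the component is linked into the product."""
    cls = LICENSE_CLASS.get(c.license)
    if cls is None:
        return ["UNKNOWN licence: stop and review before shipping"]
    obl = ["keep the copyright notice and licence text in the product documentation"]
    if c.license == "Apache-2.0":
        obl.append("include the project's NOTICE file contents, if it has one")
    if cls == "weak-copyleft":
        obl.append("provide the library's source, including any local modifications")
        if c.linkage == "static":
            obl.append("static linking: users must still be able to relink a modified library; "
                       "plan to provide object files or switch to dynamic linking")
    if cls == "strong-copyleft":
        if c.linkage == "separate":
            obl.append("provide the complete corresponding source of this program")
        else:
            obl.append("linked into our code: the copyleft extends to the combined work; "
                       "provide its corresponding source or remove the component")
    return obl


def parse_version(v: str) -> tuple[int, ...]:
    parts = [int(x) for x in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))   # pad so that 1.2 == 1.2.0


OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def in_range(version: str, spec: str) -> bool:
    """spec is a conjunction of clauses such as '>=1.2.0,<1.2.9'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)\s*", clause)
        if m is None:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def build_bom(manifest: list[Component]) -> dict:
    """CycloneDX-shaped BOM: the keys follow that format, but the result is not
    validated against the CycloneDX schema here."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "library", "name": c.name, "version": c.version,
                            "licenses": [{"license": {"id": c.license}}],
                            "properties": [{"name": "linkage", "value": c.linkage}]}
                           for c in manifest]}


def find_vulnerable(manifest: list[Component], advisories: list[dict]) -> list[dict]:
    """Every (component, advisory) pair whose installed version is in the affected range."""
    by_name = {c.name: c for c in manifest}
    hits = []
    for adv in advisories:
        c = by_name.get(adv["package"])
        if c is not None and in_range(c.version, adv["affected"]):
            hits.append({"component": c.name, "installed": c.version,
                         "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return hits


if __name__ == "__main__":
    print(json.dumps(build_bom(MANIFEST), indent=2))
    for comp in MANIFEST:
        print(f"{comp.name} {comp.version} ({comp.license}, {comp.linkage}):")
        for o in obligations(comp):
            print("  -", o)
    for h in find_vulnerable(MANIFEST, ADVISORIES):
        print(f"UPDATE {h['component']} {h['installed']} -> {h['upgrade_to']} ({h['advisory']})")
```

On the constructed data this flags two updates (example-zip and example-tls; the third advisory is already fixed at the installed version), stops on the component with no asserted licence, and treats the GPL component differently depending on whether it runs as its own program or is linked into the firmware. The advisory matching is the same whether the feed comes from a commercial monitoring service such as the one advertised on the next slide or from upstream release notes; what makes it work is that the BOM carries exact versions for every component, which is why "identify packages" comes before "obligations" and "scan".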

Critical security announcements

OPENUPDATE SIGN UP: roguewave.com/openupdate
