Yesterday I attended the DoD Open Technologies conference sponsored by the Association For Enterprise Integration. The presentation slides have been posted. It was a well attended event at the Reagan building in Washington DC. The keynote address was provided by Sun Federal's president and COO Bill Vass. Bill pointed out how, during his time working at OSD (before he came to Sun), the intelligence agencies were beginning to adopt open source software for a number of reasons:
- More secure
- Higher quality
- Lower procurement barriers
- Faster deployment
- Lower cost to exit
- Allows government participation and customization
He also pointed out that software (whether open source or proprietary) is developed in Russia, India and China. He left no doubt that the government is using and should continue to use Open Source software throughout their IT programs. Feel free to review all of Bill's slides.
Mark Tolliver (formerly of Sun) for Alamida software discussed the importance of software component analysis (SCA). SCA is the process of auditing your software to determine:
- What OSS components you are using
- What licenses apply
- What vulnerabilities might exist
In one example, he used his company's tools to scan a piece of ISV software and found that 65% of it consisted of OSS software. His experience shows that the industry average is now up to 50%. This causes a number of issues because licensing issues and vulnerabilities in OSS software become YOUR issues when you deliver a product to your customer. If you are not fully aware of all of the components, you may be passing on vulnerabilities from older versions of software that have already been fixed in the community. SCA is important because you can't secure what you don't know that you have.
His recommendations to the government included:
- Require vendor to document OSS code contents
- Audit code acquired
- create a strategy for application security
- Enforce ongoing training for engineers on how to get the code, vet the code and integrate the OSS code
- Document the use of all code for future generations of maintainers
- Use automated scanning tools (his product, of course)
- Static Analysis
- Dynamic Analysis
- Compositional analysis
John Garing CIO of Defense Information Systems Agency (DISA) described how the Hitler had trouble invading Russion because of differences in the train guage standards between the two. He drew parallels between this and his current personal problem in the DoD where they have contracted with two different Collaboration solutions (to provide competition). A person chatting in one community can't "see" or interact with a person in the other community. To summarize, open standards and open interfaces are key to getting services faster to the warfighter.
A panel of government and industry discussed a variety of topics related to open source.
Dan Risacher of OSD/NII reported that a new OSD guidance memo was expected to be released soon. Dan is a big advocate of open source in the government.
Bdale Garbee of HP is an open source participant in the industry and suggested that government needs to go further to allow both government employees and system integrators to participate and contribute to OSS projects without running afoul of government property rights, employer policies or patent issues. They also discussed the issues surrounding license and ITAR export control.
The afternoon panel discussed how tactical approaches to open source are being carried out.
Stu Lewin of BAE systems described their detailed creation of a governance board, processes, documentation and training to ensure that the OSS brought into BAE projects is properly vetted, licensed, documented and maintained.
Allan Hardy of Lockheed Martin described how they audit OSS use and perform risk mitigation. He noted that OSS touches every stage of the software life cycle from proposal through design, test, documentation and support. He credited a strong process as well as ongoing training of engineers to a successful use of OSS.
Colin Roufer is a lawyer at Boeing and discussed the legal issues surrounding OSS. Important points include:
- There is no negotiation of a license such as the GPL. Get over it
- The GPL does NOT require that you give the source to everyone in the world, one those who receive the binary
- The recipients of GPL code are bound by the same requirement to pass source code and license down to second level recipients
Peter Vescuso of Black Duck software described a case study of a small company who provided OSS to Broadcom. The Broadcom chip was in turned built into a Linksys router. Linksys was in turn bought by Cisco. At this point, Cisco did not know that there was OSS content as was not properly conveying that information to its customers. OSS management requires a cross-function team including:
- export control
- Configuration management
Open source is good for the government. It can lower costs, improve quality and reduct time to mission accomplishment. Sun Microsystems is the largest contributor of open source software in the industry. You can take advantage of OpenSolaris, MySQL, Netbeans, OpenStorage and many other products today at low cost.
Please join our OpenStorage launch on November 10th to learn more.