Featured
By the Numbers: Software Supply Chain Security Risks
Larry Ponemon, Ponemon Institute and Shandra Gemmiti, Synopsys
In a survey of your peers, the Ponemon Institute uncovered a stark reality:
Teams are struggling to secure software supply chains as fast as advances in things like AI are increasing development's ability to produce software. For example, 52% of organizations use AI tools to generate code, yet only 32% say they have processes in place to evaluate that code. And fewer than half say they are effective at securing open source or at evaluating the security of the commercial software in their supply chain.
Where do you rank?
Join the webinar to understand the state of software supply chain security and how you can help your team keep pace with managing it. We’ll cover:
• How prepared organizations are for supply chain attacks
• How to secure and manage open source and commercial software in your applications
• How things like AI and SBOM mandates are impacting security readiness
All episodes
-
Open Source: A Key Link in the Software Supply Chain
Anthony Decicco, GTC Law Group
Open source makes the world go round. It's easy to use and simple to plug in. Used correctly, it gives you the competitive edge you need to focus more resources on innovation. But which projects do you depend on? What security and other threats do they bring? How are they licensed? If left unmanaged, open source can lead to costly risks for your organization. Join our webinar to learn:
• How open source contributes to the software supply chain
• The benefits and risks associated with open source usage
• What various governmental and industry bodies are mandating to manage open source risk
-
Take Action: Putting Open Source Risk Management Policies to Work
Aditi Sharma, Dell; Patricia Tarro, Dell; Mike Phillips, Dell & Anthony Decicco, GTC Law Group
Once you have a grasp on how open source can both benefit and introduce risk to your organization, your next consideration should be learning to manage it. How can you build open source risk management governance into your development pipelines, and prove to your customers that you’re doing your part in protecting your software supply chain?
Join our talk as open source experts from Dell and GTC Law Group discuss:
• Determining which open source is the best fit for your company’s software
• Managing risk without slowing development and delivery
• Digitizing and automating open source risk governance
• Generating and utilizing compliant software Bills of Materials (SBOMs)
-
Takeaways from Recent Software Supply Chain Developments
Anthony Decicco, GTC Law Group
Modern application development and deployment models make for a software supply chain that’s more complicated than ever before. While managing the open source dependencies brought in by developers and package managers is a crucial consideration, you must begin looking further.
- Which dependencies are being included in containers after you’ve scanned the base image?
- What business, security and compliance risks are introduced by the web services you leverage?
- What are the license obligations of the code snippets automatically added by intelligent IDEs?
Join us as we discuss how to stay on top of the newest application development technologies and the risks that come along with them.
-
Addressing software liability in the public sector
Taylor Armerding, Security Advocate | Tim Mackey, Principal Security Strategist
Pillar three of the National Cybersecurity Strategy, released in March 2023, includes a liability provision. This provision calls for vendors to be held liable for damages caused by their products if they weren’t built with reasonable security measures. It also establishes a baseline for cybersecurity measures for all companies doing business with the government, but implementation will require help from legislation.
-
Coffee with a Slice of SBOM
Mike McGuire, Senior Software Solutions Manager, Synopsys
For a variety of reasons, everyone is talking about software Bills of Materials (SBOMs). Some organizations are being required to generate and provide them, while others are asking for them from their vendors. One thing is for certain though - there is a lot of noise surrounding SBOMs, and it's not making it any easier to understand what must be done, what should be done, and what can be done.
Join Mike McGuire, security solutions manager with the Synopsys Software Integrity Group, as he cuts through the noise and simplifies the concept of the modern SBOM. Mike will address some of the market’s lingering questions, including:
- Why there is a heightened focus on SBOM
- What SBOM is and is not
- How to build and use an SBOM
- How they can help you secure your software supply chain
-
What Is Software Composition Analysis?
Mike McGuire, Senior Software Solutions Manager, Synopsys
Modern applications are no longer created from scratch; instead, they are assembled from various components, including open source code that is often developed by individuals outside the organization. Our research reveals that open source code makes up 76% of the average application.
Although leveraging open source software provides access to external expertise, it also entails responsibilities for organizations. Ensuring the security, compliance, and quality of the code is crucial. This is where software composition analysis (SCA) plays a significant role.
Join this discussion that explores the following topics:
- What SCA is and how it functions
- Addressing risks through SCA
- Key elements of an effective SCA solution
- Building a comprehensive open source risk management program with SCA
-
SBOMS and the Modern Enterprise Software Supply Chain
Jason Clark, Independent Security Researcher & Mike McGuire, Senior Software Solutions Manager, Synopsys
The Log4j debacle highlighted just how difficult it is for security teams to find vulnerable software, and the recent executive order around a software bill of materials is highlighting the importance of knowing what software the organization is using. How can a software bill of materials help security teams with detection and response? In this webinar, experts discuss how organizations can use the software bill of materials as part of their enterprise security strategy. Learn how to implement a software bill of materials, identify controls and processes that need to be implemented alongside it, and understand potential challenges to be aware of. Organizations rarely have a clear picture of what software is running in their organization, but it doesn't have to be that way.
During this webinar you will:
- Unpack the potential, as well as the limitations, of an SBOM.
- Find out what you should look for in an SBOM, and how to ask for one.
- Get the facts about how security teams have successfully integrated SBOMs into their overall security strategy.
-
What the EU Cyber Resilience Act Means for AppSec
Michael White, Technical Director and Principal Architect & Per-Olof Persson, Principal Solution Advisor Europe, Synopsys
With the cost of cyberattacks predicted to reach $10.5 trillion by 2025, the European Commission is looking to transform the cybersecurity landscape through the Cyber Resilience Act. The goal of the CRA is to "bolster cybersecurity rules to ensure more secure hardware and software products." But what does that mean for those of us already involved in AppSec?
Join our experts as they discuss how AppSec professionals may be impacted by CRA as it exists today. Specifically, we’ll explore:
- Which products may be subject to the CRA based on the definition of “digital elements”
- What impacts this could have on software supply chain moving forward
- How you can assess your AppSec programs to see where you stand with the CRA as defined today
The CRA is currently a draft; as such, opinions and insights from the presenters are subject to change.
-
SBOMs and SPDX: Now and in the Future
Gary O'Neall, Source Auditor and Phil Odence, Synopsys
If software is an important part of your business and you need to comply with license terms and protect against security vulnerabilities, you need to know and track what is inside your software. Lists of software components and dependencies are typically referred to as Software Bills of Materials (SBOMs).
Standardizing the format for SBOMs can improve the accuracy and efficiency for managing software license compliance and security vulnerabilities – especially if your software is the result of a long list of suppliers (e.g., a commercial product which depends on a commercial library which uses an open-source library which includes source from a different open-source project).
With the May 12, 2021 U.S. Presidential Executive Order on Improving the Nation's Cybersecurity, several software suppliers are being required to produce their SBOMs in a standard format.
SPDX is a standard format for SBOMs. Although it has been around for more than 10 years, it has gone through significant evolution, such as representing data on security vulnerabilities. A forthcoming major release supports several new use cases, such as tracking the build process and tracking data about artificial intelligence models.
In this talk, we will start with how you can use the widely adopted SPDX 2.3 spec to represent security vulnerability and license compliance data, and then go into some of the new features of the SPDX 3.0 specification. We will also touch on what goes into making a quality SBOM.
At the conclusion of the talk, you will have a better understanding of how you can make use of SPDX, whether you are producing software or evaluating software you use (or plan to use).
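As an added example (not code from the webinar, from Synopsys, or from the SPDX project), the following Python reads a constructed SPDX 2.3 JSON document and does what the SPDX session and the earlier "SBOMs and the Modern Enterprise Software Supply Chain" session describe: it pulls out the SECURITY-category external references and concluded licenses, and then answers the Log4j-style incident question of whether a log4j-core build older than a fixed version is present and which package depends on it. The package set, SPDXIDs, document namespace, creator string, license denylist, and the 2.17.1 cutoff are assumptions for illustration; the reference categories and types (SECURITY with cpe23Type and advisory, PACKAGE-MANAGER with purl) and CVE-2021-44228 are real.

```python
"""Read a minimal SPDX 2.3 JSON SBOM: list SECURITY external references, flag license
policy gaps, and find a known-vulnerable package version and who depends on it."""
import json
import re

# Constructed sample document for this example (not from the page). Package names,
# SPDXIDs, namespace and creator are illustrative; CVE-2021-44228 is the real Log4Shell
# identifier and the externalRefs use real SPDX 2.3 reference categories and types.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.0",
    "documentNamespace": "https://example.com/spdx/example-app-1.0",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-sbom-tool-0.1"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0",
         "downloadLocation": "NOASSERTION",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"name": "log4j-core", "SPDXID": "SPDXRef-log4j", "versionInfo": "2.14.1",
         "downloadLocation": "NOASSERTION",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0",
         "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
              "referenceLocator": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
             {"referenceCategory": "SECURITY", "referenceType": "advisory",
              "referenceLocator": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"}]},
        {"name": "gpl-helper", "SPDXID": "SPDXRef-gpl-helper", "versionInfo": "0.3.0",
         "downloadLocation": "NOASSERTION",
         "licenseConcluded": "GPL-3.0-only", "licenseDeclared": "NOASSERTION"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-gpl-helper"}]})

# Top-level fields every SPDX 2.3 document must carry.
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")

def load_spdx23(text):
    """Parse the JSON; reject documents missing mandatory fields or not versioned SPDX-2.3."""
    doc = json.loads(text)
    missing = [k for k in REQUIRED_DOC_FIELDS if k not in doc]
    if missing or doc["spdxVersion"] != "SPDX-2.3":
        raise ValueError(f"not a usable SPDX 2.3 document (missing {missing})")
    return doc

def security_refs(doc):
    """Package name -> [(referenceType, referenceLocator)] for SECURITY-category refs."""
    found = {}
    for pkg in doc["packages"]:
        refs = [(r["referenceType"], r["referenceLocator"])
                for r in pkg.get("externalRefs", []) if r.get("referenceCategory") == "SECURITY"]
        if refs:
            found[pkg["name"]] = refs
    return found

def license_gaps(doc, denied=frozenset({"GPL-3.0-only"})):
    """(name, version, licenseConcluded) where the license is denied by policy or unasserted.
    The denylist is an illustrative local policy, not something the SPDX spec defines."""
    return [(p["name"], p.get("versionInfo", ""), p.get("licenseConcluded", "NOASSERTION"))
            for p in doc["packages"]
            if p.get("licenseConcluded", "NOASSERTION") in denied | {"NOASSERTION"}]

def version_key(version):
    """Dotted version -> comparable int tuple, using the leading digits of each piece."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", piece)) else 0
                 for piece in version.split("."))

def affected_packages(doc, name, fixed_version):
    """(name, version, [dependent names]) for each package `name` older than `fixed_version`.
    Dependents are read from DEPENDS_ON relationships that point at the package's SPDXID."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    hits = []
    for pkg in doc["packages"]:
        if pkg["name"] != name or version_key(pkg.get("versionInfo", "0")) >= version_key(fixed_version):
            continue
        dependents = [by_id[r["spdxElementId"]]["name"] for r in doc.get("relationships", [])
                      if r["relationshipType"] == "DEPENDS_ON"
                      and r["relatedSpdxElement"] == pkg["SPDXID"] and r["spdxElementId"] in by_id]
        hits.append((pkg["name"], pkg["versionInfo"], dependents))
    return hits

if __name__ == "__main__":
    sbom = load_spdx23(SAMPLE_SBOM)
    print("security refs:", security_refs(sbom))
    print("license gaps:", license_gaps(sbom))
    # 2.17.1 is assumed here as the cutoff for the December 2021 log4j-core fixes.
    print("affected:", affected_packages(sbom, "log4j-core", "2.17.1"))
```

Two design points worth noting: the SECURITY references are only pointers (a CPE and an advisory URL), so the document records what a producer knew at generation time, and a consumer still has to match those locators against a current vulnerability feed; and the dependency answer depends entirely on the producer having emitted DEPENDS_ON relationships, which many generators omit, so an SBOM with packages but no relationships tells you a vulnerable component is present but not where.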
-
Black Duck Snippet Matching and Generative AI Models
Frank Tomasello, Senior Sales Engineer
Join this webinar to learn how Black Duck® snippet matching can help identify open source software, and the potential license risk, that tools like GitHub Copilot and OpenAI's ChatGPT can introduce into your codebase. With Black Duck you can:
- Identify components and their licenses against the more than 2,700 licenses tracked in our KnowledgeBase
- Understand license requirements in simple terms so development can quickly assess the impact of including a component in their code
- Flag potential license conflicts so teams stay in compliance with policy
-
By the Numbers: 2024 Open Source Risk in M&A
Phil Odence, Synopsys
Open source is widely used in software development because it allows you to create high-quality software quickly - especially with the use of AI-assisted coding tools. But if left unmanaged, open source can lead to license compliance issues as well as security and code quality risks. Whether you’re on the buy side or sell side, these risks could negatively affect valuation in an M&A transaction.
Join this live Synopsys webinar for an inside look at the data Black Duck Audits compiled in 2023 from the hundreds of tech transactions and thousands of codebases we audited. We'll cover:
• Open source license and security risks by the numbers
• Why audits have become the norm in M&A tech due diligence
• How you can get a complete picture of open source risks
-
Your Software Supply Chain is Only as Secure as its Weakest Link
Boris Cipot, Senior Security Engineer, Synopsys
Companies and individuals alike are concerned about their software supply chain security. To be honest, who isn't?
Threat actors are looking for new ways to exploit software weaknesses beyond the application layer. They are taking advantage of the inherent trust associated with open source software, and we all know open source software is only as secure as its weakest link.
In this session, security expert Boris Cipot will discuss:
- How to use AI generated code without opening yourself up to IP violations
- The increase in malicious software and how to avoid being another statistic
- How to satisfy all supply chain motivations, whether they're customer requirements or industry regulations
Join Boris to learn about software supply chain risks, and what you can do to prevent them.
-
How Many Types of SBOM Are There?
Mike McGuire, Senior Software Solution Manager, Synopsys
As far as the Cybersecurity and Infrastructure Security Agency (CISA) is concerned, there are six types of SBOM that can be created for a single application or piece of software, and no two of them will be identical. While CISA doesn't favor one type over the others, you may find that your organization, vendors, or customers prefer some over others. As such, it's important to understand what to expect from each type, how to generate it, and how to reconcile the differences across them.
Learning objectives:
• Become familiar with the six types of SBOM
• Understand the benefits and limitations of each type
• Know the methods and tools required to generate each type
-
Deep Dive: Software Supply Chain Threats
Danil Panache, ReversingLabs and Mike McGuire, Synopsys
Open source software has emerged as a primary target for cyberattacks. In fact, 9 out of 10 companies have detected software supply chain threats, with 70% admitting that their current solutions are inadequate. While open source attacks are the “path of least resistance” for many threat actors, attacks on commercial and proprietary software are on the rise.
Join this live webinar with Synopsys and ReversingLabs to explore a forward-looking security strategy for areas of concern for development teams – the software both within and lying beyond their control. We’ll cover:
• Critical considerations for managing and securing open source usage
• How to distinguish between opportunistic and malicious software supply chain risks
• The correlation between inadequate application security management and security risks
• How attackers inject malicious packages into the software ecosystem
• Actionable steps to reduce software supply chain risks
-
Managing Software Risks in the Age of AI-Generated Code
John Lynn & Laila Paszti, Kirkland & Ellis LLP / Chris Murphy, Vista Equity Partners / Phil Odence, Synopsys
In the complex world of software development, generative artificial intelligence (GAI) coding tools appear as a beacon of productivity and effectiveness. When handled with precision, they brighten the path to innovation, cutting through the intricacies of coding. However, as with any unchecked flame, such tools must be carefully managed to avoid endangering an organization's valued IP, impacting its bottom line or introducing risk into an M&A transaction.
Join this webinar to get an introduction to GAI coding tools and how you can minimize risk when using these in your organization. We’ll cover:
- Introduction to GAI coding tools (from code completion to code generation)
- Legal, operational, and M&A risks arising from GAI coding tools (e.g., IP ownership, IP infringement, cybersecurity)
- Establishing a general AI policy with provisions specifically tailored to issues arising in using AI for coding
- Managing risk arising from GAI coding tools, including a mix of technical, operational and administrative safeguards (e.g., usage policies, auditing tools, optimal selection and implementation of tools)
This presentation is intended for legal and technical teams involved in software development and M&A software due diligence.
-
The 2023 Open Source Year in Review
Tony Decicco, GTC Law Group / Chris Stevenson, DLA Piper / Phil Odence, Synopsys
Gain insights into important legal developments from two of the leading open source legal experts, Tony Decicco, Principal at GTC Law Group & Affiliates and Chris Stevenson, Of Counsel at DLA Piper.
This annual review will highlight the most significant legal developments related to open source software in 2023, focusing on topics that were resolved, those that got started and what we can expect to see in coming years.
We’ll cover:
• Updates on key open source-related litigation and disputes
• The Cyber Resilience Act and the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
• Potential liability for developers releasing and contributing to open source software
• The impacts of GAI coding tools, such as GitHub Copilot and Amazon CodeWhisperer
• Open source software controversies, deals, and hacks
• And much, much more
Register today!
CLE:
DLA Piper LLP (US) has been certified by the State Bar of California, Illinois MCLE Board, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought:
• California: 1.5 Credit (1.5 General, 0.0 Ethics)
• Illinois: 1.5 Credit (1.5 General, 0.0 Professional Responsibility)
• New Jersey: 1.8 Credits (1.8 General, 0.0 Ethics)
• New York: 1.5 Transitional & Non-Transitional Credit (1.5 Professional Practice, 0.0 Ethics)
CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, and Puerto Rico.
-
Fundamentals of Open Source Risk Management
Tony Decicco, GTC Law Group / Chris Stevenson, DLA Piper / Phil Odence, Synopsys
Open source and third-party software make up the bulk of code in today’s applications. Open source has become so integral to modern development that security and development teams struggle to identify all the components in their software. AI code generation only adds to the difficulty.
From license compliance issues to security vulnerabilities to reliance on stagnant projects, it’s never been more critical to know what’s in your code. It’s table stakes for addressing these risks.
Join this live webinar to hear top open source legal experts discuss how to minimize risks while leveraging open source in software development and M&A. We’ll cover:
- Roots of open source
- Examination of the risks
- Overview of the most popular open source licenses
- Guidelines for managing
CLE:
DLA Piper LLP (US) has been certified by the State Bar of California, Illinois MCLE Board, the Board on Continuing Legal Education of the Supreme Court of New Jersey, and the New York State Continuing Legal Education Board as an Accredited Provider. The following CLE credit is being sought:
• California: 1.25 Credit (1.25 General, 0.0 Ethics)
• Illinois: 1.25 Credit (1.25 General, 0.0 Professional Responsibility)
• New Jersey: 1.5 Credits (1.5 General, 0.0 Ethics)
• New York: 1.5 Transitional & Non-Transitional Credit (1.5 Professional Practice, 0.0 Ethics)
CLE credit will be applied for in other states where DLA Piper has an office with the exception of Minnesota, North Carolina, Pennsylvania, and Puerto Rico.
-