Confidence in IT

Software Census official blog



How we help organizations manage third party software components in continuous delivery

posted Apr 21, 2017, 4:48 AM by Björn Spåra   [ updated Apr 21, 2017, 3:38 PM by Software Census AB ]



Continuous Software Composition Analysis
Modern applications are not developed so much as assembled out of components, tightly glued together and enclosed in custom application code. It is estimated that of all the code making up a typical modern application, roughly 90% is third party code such as frameworks and libraries. Each of those components is subject to the terms of its individual license agreement and is potentially exposed to security threats. According to Gartner, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages by 2019, up from less than 10% in 2016.

How are you addressing these challenges?
 
Assessment
The Software Composition Assessment Service is typically an 8-10 week consulting engagement designed to help you identify how and where open source software is used across your enterprise and to establish a foundation for defining continuous software composition analysis requirements. The assessment provides a gap analysis in which your organisation's current practices are compared against industry best practices, and we offer a set of recommendations to address the identified gaps.

The following format is used to deliver this service:
  • Planning - Scoping of the engagement, establishing a project team, and formalizing a project plan that includes critical success factors and metrics.
  • Data collection - Gathering documentation, policies and key information about your apps, their third party software components and your organisation's software development practices. How is your app developed? By whom? How is your app delivered? Who is using it? For what purpose? Which OSS and third party components are used?
  • Risk analysis - Data is consolidated and analysed from a risk perspective in three domains
    • Security - Known vulnerabilities currently present in your code base
    • Legal - Rights transferred or granted under each software component's license agreement, and the impact of the application delivery model
    • Operational - Component criticality and continued development through community involvement
  • Gap analysis - Requirements baseline for continuous software composition analysis, financial impact assessment and current maturity level.
  • Recommendations and roadmap - Report and recommend key initiatives for improvement, including a high-level plan and roadmap for governance, control and operation of continuous software composition analysis.

Training/Workshop
Understanding the risks and challenges surrounding open source and third party software components within your enterprise is key to developing a plan for implementing a governance framework and an operating model tailored to your specific risks and objectives. The Continuous Software Composition Analysis Workshop is a customized interactive training session designed to guide your team (five to ten attendees) through the issues of managing open source software components in enterprise application continuous delivery. The workshop is targeted at a cross-organisational audience including legal, license management, security, enterprise architecture, developer, test and operations personnel. The training materials are based on the Software Census framework for Continuous Software Composition Analysis and tailored to your application delivery process.

Implementation
There are plenty of tools available to automate and integrate software composition analysis in an application development and delivery process. A project to evaluate the available options, select the tools best fitted for the job and implement them to support the process is typically delivered in 12-16 weeks.

Support
Ongoing support ensures that the software composition analysis solution and processes operate according to specification and agreed service levels. We also keep you on track, jointly roll out new capabilities according to the roadmap and follow up on progress.

To find out more about Software Census and our Continuous Software Composition Analysis offerings please feel free to contact rosendo.zabala@softwarecensus.se.

Software Census Open Source Assessment Services

posted Mar 20, 2017, 6:16 AM by Rosendo Zabala



Addressing the risks and challenges surrounding open source software with an effective governance strategy is the key to success. Does your organization have a plan for addressing these risks and challenges?

Most organizations do not have a comprehensive enterprise-wide plan in place to deal with OSS risks and challenges. Between 80-90% of a modern application code base consists of open source software components, and managing them is an important element of the overall management of software development. Enterprises need to implement a well-defined plan to address the risks connected with the use of OSS, such as legal (licensing), security (vulnerabilities) and operational (communities, proliferation, versions) risks.

Software Census AB helps enterprises define and implement such a plan to mitigate these risks and challenges through a set of assessment services to discover, analyze and monitor the use of Open Source in your organization on an ongoing basis.

E-mail us at info@softwarecensus.se for more information.

Oracle - A project guide according to Software Census

posted Feb 10, 2017, 9:25 AM by Kristoffer Rangmar   [ updated Feb 10, 2017, 3:19 PM by Björn Spåra ]



How are we doing with Oracle licenses? What does the agreement look like? What do you mean we can't terminate? Is the server in the virtual data centre? Why are all the Oracle options switched on? Curtain…

Oracle as a manufacturer/vendor brings many challenges, and Software Census is happy to help make life simpler. It requires thorough work that includes reviewing current agreements, purchase orders and installations throughout the whole stack (databases, middleware and applications). If you then want to go deeper, it is also useful to review processes and ways of working in order to avoid an unfavourable position in the future.

Oracle is a vendor known for optimizing its revenue through a complex licensing model that is hard to manage. Diligence, a good set of internal rules and a platform strategy that acknowledges these challenges make it easier for the organisation to avoid unpleasant and costly surprises. These are also the foundation for successful negotiations, since good supporting data gives a better negotiating position and thus the agreement you want to achieve rather than the one Oracle thinks you should have.


Goals

Where do we start and what will the result be? Below we have listed the activities and the underlying questions we will handle and answer.

  • What do we have and where is it? - How many licenses have we bought and where are they installed? How should we count processor licenses in our environment (VMware, KVM, Solaris zones and resource containers)?
  • Increased insight into actual usage - Are application x and database y used, and if so by how many and by whom?
  • Which "features" are actually used and which "options" do they require a license for?
  • Better understanding of how to manage the licenses - Can we terminate application x without affecting database y? Do SQL Profiles really require the Diagnostics Pack?
  • Better understanding of how the agreements work together with the licenses - Which rules apply: Oracle Master Agreement, Purchase Orders?
  • Reaching a so-called "baseline" and maintaining it - Knowing exactly what exists and where it is installed, and assigning the right licenses in the right place, is best achieved through solid lifecycle management where the necessary activities are defined and responsibility for carrying them out is clearly assigned to someone who can actually perform the activity.
  • What do we want from Oracle in the future? - What do the short- and long-term goals look like? There are good opportunities to influence both with the right supporting data.
  • What does Oracle's future look like in the organisation? - Which advantages and disadvantages do we see, and what opportunities do we have to influence our future?

Milestones

I.    License summary:
A summary of the license holdings so that it is clear what you are entitled to use. We also collect the commercial factors so that we have the best possible basis for future negotiations.

II.    Possible automation:
In some situations it may be wise to automate inventories as far as possible using tools. In other cases a one-off effort may be enough, e.g. before a renewal or a major change to the IT environment.

III.    Inventory of installed products:
Finding out what is installed can be done in different ways; the simplest but also the most time-consuming is to use scripts that run on every machine where Oracle is installed. Alternatively there are several tools available; these often require a larger initial effort, but if the inventory is to be repeated regularly it is worth automating as far as possible.

IV.    "Baseline":
Once steps 1 to 3 are complete you have enough information to match the purchased licenses against what is installed. This gives a net license position that is either too low or too high. In the best case the net is zero.

V.    Strategy: ("By failing to prepare, you are preparing to fail" - Benjamin Franklin.)
Risk analysis and monitoring of the surrounding market, together with the current-state analysis, form the basis for a strategy that is both commercial and technology-guiding. The outcome is a clear picture of what you want from Oracle and which paths are available to get there. There are plenty of options and combinations of both products and vendors to help you reach your goals.

VI.    Contract tactics:
Based on the strategic goals and the prevailing conditions we then build the optimal negotiating position. There are many ways to achieve the best possible agreement; knowing what drives and motivates Oracle is of course an advantage, and that is where we can contribute our knowledge to help you reach your goals.


Things to consider
The choices are many in the world we live in, and the truth is always more complex than it appears at first glance. It is therefore necessary to agree on the major goals.
  • Does the organisation want to move towards a more cloud-based infrastructure and application portfolio?
  • If so, has it decided on one or several vendors, and how does that affect the Oracle position?
  • What do the agreements with any outsourcing partners look like?
  • Do we dare to develop in Java?
  • What requirements can we set for compliance and management of our licenses?
  • Can we bring in new partners to possibly replace Oracle, e.g. with third-party support?

The commercial side of the discussion is of course of the highest importance, and even if a vendor has put up every obstacle available to protect its revenue, there are always alternative paths: switching products, buying individually or in bundles, changing vendor or changing platform (cloud), and so on. However hopeless a situation may seem, there are always options.

Software Census works from a holistic perspective to get at the problems that led to where you are. Had the processes been clear, database x would not have been installed without anyone recording it in the CMDB; had tool z reported as it should, the DMZ would also have shown up in the reports; had we had a well-structured purchasing process, the consolidation of purchase order yy would not have been unknown, and so on. These are symptoms we all recognise, and it is of the utmost importance to address them. If you recognise any of what we describe, please get in touch and we can find a way forward.

"The most important thing to do when you find yourself in a hole without a ladder is to stop digging" - Old Gotland jungle proverb

Webinar: Microsoft Enterprise Agreement - What you should know before negotiating

posted Jan 12, 2017, 4:42 AM by Björn Spåra   [ updated Jan 12, 2017, 8:16 AM ]


What you should know before you negotiate an Enterprise Agreement with Microsoft

Do you have an Enterprise Agreement with Microsoft that is up for renegotiation in the coming year? Will you be part of the negotiating team? Then this webinar is for you!

Listen to Europe's foremost expert on Microsoft agreements share his knowledge in this free webinar.

Time & place: Tuesday 2017-01-31 at 14:00 in a browser near you!

Registration
If you cannot attend or prefer to receive the information another way, send an e-mail to: info@softwarecensus.se

Microsoft's licensing machine is large and complex. When Microsoft's account team gets ready to sit down at the negotiating table, they generally know considerably more about you than you know about them.

During this webinar of about 30 minutes we go through Microsoft from the inside and how measurement models, decision processes and authorisation structures affect Microsoft's behaviour and priorities in the upcoming negotiation.


Gunnar Werner
..is VP Contract Assurance Services at Software Census AB and helps the company's clients optimise license agreements through training, contract review and negotiation advice.

Gunnar previously worked 22 years at Microsoft, 14 of them as Licensing Executive (Business Desk) with responsibility and final decision-making authority for deals in Scandinavia.

About Software Census
Software Census is trusted by some of the largest and most innovative enterprises in the Nordics. At Software Census we work hard to help our clients manage risks associated with the application of software in business operations. Our work results in improved control, reduced cost and increased visibility of security and compliance risks, in source code repos, data centers and in the cloud.

Software is our passion.

Promoting safe use of software in the enterprise is our mission.





First (tiny) experience of the Microsoft LinkedIn acquisition

posted Jan 11, 2017, 2:48 AM by Gunnar Werner   [ updated Jan 23, 2017, 1:11 PM by Björn Spåra ]


I Love my Windows phone!

When I finally took the time to update my LinkedIn account recently I received this message from LinkedIn:

"It looks like you have used the older version of our app in the last few months and we wanted to let you know that we will no longer be supporting this older version after January 15, 2017".

LinkedIn further pointed me to the alternatives iOS 8 or higher OR Android Ice Cream Sandwich. Very politely they also indicated that next time I load the LinkedIn app (they know I hold a Windows phone!) I would be prompted to upgrade with links to the Apple Store or Google Play. Even if I could make a device upgrade through these vendors' stores I still want to use my Windows phone that I just love. It is to me like an exo-organ. Simply can't give it up. I spent the rest of the day in agony...

There are angels. Yes they exist!

This morning LinkedIn sent out a correction mail stating that:

"you received an email to let you know that older versions of the LinkedIn app are being retired. The good news is that users of a Windows phone will not be affected and since our records show that you are accessing LinkedIn through the Windows version of the app.......".

They even say they will support older versions! Fantastic! Thank you Microsoft! The fact that my Bank app is no longer supported on Windows Phone 8.1 does not bother me.

I wonder what will come from the Microsoft acquisition of LinkedIn?

Here is my list to Santa:
  1. Keep the LinkedIn biz within the sales org at MS (preferably EPG) 
  2. Make good deals with the CRM and the Skype factories 
  3. Make it as an O365 service 

Sell it as:

4 SKUs
  1. MS LinkedIn std (like it is today and for free) 
  2. MS LinkedIn premium (sort of Yammer integrated..not sure how) 
  3. MS LinkedIn Ultimate (b+including SFB with extl conferencing) 
  4. MS LinkedIn Enterprise plus (all of above plus PBX) 

Will we see something like; "Office 365SPE w/LInEntplusadtnusr ShrdSvr ALNG SubsVL MVL PerUsr" in the Enterprise Agreement CPSs before Christmas 2017? Stay tuned...

Hacking Social Protocols

posted Dec 1, 2016, 4:43 AM by Björn Spåra   [ updated Dec 1, 2016, 1:26 PM ]


My first real job (before I got into IT-Security) was in sales. With "sales" I mean the kind of sales where you walk up to random strangers on the street and pitch them various novel items carried with you in a duffel bag. With "real" I mean 100% commission based, which meant that unless I actually sold something, I did not get paid. The random people I mentioned often took it upon themselves to advise me to get a "real job", as if that idea had somehow escaped me. There is a lot to be said about this time in my life and the lessons I learned, dealing with people, sales psychology and entrepreneurship. However, this post is not about that. This post is about hacking the mind and directing the thoughts and actions of others towards your own objectives.

It was a beautiful spring day in Stockholm, Sweden - and I was working my way through a part of town where tourists like to stroll and take in the sights, when suddenly I came across a funny looking building I had not noticed before. It was a small yellow concrete structure with no windows and a solid iron gate. Intrigued, I walked up to the gate and noticed an intercom terminal and a small sign, identifying the occupants of this odd structure as the Customs Authority.

I pictured the inside of this structure as virgin territory, previously isolated, with inhabitants totally unprepared for my brand of selling. I knew I had very little chance of gaining entry and that the people inside would most likely not react kindly to my presence, should I through some miracle succeed. Undeterred, I decided to boldly go where no soliciting was allowed. I pressed the button on the intercom...

"Customs" - said a female voice coming through from the other side of the massive gate designed to keep me out - obviously a security guard.

"Hello, is this the Customs Authority?" - said the younger me.

"Yes" - said the female voice.

"Oh good, thank you very much!" - said the would-be-antagonist (me). And the gate opened.

Partly due to my own surprise in my success, and the fact that the security guard quickly realized her mistake and rushed to physically block entrance - I did not actually go inside, which in hindsight is probably a good thing because I am pretty sure I would have gotten into trouble. But this little anecdote illustrates the power of the protocol and the vulnerabilities that may come as a result. By simply not conforming to protocol and advancing the conversation to a point where I was thanking the security guard for obliging, the security guard automatically opened the gate without thinking.

Humans can recover from this type of mistake, as the security guard at the Swedish Customs Authority promptly did, and react accordingly. Computers, however, typically cannot. Any system (human or machine) that relies on protocol and expects a certain type of behaviour at a certain point in the process is potentially vulnerable.

Knowing how to shortcut thought processes and manufacture decisions based on injected ideas can be quite useful.
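The gate anecdote above maps directly onto a classic defensive-design rule for protocol handlers: key each decision on the current state and the message together, not on the message alone. The Go program below is an added example written for this page (not code from the original post or from Software Census). It models the intercom as a tiny state machine with two controllers: a naive one that opens the gate on "THANK YOU" because that message normally arrives only after a badge was accepted, and a strict one that treats any out-of-sequence message as a protocol error and resets. The message strings, the badge value and the gate model are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// State of the gate-side protocol. The strict controller acts on a message
// only if it arrives in the state where that message is expected.
type State int

const (
	Idle       State = iota // nobody has pressed the intercom
	Challenged              // the gate has asked the visitor to identify
	Verified                // a valid credential was presented
)

// Gate models the intercom: a set of valid badges (constructed sample data)
// and whether the gate is currently open.
type Gate struct {
	state  State
	Open   bool
	badges map[string]bool
}

func NewGate() *Gate {
	return &Gate{badges: map[string]bool{"BADGE 4711": true}} // constructed badge
}

// HandleNaive reacts to message content alone. "THANK YOU" normally arrives
// after a badge was accepted, so this controller takes it as proof that the
// verification step already happened and opens the gate.
func (g *Gate) HandleNaive(msg string) string {
	switch {
	case msg == "HELLO":
		return "WHO ARE YOU?"
	case strings.HasPrefix(msg, "BADGE "):
		if g.badges[msg] {
			return "OK"
		}
		return "DENIED"
	case msg == "THANK YOU":
		g.Open = true
		return "GATE OPEN"
	}
	return "?"
}

// HandleStrict keys every decision on (state, message). A message that is
// valid in isolation but out of sequence is a protocol error: it resets the
// exchange instead of advancing it, and the gate stays as it was.
func (g *Gate) HandleStrict(msg string) string {
	switch {
	case g.state == Idle && msg == "HELLO":
		g.state = Challenged
		return "WHO ARE YOU?"
	case g.state == Challenged && strings.HasPrefix(msg, "BADGE "):
		if g.badges[msg] {
			g.state = Verified
			g.Open = true
			return "GATE OPEN"
		}
		g.state = Idle
		return "DENIED"
	case g.state == Verified && msg == "THANK YOU":
		return "YOU ARE WELCOME"
	}
	g.state = Idle
	return "PROTOCOL ERROR"
}

// RunExchange feeds a scripted visitor through one controller and reports
// whether the gate ended up open, plus every reply for inspection.
func RunExchange(strict bool, visitor []string) (bool, []string) {
	g := NewGate()
	var replies []string
	for _, m := range visitor {
		if strict {
			replies = append(replies, g.HandleStrict(m))
		} else {
			replies = append(replies, g.HandleNaive(m))
		}
	}
	return g.Open, replies
}

func main() {
	skipped := []string{"HELLO", "THANK YOU"}             // jumps past the credential step
	proper := []string{"HELLO", "BADGE 4711", "THANK YOU"} // full expected sequence
	for _, c := range []struct {
		name   string
		strict bool
		msgs   []string
	}{
		{"naive, step skipped", false, skipped},
		{"strict, step skipped", true, skipped},
		{"strict, full sequence", true, proper},
	} {
		open, replies := RunExchange(c.strict, c.msgs)
		fmt.Printf("%-22s open=%-5v replies=%v\n", c.name, open, replies)
	}
}
```

The point of the strict handler is not the badge check itself but the fall-through at the end: an unexpected message never advances the state, so a visitor cannot reach the "already verified" branch by sending the message that normally follows verification. Logging that "PROTOCOL ERROR" path is also the natural detection hook for this class of attempt.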

Develop your auditing skills to improve ITAM/SAM

posted Apr 10, 2015, 8:31 AM by Björn Spåra   [ updated May 6, 2015, 5:11 AM ]

AUDIT FOR COMPLIANCE, CONFORMANCE AND COST EFFECTIVENESS

With unplanned cost from external software license compliance audits on the rise, internal auditors may need to start paying closer attention to the organization's management of its software assets. Substantive testing is largely ineffective on a wider scale, as license terms and metrics vary from supplier to supplier. However, involving ITAM/SAM departments and external experts may help determine high-risk software suppliers and allow internal auditors to target those high value / high risk suppliers, performing internal license compliance audits in addition to testing of internal controls.

Software Census offers a 3-day (20 CPE) classroom training course designed to facilitate substantive testing of software license compliance and testing of internal controls to demonstrate ITAM/SAM effectiveness. Internal auditing of software license compliance will strengthen governance of IT, drive improvement in ITAM/SAM and restore management confidence in IT.

This course is designed for ITAM/SAM professionals wanting to improve their auditing skills and IT Auditors who want to improve their licensing and ITAM/SAM skills. During the course you will design internal controls and evaluation criteria to test them. You will work with raw data extracts and learn proper techniques to evaluate the data and assert its trustworthiness. You will learn how to collate and reconcile deployment, capacity, configuration and usage data with license entitlements.

Join us in Stockholm at a date that is convenient for you!


What is a license key?

posted Apr 10, 2015, 7:09 AM by Björn Spåra   [ updated Apr 15, 2015, 3:14 AM ]

WHAT IS A LICENSE KEY AND WHO SHOULD MANAGE IT?

A common misconception about software license keys is that the key is the license. Strictly speaking, the license is the rights granted to the user of the software and the license key simply the token that enables the copy protection scheme to verify the user as a legitimate paying customer. The basic idea is that only users that have acquired the appropriate license will be issued a license key enabling them to install or use the software.

The key itself can be a string of characters entered into the installer or the software itself which by some method of computational comparison verifies the entered key and subsequently continues the installation process or the execution of the software. The key can also be a hardware dongle that physically connects with the computer making the key less vulnerable to copying. Generally speaking, circumventing copy protection schemes based on either software license keys or hardware dongles through reverse engineering of the verification code is not complicated unless rigorous code protection mechanisms are put in place to obfuscate the copy protection itself. Bear in mind that all protection systems can (and will, given enough time and resources) be broken.

In recent years, copy protection schemes have evolved and online verification is used to check the validity of the license key. Microsoft uses software license keys to activate each instance of its software. There are two types of activation mechanism: one where each instance of the software is activated directly with Microsoft (or through an activation proxy), independently of the others, using a single MAK (Multiple Activation Key). The other activation method deploys an activation server within the organisation to allow individual software instances to activate internally using KMS (Key Management Service) without communicating directly with Microsoft. Upon activation, the key is checked online with Microsoft to determine its validity; keys used by unauthorised users are subsequently withdrawn, and further activation requests using the compromised key are rejected.

There are copy protection schemes that rely on a license file, which is typically some form of digitally signed certificate. There are copy protection schemes that do not rely on a license key at all, but rather on authorizing users who authenticate to the software publisher through online or federated corporate identities. Of course, there are also software publishers that do not rely on copy protection at all and simply make their software available for download.
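To make the "digitally signed license file" scheme concrete, here is an added example in Go (written for this page; it is not code from Software Census or from any publisher's product). The publisher holds an Ed25519 private key and issues a file consisting of a base64 payload and its signature; the shipped product carries only the public key and verifies the signature before trusting anything in the payload, then checks product name and expiry. The license fields, the file format (payload "." signature), the RFC 3339 expiry and the licensee name are all assumptions made for the example, and `ForgeSeats` only exists to show that editing the payload without the private key is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// License is the signed payload: what the publisher grants, to whom, until when.
// Field set and RFC 3339 expiry are assumptions for this example.
type License struct {
	Licensee string `json:"licensee"`
	Product  string `json:"product"`
	Seats    int    `json:"seats"`
	Expires  string `json:"expires"`
}

// IssueLicense produces a license file: base64url(payload) "." base64url(signature).
// Only the publisher holds priv; the product ships with the matching public key.
func IssueLicense(priv ed25519.PrivateKey, lic License) (string, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyLicense checks the signature first, then the terms, so a forged or
// tampered file is rejected before any of its contents are trusted.
func VerifyLicense(pub ed25519.PublicKey, file, product string, now time.Time) (*License, error) {
	parts := strings.Split(file, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed license file")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature check failed")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return nil, err
	}
	if lic.Product != product {
		return nil, fmt.Errorf("license is for %q, not %q", lic.Product, product)
	}
	exp, err := time.Parse(time.RFC3339, lic.Expires)
	if err != nil {
		return nil, errors.New("bad expiry")
	}
	if !now.Before(exp) {
		return nil, errors.New("license expired")
	}
	return &lic, nil
}

// ForgeSeats rewrites the seat count in an existing file while keeping the old
// signature; it exists only to show that the verifier catches the edit.
func ForgeSeats(file string, seats int) string {
	parts := strings.SplitN(file, ".", 2)
	payload, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var lic License
	_ = json.Unmarshal(payload, &lic)
	lic.Seats = seats
	edited, _ := json.Marshal(lic)
	return base64.RawURLEncoding.EncodeToString(edited) + "." + parts[1]
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher keypair, generated for the demo
	if err != nil {
		panic(err)
	}
	lic := License{Licensee: "Example AB", Product: "widget-pro", Seats: 25, Expires: "2030-01-01T00:00:00Z"} // constructed
	file, _ := IssueLicense(priv, lic)
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, c := range []struct{ name, file string }{
		{"genuine", file},
		{"seats edited", ForgeSeats(file, 500)},
	} {
		_, err := VerifyLicense(pub, c.file, "widget-pro", now)
		fmt.Printf("%-13s -> err=%v\n", c.name, err)
	}
}
```

Two design points carry over to real products: verify before parse, so that the JSON decoder never runs on attacker-controlled bytes that have not passed the signature check, and keep the private key off every customer system, since the verifier needs only the public half. This is also why the scheme is a better control than a bare key string: the file binds the grant (product, seats, expiry) to the signature rather than relying on a secret that any installer can copy.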

Some people would argue that the management of software license keys is the responsibility of the ITAM/SAM department. And they would be right from a certain perspective. License keys must be managed and if the ITAM/SAM department manages the license, why not the license key? Issuing a license key for each software installation sounds like a pretty good control, right? Wrong!

The majority of software license non-compliance issues are the result of over-deploying prepackaged software where the license key is already entered, or of changes in hardware configuration or user authorization where the license key does little to help. When installing software that requires a license key, 9 out of 10 IT professionals will save the key for another time. In fact, the license key is completely useless from a control perspective and should be eradicated entirely. Software publishers wishing to combat non-compliance in the enterprise space would be better off embedding tools in their software products that report license usage directly to the offending customer.

So who should manage the license key?

The people who perform software packaging/installations, of course.
