RESEARCH COVERED BY: DevOps Leadership Series & Contributing Author
Upcoming Speaking Engagements:
LISA15 | USENIX (Nov. 12, 2015 - DC)
OWASP NYC CyberSocial (September 16, 2015 - NYC)
Atlanta Java Users Group (Sept. 15, 2015 - Atlanta)
HP Protect (Sept. 3, 2015 - DC)
@weekstweets
John Willis, DevOps Days Core Organizer
Gareth Rushgrove, Puppet Labs
Nigel Simpson, F-100 Entertainment Giant
@sonatype
Chart: Open Source Download Requests per year, 2007 to 2014 (axis values 500M, 1B, 2B, 4B, 6B, 8B, 13B, 17B; 17B reached in 2014)
Source: 2015 State of the Software Supply Chain Report
POLLING QUESTION
What percent of modern apps are composed of open source components?
a. 10 - 20%
b. 50 - 60%
c. 80 - 90%
How Dependent on 3rd Parties Are We?
Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)
3 savings in modern supply chains:
Better and fewer suppliers
Higher quality parts
Improved visibility and traceability
Automation
CHANGE: the typical component is updated 3 - 4X per year.
985,000 OSS COMPONENTS
11 MILLION OSS USERS
108,000 SUPPLIERS
POLLING QUESTION
How many open source suppliers do companies work with?
a. 5,372
b. 7,601
c. 15,118
Suppliers Serving Manufacturers (average per organization)
Orders (downloads): 240,757
Suppliers (artifacts): 7,601
Parts (versions): 18,614
Of known vulnerabilities in components, 41% were repaired, taking 390 days on average (median 265 days); CVSS 10s took 224 days.
59% were never repaired.
<7 days: the best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Sample of Open Source Repositories: 2014 Volume of Download Requests
Central.sonatype.org: 17,213,084,947
Npmjs.org: 15,460,748,856
NuGetGallery.com: 280,124,916
Bintray.com: 250,000,000
CHANGE: the typical component is updated 3 - 4X per year.
Unlike COTS, there is no clear, effective COMMUNICATION channel between the suppliers of 985,000 OSS COMPONENTS and their 11 MILLION OSS USERS ...but there can be.
Chart: Repository Managers Accessing the Central Repository
PATTERN #1: Public Repos -> Local Repo -> Build Tool
PATTERN #2: Public Repos -> Build Tool
POLLING QUESTION
What percent of components are sourced from public repositories?
a. 25%
b. 55%
c. 95%
Diagram: the same two patterns (Public Repos -> Local Repo -> Build Tool; Public Repos -> Build Tool), annotated with their share of downloads: 95% of downloads vs. 5% of downloads
240,000 Components Downloaded Annually
POLLING QUESTION
What percent of organizations do not have a policy governing quality and integrity of components?
a. 25%
b. 55%
c. 95%
Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Orders Quality Control
Average downloads: 240,757
# with known vulnerabilities: 15,337
% with known vulnerabilities: 7.5%
% of known vulnerabilities dated 2013 or older: 66.3%
Chart: Download Volumes of Old CVEs
Analysis of 1,500+ Applications (average per application):
106 components
24 known vulnerabilities
9 restrictive licenses
1. Create a software Bill of Materials for one application
2. Design a frictionless, automated, "continuous" approach
3. Empower developers with the right information at the right time
CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD
Jenkins integration: run history and status of each build, across multiple applications. Builds may be stable or unstable; the view also shows build successes and failures.
Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.
Shift Left = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
EMPOWER DEVELOPERS FROM THE START
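The three steps above (build a Bill of Materials for one application, gate every build on policy, answer the same question in the IDE before a dependency is added) can be shown end to end in one small script. This is an added example written for this page, not Sonatype's or Nexus Lifecycle's code: the component coordinates, licenses, release dates, advisory records (placeholder ids, not CVEs) and the policy thresholds are all constructed for illustration. The purl identifiers follow the Package URL convention for Maven artifacts (pkg:maven/group/artifact@version); the BOM layout is a minimal JSON document, not a full CycloneDX or SPDX file.

```python
"""Minimal software Bill of Materials plus component-policy check.

Added example: all component names, licenses, release dates and advisory
records here are constructed; none refer to real artifacts or real CVEs.
"""
from dataclasses import dataclass
from datetime import date
import json


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    license: str      # SPDX-style license identifier
    released: date

    @property
    def purl(self) -> str:
        # Package URL for a Maven artifact: pkg:maven/<group>/<artifact>@<version>
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"


# Constructed: the dependency set a build tool resolved for one application.
APP_DEPENDENCIES = [
    Component("com.example", "parser-lib", "1.2.0", "Apache-2.0", date(2014, 3, 10)),
    Component("com.example", "crypto-utils", "0.9.1", "MIT", date(2012, 11, 2)),
    Component("org.example", "net-client", "3.4.2", "GPL-2.0-only", date(2015, 1, 20)),
    Component("org.example", "logging-core", "2.0.0", "Apache-2.0", date(2015, 6, 5)),
]

# Constructed advisory feed keyed by purl: (advisory id, CVSS base score, year published).
# The ids are placeholders, not CVE identifiers.
KNOWN_VULNERABILITIES = {
    "pkg:maven/com.example/crypto-utils@0.9.1": [("EXAMPLE-ADV-0001", 10.0, 2013)],
    "pkg:maven/com.example/parser-lib@1.2.0": [("EXAMPLE-ADV-0002", 6.5, 2015)],
}

# Constructed policy for this application (thresholds are assumptions).
POLICY = {
    "restrictive_licenses": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "fail_cvss_at_or_above": 7.0,  # high/critical findings block the build
    "stale_advisory_year": 2013,   # advisories from this year or earlier count as "old"
}


def build_bom(app_name: str, app_version: str, components) -> dict:
    """Step 1: one BOM entry per resolved component, identified by purl."""
    return {
        "application": {"name": app_name, "version": app_version},
        "components": [
            {"purl": c.purl, "license": c.license, "released": c.released.isoformat()}
            for c in components
        ],
    }


def evaluate_bom(bom: dict, vulnerabilities: dict, policy: dict) -> dict:
    """Step 2: the automated gate a CI job runs on every build.

    Returns policy violations plus the quality-control figures the report
    tabulates: share of components with known vulnerabilities and share of
    those vulnerabilities that are old.
    """
    violations, with_vulns, advisories_seen, old_advisories = [], 0, 0, 0
    for entry in bom["components"]:
        purl = entry["purl"]
        advisories = vulnerabilities.get(purl, [])
        if advisories:
            with_vulns += 1
        for adv_id, cvss, year in advisories:
            advisories_seen += 1
            if year <= policy["stale_advisory_year"]:
                old_advisories += 1
            if cvss >= policy["fail_cvss_at_or_above"]:
                violations.append({"type": "security", "purl": purl,
                                   "advisory": adv_id, "cvss": cvss})
        if entry["license"] in policy["restrictive_licenses"]:
            violations.append({"type": "license", "purl": purl,
                               "license": entry["license"]})
    total = len(bom["components"])
    return {
        "components": total,
        "with_known_vulnerabilities": with_vulns,
        "pct_with_known_vulnerabilities": round(100.0 * with_vulns / total, 1) if total else 0.0,
        "pct_old_vulnerabilities": round(100.0 * old_advisories / advisories_seen, 1) if advisories_seen else 0.0,
        "violations": violations,
        "build_passes": not violations,
    }


def component_allowed(component: Component, vulnerabilities=KNOWN_VULNERABILITIES,
                      policy=POLICY) -> bool:
    """Step 3: the same rule applied to one candidate component at selection
    time, which is what an IDE check answers before the dependency is added."""
    single = build_bom("candidate", "0", [component])
    return evaluate_bom(single, vulnerabilities, policy)["build_passes"]


if __name__ == "__main__":
    bom = build_bom("orders-service", "1.0.0", APP_DEPENDENCIES)
    print(json.dumps(bom, indent=2))
    result = evaluate_bom(bom, KNOWN_VULNERABILITIES, POLICY)
    for violation in result["violations"]:
        print("VIOLATION", violation)
    print("build passes:", result["build_passes"])
```

Run stand-alone, the script prints the BOM, one security violation (the CVSS 10 advisory on crypto-utils) and one license violation (net-client), and reports that the build fails; parser-lib's 6.5 finding is recorded in the statistics but stays below the blocking threshold, which is the kind of policy choice the page leaves to the organization. Swapping the constructed advisory dictionary for a real feed keyed by purl is the only change needed to point this at actual dependency data.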