Post on 11-Feb-2017
ACCELERATING INNOVATION WITHSoftware Supply Chain Management
Matthew BarkerTechnical Directormbarker@sonatype.com505-239-4008
@sonatype
@sonatype
106,000Organizations Analyzed
Source: 2015 State of the Software Supply Chain Report
@sonatype
We all have a
SOFTWARE SUPPLY CHAIN
@sonatype
POLLING QUESTION
What percent of modern apps are composed of open source components?
6
a. 10 - 20%b. 50 - 60%c. 80 - 90%
How Dependent on 3rd Parties Are We?
10% Custom Written Code
Typical Application
Open Source
Cloud ServicesClosed Source
90% From 3rd Parties
@sonatype
Need speed, efficiency & quality for agile, continuous DevOps?
Automate your software supply chain with three proven principles:
Use higher quality parts
Use better & fewer suppliers
Track what you use and where
@sonatype
CHANGE Typical component is
updated 3 - 4X per year.
985,000 OSS COMPONENTS
11 MILLION OSS USERS108,000 SUPPLIERS
Source: 2015 State of the Software Supply Chain Report@sonatype
POLLING QUESTION
How many open source suppliers do companies work with?
11
a. 5,372b. 7,601
c. 15,118
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report
Orders(downloads)
Suppliers(artifacts)
Parts(versions)
Average 240,757 7,601 18,614
@sonatype
59% never repaired
41% 390 days (median 265 days). CVSS 10s 224 days
<7The best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
@sonatype
@sonatype
Sample of Open Source Repositories
2014Volume of
Download RequestsCentral.sonatype.org 17,213,084,947
Npmjs.org 15,460,748,856
NuGetGallery.com 280,124,916
Bintray.com 250,000,000
Source: 2015 State of the Software Supply Chain Report
@sonatype
Source: 2015 State of the Software Supply Chain Report
PublicRepos
Local Repo
Build Tool
Public Repos
Build Tool
PATTERN #1
PATTERN #2
@sonatype
POLLING QUESTION
What percent of components are sourced from repository managers vs.
other tools?
17
a. 25%b. 55%c. 95%
Source: 2015 State of the Software Supply Chain Report
PublicRepos
Local Repo
Build Tool
Public Repos
Build Tool
95%of downloads
5%of downloads
@sonatype
19
Source: 2015 State of the Software Supply Chain Report
240,000Components Downloaded Annually
@sonatype
POLLING QUESTION
What percent of organizations do not have a policy governing quality and
integrity of components?
21
a. 25%b. 55%c. 95%
Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey@sonatype
Orders Quality Control
Average downloads
# with known vulnerabilities
% with known vulnerabilities
% known vulnerabilities (2013 or older)
240,757 15,337 7.5% 66.3%
Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report@sonatype
@sonatype
Analysis of 1,500+ Applications
106 components
24 known
vulnerabilities
9restrictive licenses
@sonatype
What if manufacturers built cars the way we build software:without supply chain visibility, process and automation …
They could choose
any supplier they want for
any given part, regardless of
quality.
Any part can be chosen
even if it is outdated or known to be
unsafe.
Since there is no visibility, it is
very slow and costly
to recalla part.
There is no quality
control or consistency from car to car.
There is no inventory
of the parts that were used, or
where.
1
2
3 Create a software Bill of Materials for your application
Design a frictionless, automated, “continuous” approach
Choose good components from the start - empower developers with the right information at the right time
@sonatype
Shift Left= ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
CHOOSE GOOD COMPONENTS FROM THE START
@sonatype
CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD
Jenkins integration run history and status of each build, across multiple applications.
Builds might be stable or unstable. Also shows build success and failures.
Nexus Lifecycle policy violations and vulnerabilities levels are displayed within the Jenkins CI dashboard.
@sonatype
CREATE A SOFTWARE BILL OF MATERIALS
bit.ly/softwareBOM
5MINUTES
@sonatype
Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned
System, by Ananth Iyer and Sridhar Seshadri
John WillisDevOps Days Core
Organizer
Gareth RushgrovePuppet Labs
Nigel SimpsonF-100 Entertainment Giant
@sonatype
@sonatype
Back to the Cars… What’s this got to do with software???
Use fewer and better suppliers Choose high quality parts Track what parts are used and where
Quality, speed, remediation time
Debt, rework, negative branding
Collaboration and governance to create value!