Accelerating Innovation with Software Supply Chain Management
Page 1
ACCELERATING INNOVATION WITH Software Supply Chain Management
Matthew Barker, Technical [email protected]
Page 2
@sonatype
Page 3
Page 4
106,000 Organizations Analyzed
Source: 2015 State of the Software Supply Chain Report
Page 5
We all have a SOFTWARE SUPPLY CHAIN
Page 6
POLLING QUESTION
What percent of modern apps are composed of open source components?
a. 10 - 20%
b. 50 - 60%
c. 80 - 90%
Page 7
How Dependent on 3rd Parties Are We?
Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)
Page 8
Need speed, efficiency & quality for agile, continuous DevOps?
Automate your software supply chain with three proven principles:
Use higher quality parts
Use better & fewer suppliers
Track what you use and where
Page 9
Page 10
CHANGE: Typical component is updated 3 - 4X per year.
985,000 OSS COMPONENTS
11 MILLION OSS USERS
108,000 SUPPLIERS
Source: 2015 State of the Software Supply Chain Report
Page 11
POLLING QUESTION
How many open source suppliers do companies work with?
a. 5,372
b. 7,601
c. 15,118
Page 12
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report

| | Orders (downloads) | Suppliers (artifacts) | Parts (versions) |
|---|---|---|---|
| Average | 240,757 | 7,601 | 18,614 |
Page 13
59%: never repaired
41%: repaired, taking 390 days (median 265 days); CVSS 10s took 224 days
<7: the best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Page 14
Page 15
Sample of Open Source Repositories

| Repository | 2014 Volume of Download Requests |
|---|---|
| Central.sonatype.org | 17,213,084,947 |
| Npmjs.org | 15,460,748,856 |
| NuGetGallery.com | 280,124,916 |
| Bintray.com | 250,000,000 |

Source: 2015 State of the Software Supply Chain Report
Page 16
Source: 2015 State of the Software Supply Chain Report
PATTERN #1: Public Repos -> Local Repo -> Build Tool
PATTERN #2: Public Repos -> Build Tool
Page 17
POLLING QUESTION
What percent of components are sourced from repository managers vs. other tools?
a. 25%
b. 55%
c. 95%
Page 18
Source: 2015 State of the Software Supply Chain Report
Public Repos -> Local Repo -> Build Tool: 95% of downloads
Public Repos -> Build Tool: 5% of downloads
Page 19
Page 20
Source: 2015 State of the Software Supply Chain Report
240,000 Components Downloaded Annually
Page 21
POLLING QUESTION
What percent of organizations do not have a policy governing quality and integrity of components?
a. 25%
b. 55%
c. 95%
Page 22
Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Page 23
Orders Quality Control

| Average downloads | # with known vulnerabilities | % with known vulnerabilities | % known vulnerabilities (2013 or older) |
|---|---|---|---|
| 240,757 | 15,337 | 7.5% | 66.3% |

Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report
Page 24
Page 25
Analysis of 1,500+ Applications
106 components
24 known vulnerabilities
9 restrictive licenses
Page 26
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
They could choose any supplier they want for any given part, regardless of quality.
Any part can be chosen even if it is outdated or known to be unsafe.
Since there is no visibility, it is very slow and costly to recall a part.
There is no quality control or consistency from car to car.
There is no inventory of the parts that were used, or where.
Page 27
1. Choose good components from the start - empower developers with the right information at the right time
2. Design a frictionless, automated, “continuous” approach
3. Create a software Bill of Materials for your application
Page 28
CHOOSE GOOD COMPONENTS FROM THE START
Shift Left = ZTTR (Zero Time to Remediation)
Analyze all components from within your IDE
License, Security and Architecture data for each component, evaluated against your policy
Page 29
CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD
The Jenkins integration shows the run history and status of each build, across multiple applications.
Builds might be stable or unstable; it also shows build successes and failures.
Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.
Page 30
CREATE A SOFTWARE BILL OF MATERIALS
bit.ly/softwareBOM
5 MINUTES
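The three steps above (choose good components against a policy, check every build, keep a bill of materials) as a runnable check, added here as an example and not the deck's or Sonatype's code: the SBOM entries, CVE ids, license list and the 2013 cutoff year are constructed or assumed for illustration.

```python
"""Added example (not the deck's or Sonatype's code): evaluate a constructed SBOM
against a policy built from the deck's three principles and keep the inventory
needed for a fast recall. All data is constructed; CVE ids are placeholders."""
from collections import defaultdict
# Constructed SBOM: one entry per (application, component) usage.
# "cves" holds (id, year published, CVSS score) for known vulnerabilities.
SBOM = [
    {"app": "billing", "supplier": "org.example", "name": "parser",
     "version": "1.2", "license": "Apache-2.0", "cves": []},
    {"app": "billing", "supplier": "org.example", "name": "xml-util",
     "version": "0.9", "license": "GPL-3.0",
     "cves": [("CVE-PLACEHOLDER-1", 2012, 10.0)]},
    {"app": "portal", "supplier": "org.example", "name": "xml-util",
     "version": "0.9", "license": "GPL-3.0",
     "cves": [("CVE-PLACEHOLDER-1", 2012, 10.0)]},
    {"app": "portal", "supplier": "com.other", "name": "http",
     "version": "3.1", "license": "MIT",
     "cves": [("CVE-PLACEHOLDER-2", 2015, 5.3)]},
]
RESTRICTIVE_LICENSES = {"GPL-3.0", "AGPL-3.0"}  # illustrative policy choice
OLD_CVE_CUTOFF_YEAR = 2013  # the deck counts CVEs from 2013 or older as old

def coordinates(e):
    """supplier:name:version, the key used to track a part across builds."""
    return f"{e['supplier']}:{e['name']}:{e['version']}"

def evaluate_policy(sbom):
    """Return (app, component, reason) tuples: 'choose good components'."""
    violations = []
    for e in sbom:
        if e["license"] in RESTRICTIVE_LICENSES:
            violations.append((e["app"], coordinates(e),
                               f"restrictive license {e['license']}"))
        for cve_id, year, score in e["cves"]:
            age = "old" if year <= OLD_CVE_CUTOFF_YEAR else "recent"
            violations.append((e["app"], coordinates(e),
                               f"{age} vulnerability {cve_id} (CVSS {score})"))
    return violations

def inventory(sbom):
    """Map each component to the apps that ship it: 'track what and where'."""
    where = defaultdict(set)
    for e in sbom:
        where[coordinates(e)].add(e["app"])
    return {k: sorted(v) for k, v in where.items()}

def supplier_count(sbom):
    """Distinct suppliers in use: the 'fewer and better suppliers' metric."""
    return len({e["supplier"] for e in sbom})

if __name__ == "__main__":
    print(evaluate_policy(SBOM), inventory(SBOM), supplier_count(SBOM))
```

Running it lists one violation per license or vulnerability finding, per application, so a build can fail on policy and the inventory tells you which applications to rebuild when a part is recalled.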
Page 31
Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned
System, by Ananth Iyer and Sridhar Seshadri
Page 32
John Willis, DevOps Days Core Organizer
Gareth Rushgrove, Puppet Labs
Nigel Simpson, F-100 Entertainment Giant
Page 33
Back to the Cars… What’s this got to do with software???
Use fewer and better suppliers
Choose high quality parts
Track what parts are used and where
Quality, speed, remediation time
Debt, rework, negative branding
Collaboration and governance to create value!