Findings Revealed: 2015 State of the Software Supply Chain
Download as PPTX, PDF7 likes1,048 views
The document highlights insights from the 2015 State of the Software Supply Chain report, focusing on the reliance on open source components by organizations and the importance of effective supply chain management. It presents statistics on components, downloads, and vulnerabilities, addressing the need for policies governing quality and integrity in software development. Additionally, it emphasizes the significance of empowering developers through automation and better information access to enhance software supply chains.
Findings Revealed: 2015 State of the Software Supply Chain
- 1. TOP HIGHLIGHTS & BENCHMARKS Derek E. Weeks VP and DevOps Advocate
- 2. RESEARCH COVERED BY DevOps Leadership Series & Contributing Author Upcoming Speaking Engagements: LISA15 | USENIX (Nov. 12, 2015 - DC) OWASP NYC CyberSocial (September 16, 2015 - NYC) Atlanta Java Users Group (Sept. 15, 2015 - Atlanta) HP Protect (Sept. 3, 2015 - DC) @weekstweets
- 3. @sonatype
- 4. @sonatype
- 5. 106,000Organizations Analyzed Source: 2015 State of the Software Supply Chain Report @sonatype
- 6. We all have a SOFTWARE SUPPLY CHAIN @sonatype
- 7. Modern software development HAS CHANGED Our process HASN’T CHANGED ENOUGH @sonatype
- 8. John Willis DevOps Days Core Organizer Gareth Rushgrove Puppet Labs Nigel Simpson F-100 Entertainment Giant @sonatype
- 9. 201320122011200920082007 2010 2B1B500M 4B 6B 8B 13B 17B 2014 Source: 2015 State of the Software Supply Chain Report @sonatype Open Source Download Requests…
- 10. POLLING QUESTION What percent of modern apps are composed of open source components? 10 a. 10 - 20% b. 50 - 60% c. 80 - 90%
- 11. How Dependent on 3rd Parties Are We? 10% Custom Written Code Typical Application Open Source Cloud Services Closed Source 90% From 3rd Parties @sonatype
- 12. Better and fewer suppliers Higher quality parts Improved visibility and traceability 3 savings in modern supply chains Automation @sonatype
- 13. @sonatype
- 14. CHANGE Typical component is updated 3 - 4X per year. 985,000 OSS COMPONENTS 11 MILLION OSS USERS108,000 SUPPLIERS Source: 2015 State of the Software Supply Chain Report @sonatype
- 15. POLLING QUESTION How many open source suppliers do companies work with? 15 a. 5,372 b. 7,601 c. 15,118
- 16. Suppliers Serving Manufacturers Source: 2015 State of the Software Supply Chain Report Orders (downloads) Suppliers (artifacts) Parts (versions) Average 240,757 7,601 18,614 @sonatype
- 17. 41% 390 days (median 265 days). CVSS 10s 224 days 59% never repaired <7 The best were remediated in under a week. Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf @sonatype
- 18. @sonatype
- 20. Sample of Open Source Repositories 2014 Volume of Download Requests Central.sonatype.org 17,213,084,947 Npmjs.org 15,460,748,856 NuGetGallery.com 280,124,916 Bintray.com 250,000,000 Source: 2015 State of the Software Supply Chain Report @sonatype
- 21. CHANGE Typical component is updated 3 - 4X per year. Unlike COTS, there is no clear, effective COMMUNICATION channel …but there can be. 985,000 OSS COMPONENTS 11 MILLION OSS USERS @sonatype
- 22. Repository Managers Accessing the Central Repository Source: 2015 State of the Software Supply Chain Report @sonatype
- 23. Source: 2015 State of the Software Supply Chain Report Public Repos Local Repo Build Tool Public Repos Build Tool PATTERN #1 PATTERN #2 @sonatype
- 24. POLLING QUESTION What percent of components are sourced from public repositories? 24 a. 25% b. 55% c. 95%
- 25. Source: 2015 State of the Software Supply Chain Report Public Repos Local Repo Build Tool Public Repos Build Tool 95% of downloads 5% of downloads @sonatype
- 26. 26
- 28. Source: 2015 State of the Software Supply Chain Report 240,000Components Downloaded Annually @sonatype
- 29. POLLING QUESTION What percent of organizations do not have a policy governing quality and integrity of components? 29 a. 25% b. 55% c. 95%
- 30. Q: Does your organization have an open source policy? Half of organizations continue to run without an open source policy. Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey @sonatype
- 31. If it does not fit, it does not get done. @sonatype
- 32. Orders Quality Control Average downloads # with known vulnerabilities % with known vulnerabilities % known vulnerabilities (2013 or older) 240,757 15,337 7.5% 66.3% Download Volumes of Old CVEs Source: 2015 State of the Software Supply Chain Report @sonatype
- 33. Source: 2015 State of the Software Supply Chain Report Outdated Versions Downloaded @sonatype
- 35. @sonatype
- 36. @sonatype
- 37. Analysis of 1,500+ Applications 106 components 24 known vulnerabilities 9 restrictive licenses @sonatype
- 38. v
- 39. 1 2 3 Create a software Bill of Materials for one application Design a frictionless, automated, “continuous” approach Empower developers with the right information at the right time @sonatype
- 40. CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD Jenkins integration run history and status of each build, across multiple applications. Builds might be stable or unstable. Also shows build success and failures. Nexus Lifecycle policy violations and vulnerabilities levels are displayed within the Jenkins CI dashboard. @sonatype
- 41. Shift Left= ZTTR (Zero Time to Remediation) Analyze all components from within your IDE License, Security and Architecture data for each component, evaluated against your policy EMPOWER DEVELOPERS FROM THE START @sonatype
- 42. CREATE A SOFTWARE BILL OF MATERIALS bit.ly/softwareBOM 5MINUTES @sonatype
- 43. YOU ALL GET A COPY TODAY!
- 44. IT’S TIME WE IMPROVE OUR SOFTWARE SUPPLY CHAINS
Editor's Notes
- #8: We are in the business of open source governance, management and compliance (add in slide or on cover slide) Your Company Runs on Software – it must be trusted
- #15: The suppliers and the manufacturers need to share information. And right now that communication channel is not only broken, it simply doesn’t exist. Components are updated an average of 4X a year to fix issues, but how do the manufacturers even learn about it? …….. Supply chain management at Toyota was transformational. They went from being a textile company to the world’s leading automobile manufacturer, largely because of these improvements and these principles. And even today, the effect of their philosophy is pretty remarkable to me. For example, Toyota-wide, they have 226 suppliers. General Motors has 5,500. And so imagine the efficiencies of only having to deal with 226 suppliers as opposed to 5,000. And what’s further to that, is that GM produces 54% of the content of their vehicles and Toyota produces 27%. So, GM has 1/20th the suppliers, and yet they produce half of the content of their vehicles. And so it’s no surprise that a Volt costs $40,000 and a Prius $20,000. And the Prius sells 20,000 units a month and GM sells 1,700.
- #22: The suppliers and the manufacturers need to share information. And right now that communication channel is not only broken, it simply doesn’t exist. Components are updated an average of 4X a year to fix issues, but how do the manufacturers even learn about it? …….. Supply chain management at Toyota was transformational. They went from being a textile company to the world’s leading automobile manufacturer, largely because of these improvements and these principles. And even today, the effect of their philosophy is pretty remarkable to me. For example, Toyota-wide, they have 226 suppliers. General Motors has 5,500. And so imagine the efficiencies of only having to deal with 226 suppliers as opposed to 5,000. And what’s further to that, is that GM produces 54% of the content of their vehicles and Toyota produces 27%. So, GM has 1/20th the suppliers, and yet they produce half of the content of their vehicles. And so it’s no surprise that a Volt costs $40,000 and a Prius $20,000. And the Prius sells 20,000 units a month and GM sells 1,700.
- #28: Cycle Time Squeeze Work Arounds Batch Scans Rework Exposure
- #32: Cycle Time Squeeze Work Arounds Batch Scans Rework Exposure
- #42: First of all… when you can clearly see the threat levels of components in your IDE, you can easily shift to a safer one. The area here in the lower right works like a slider… you simply slide to the right to identify a safer, accepted version of a component. So you see, you not only see a potential problem early one, but you also see the solution. Better yet… ========= Click onto pane and zoom in and zoom out Guide your eyes to the RIGHT…. This is a normal Developer IDE called Eclipse… Sonatype made a PLUGIN within it to show a developer the component BEFORE before they choose or commit to ELECTIVE/AVOIDABLE Risk/AttackSurface/Complexity/LegalIssues … The RED chain (e.g.) is every version of Strut2-core…. And if you move RIGHT far enough…. It will lack KNOW CRITICAL vulnerabilities. The Green bar charts are the download popularity… which doesn’t speak at all to SECURITY… but may give people more comfort that it is stable and being used. License rsik is based on self-defined policy – we track if the use of this license can cause your whole website to now be FREE common opensource – like GPL… which might be very bad for you… and a DIFFERENT type of risk…
- #44: When do you have an hour to spare?