Accelerating innovation with software supply chain management
Download as PPTX, PDF1 like487 views
The document discusses the importance of software supply chain management, emphasizing that modern applications heavily rely on open source components, with 90% of their parts sourced from third parties. It highlights the need for organizations to automate their supply chains by using high-quality components, managing fewer suppliers, and implementing a policy for quality and integrity. The text advocates for a structured approach akin to manufacturing, suggesting that companies should have a clear visibility and control over their software components to improve efficiency and mitigate risks.
Accelerating innovation with software supply chain management
- 1. 1 Accelerating Innovation with Software Supply Chain Management Matthew Barker Technical Director mbarker@sonatype.com 505-239-4008
- 2. @sonatype
- 3. @sonatype
- 4. 106,000Organizations Analyzed Source: 2015 State of the Software Supply Chain Report @sonatype
- 5. We all have a SOFTWARE SUPPLY CHAIN @sonatype
- 6. POLLING QUESTION What percent of modern apps are composed of open source components? 6 a. 10 - 20% b. 50 - 60% c. 80 - 90%
- 7. How Dependent on 3rd Parties Are We? 10% Custom Written Code Typical Application Open Source Cloud Services Closed Source 90% From 3rd Parties @sonatype
- 8. Need speed, efficiency & quality for agile, continuous DevOps? Automate your software supply chain with three proven principles: Use higher quality parts Use better & fewer suppliers Track what you use and where
- 9. @sonatype
- 10. CHANGE Typical component is updated 3 - 4X per year. 985,000 OSS COMPONENTS 11 MILLION OSS USERS108,000 SUPPLIERS Source: 2015 State of the Software Supply Chain Report @sonatype
- 11. POLLING QUESTION How many open source suppliers do companies work with? 11 a. 5,372 b. 7,601 c. 15,118
- 12. Suppliers Serving Manufacturers Source: 2015 State of the Software Supply Chain Report Orders (downloads) Suppliers (artifacts) Parts (versions) Average 240,757 7,601 18,614 @sonatype
- 13. 59% never repaired 41% 390 days (median 265 days). CVSS 10s 224 days <7 The best were remediated in under a week. Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf @sonatype
- 14. @sonatype
- 15. Sample of Open Source Repositories 2014 Volume of Download Requests Central.sonatype.org 17,213,084,947 Npmjs.org 15,460,748,856 NuGetGallery.com 280,124,916 Bintray.com 250,000,000 Source: 2015 State of the Software Supply Chain Report @sonatype
- 16. Source: 2015 State of the Software Supply Chain Report Public Repos Local Repo Build Tool Public Repos Build Tool PATTERN #1 PATTERN #2 @sonatype
- 17. POLLING QUESTION What percent of components are sourced from repository managers vs. other tools? 17 a. 25% b. 55% c. 95%
- 18. Source: 2015 State of the Software Supply Chain Report Public Repos Local Repo Build Tool Public Repos Build Tool 95% of downloads 5% of downloads @sonatype
- 19. 19
- 20. Source: 2015 State of the Software Supply Chain Report 240,000Components Downloaded Annually @sonatype
- 21. POLLING QUESTION What percent of organizations do not have a policy governing quality and integrity of components? 21 a. 25% b. 55% c. 95%
- 22. Q: Does your organization have an open source policy? Half of organizations continue to run without an open source policy. Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey @sonatype
- 23. Orders Quality Control Average downloads # with known vulnerabilities % with known vulnerabilities % known vulnerabilities (2013 or older) 240,757 15,337 7.5% 66.3% Download Volumes of Old CVEs Source: 2015 State of the Software Supply Chain Report @sonatype
- 24. @sonatype
- 25. Analysis of 1,500+ Applications 106 components 24 known vulnerabilities 9 restrictive licenses @sonatype
- 26. What if manufacturers built cars the way we build software: without supply chain visibility, process and automation … They could choose any supplier they want for any given part, regardless of quality. Any part can be chosen even if it is outdated or known to be unsafe. Since there is no visibility, it is very slow and costly to recall a part. There is no quality control or consistency from car to car. There is no inventory of the parts that were used, or where.
- 27. 1 2 3 Create a software Bill of Materials for your application Design a frictionless, automated, “continuous” approach Choose good components from the start - empower developers with the right information at the right time @sonatype
- 28. Shift Left= ZTTR (Zero Time to Remediation) Analyze all components from within your IDE License, Security and Architecture data for each component, evaluated against your policy CHOOSE GOOD COMPONENTS FROM THE START @sonatype
- 29. CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD Jenkins integration run history and status of each build, across multiple applications. Builds might be stable or unstable. Also shows build success and failures. Nexus Lifecycle policy violations and vulnerabilities levels are displayed within the Jenkins CI dashboard. @sonatype
- 30. CREATE A SOFTWARE BILL OF MATERIALS bit.ly/softwareBOM 5MINUTES @sonatype
- 31. Supply chain advantage Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri
- 32. John Willis DevOps Days Core Organizer Gareth Rushgrove Puppet Labs Nigel Simpson F-100 Entertainment Giant @sonatype
- 33. @sonatype Back to the Cars… What’s this got to do with software??? Use fewer and better suppliers Choose high quality parts Track what parts are used and where Quality, speed, remediation time Debt, rework, negative branding Collaboration and governance to create value!
Editor's Notes
- #2: Research provided by Derek Weeks, VP of Marketing, Sonatype and author of “2015 State of the Software Supply Chain Report”
- #3: We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry? I think the answer will be obvious!
- #4: A defective part as simple as a “nut or bolt” can create havoc in a finished product such as a car – it’s clear that each part matters!
- #5: Having a keen eye on the explosive utilization of OSS components, I was VERY interested to see the intersection of the traditional Supply Chain Management principles and how they were used in the software world. I knew there were problems, but after reading “2015 State of the Software Supply Chain” and “The Phoenix Project,” I was astonished to see that many, if not all, of the core Supply Chain Management principles have yet to be or are just starting to be applied to the software industry. The definition of supply chain management is “the collaboration, planning, execution, control, and monitoring of supply chain activities with the objective of creating value.” Probably the most important part of that definition is the collaboration between supply chain activities to create value. Devops and Continuous Delivery have great promise, but velocity without value is not going to cut it – or put another way, even if you are efficiently digging yourself into a hole, you still need to STOP DIGGING!
- #9: These are the principles that Toyota applies. Our customers strive to automate their software supply chain by using better and fewer suppliers, higher quality and secure parts—and confidently track the parts their using and their dependencies. Add wrap it up slide to position or products as solutions
- #11: The suppliers and the manufacturers need to share information. And right now that communication channel is not only broken, it simply doesn’t exist. Components are updated an average of 4X a year to fix issues, but how do the manufacturers even learn about it? …….. Supply chain management at Toyota was transformational. They went from being a textile company to the world’s leading automobile manufacturer, largely because of these improvements and these principles. And even today, the effect of their philosophy is pretty remarkable to me. For example, Toyota-wide, they have 226 suppliers. General Motors has 5,500. And so imagine the efficiencies of only having to deal with 226 suppliers as opposed to 5,000. And what’s further to that, is that GM produces 54% of the content of their vehicles and Toyota produces 27%. So, GM has 1/20th the suppliers, and yet they produce half of the content of their vehicles. And so it’s no surprise that a Volt costs $40,000 and a Prius $20,000. And the Prius sells 20,000 units a month and GM sells 1,700.
- #17: By not using a repo, it’s like going to the grocery store every time you need a glass of milk or a teaspoon of sugar.
- #27: The analogy is sobering, yet fairly close to the truth than one might imagine. Modern software development has evolved into a “software supply chain” where developers re-use open source components from vast public repositories. Unlike traditional supply chains, developer lack the automation and visibility needed to choose better and fewer suppliers, use the highest qualify parts and track what is used where.
- #28: So how do we change that!
- #29: First of all… when you can clearly see the threat levels of components in your IDE, you can easily shift to a safer one. The area here in the lower right works like a slider… you simply slide to the right to identify a safer, accepted version of a component. So you see, you not only see a potential problem early one, but you also see the solution. Better yet… ========= Click onto pane and zoom in and zoom out Guide your eyes to the RIGHT…. This is a normal Developer IDE called Eclipse… Sonatype made a PLUGIN within it to show a developer the component BEFORE before they choose or commit to ELECTIVE/AVOIDABLE Risk/AttackSurface/Complexity/LegalIssues … The RED chain (e.g.) is every version of Strut2-core…. And if you move RIGHT far enough…. It will lack KNOW CRITICAL vulnerabilities. The Green bar charts are the download popularity… which doesn’t speak at all to SECURITY… but may give people more comfort that it is stable and being used. License rsik is based on self-defined policy – we track if the use of this license can cause your whole website to now be FREE common opensource – like GPL… which might be very bad for you… and a DIFFERENT type of risk…
- #32: Toyota’s process innovations brought them enormous gains in productivity, predictability and long term competitive advantage. That is our mission for the world of software development.
- #33: You may know Gene Kim, the author of the Phoenix project - he certainly understands the value of managing your software supply chain!