SlideShare a Scribd company logo

Sonatype Software Supply Chain 2017 - JAVA Users Group

R
Ravi Lachhman

The Tampa Java Users Group meeting in May 2017 highlighted the evolution of software development practices, noting a significant reliance on open source components in modern applications, which constitutes 80%-90% of their architecture. It discussed the risks associated with vulnerable components, revealing that a significant percentage of Java and JavaScript libraries had known security vulnerabilities, emphasizing the necessity for organizations to implement open source policies and maintain inventories of components used in applications. The presentation also stressed the importance of utilizing newer components to reduce defect density in software.

Technology
1 of 29
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Tampa JAVA Users Group May 2017 Ravi Lachhman – JAR Wrangler
1 COMPANIES DON’T WRITE; 2 3 SOFTWARE ANYMORE;
1990s Waterfall-Native 2000s Agile 2015 DevOps-Native
Utilizing billions of parts from open source communities... 80% to 90% of modern apps consist of assembled components.
“You cannot inspect quality into a product.” W. Edwards Deming Out of the Crisis 1982 5
THE BEST ARE BORROWING FROM DEMING
NOT ALL PARTS ARE CREATED EQUAL
Say Hello to Your Software Supply Chain…
1,152 new projects per day 10,000 new versions per day 14x releases per year
THE SSC INDEX Open Source Component Download Requests, The Central Repository, 2008 - 2016
DOWNLOAD RECORDS FOR 2014 2015 2016 4.6 BILLION 22.5 59.0
DOCKER HUB DOWNLOADS 1,000,000,000 2014 2015 2016 3,000,000,000 6,000,000,000 9,000,000,000 12,000,000,000 2017 2014 1M PULLS 2015 1B PULLS 2016 6B PULLS 2017 12B PULLS Source: DockerCon 2017 Keynote
2014 2015 2016 5.5%6.1%6.2% DEFECT DOWNLOAD RATIO FOR JAVA COMPONENTS
125,701 downloads orders 3,185 components - all versions parts 1,346 components suppliers Analysis of 7,500 organizations
125,701 downloads Analysis of 7500 organizations 7,248 5.8% known security vulnerabilities
Warehouses Manufacturers Finished Goods 6.1% component downloads are vulnerable 5.6% components in repository managers are vulnerable 6.8% components in applications are vulnerable
DEFECT RATIO FOR JAVASCRIPT Source: Thou Shalt Not Depend on Me: Analyzing the Use of Outdated JavaScript Libraries on the Web, © 2017 NDSS, Northeastern University 87% of handlebars inclusions were known vulnerable 37% of jQuery inclusions were known vulnerable 40% of Angular inclusions were known vulnerable 37% websites include at least one library with a known vulnerability
Source: 2014 Sonatype Open Source Development and Application Security Survey, and Sonatype’s 2017 DevSecOps Community survey ALMOST 4-IN-10 RUN WITHOUT AN OPEN SOURCE POLICY Q: Does your organization have an open source policy? 2014 2017 57% YES 58% YES
NEWER COMPONENTS MAKE BETTER SOFTWARE Analysis of components in 25,000 applications scans COMPONENTS BY YEAR DEFECT DENSITY 1 2 3 4 5 6 7 8 9 10 11 5% 10% 15% 20% 25% Component Age in Years 3X HIGHER DEFECT DENSITY
OLDER COMPONENTS DIE OFF Analysis of components in 25,000 applications scans INACTIVE PROJECTS (% on latest version) 1 2 3 4 5 6 7 8 9 10 11 5% 10% 15% 20% 25% Component Age in Years
TRACK AND TRACE Does your organization maintain an inventory of open source components used in production applications? (e.g., a software bill of materials)
Sonatype Software Supply Chain 2017 - JAVA Users Group
18,330,958 78% downloads were vulnerable COMMONS COLLECTION CWE-502 23,476,966 total downloads in 2016
2,731 organizations downloaded the vulnerable versions. STRUTS2 CVE-2017-5638 279,796 total downloads in 2016 Image Source: Canadian Revenue Agency, Wikipedia
Sonatype Software Supply Chain 2017 - JAVA Users Group
ZTTR (Zero Time to Remediation) EMPOWER DEVELOPERS FROM THE START @weekstweets
Create your own for free at bit.ly/softwareBOM @sonatype CREATE A SOFTWARE BILL OF MATERIALS
Get my slides. rlachhman@sonatype.com
Sonatype Software Supply Chain 2017 - JAVA Users Group

More Related Content

PPTX
From 0 to DevOps: Lessons Learned Moving from On-Prem to Cloud Native
Klaus Enzenhofer
 
PPTX
DevOps for AI Apps
Richin Jain
 
PPTX
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
PDF
A DevOps State of Mind with Microservices, Containers and Kubernetes
All Things Open
 
PPTX
Boston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and How
Andreas Grabner
 
PDF
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
PPTX
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
PPTX
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
Mike Villiger
 
From 0 to DevOps: Lessons Learned Moving from On-Prem to Cloud Native
Klaus Enzenhofer
 
DevOps for AI Apps
Richin Jain
 
DevOps and All the Continuouses w/ Helen Beal
Sonatype
 
A DevOps State of Mind with Microservices, Containers and Kubernetes
All Things Open
 
Boston DevOps Days 2016: Implementing Metrics Driven DevOps - Why and How
Andreas Grabner
 
Continuous Security: Using Automation to Expand Security's Reach
Matt Tesauro
 
DevOps Days Toronto: From 6 Months Waterfall to 1 hour Code Deploys
Andreas Grabner
 
Performance Metrics Driven CI/CD - Introduction to Continuous Innovation and ...
Mike Villiger
 

What's hot (18)

PPTX
Metrics Driven DevOps - Automate Scalability and Performance Into your Pipeline
Andreas Grabner
 
PPTX
DevOps Pipelines and Metrics Driven Feedback Loops
Andreas Grabner
 
PPTX
How to explain DevOps to your mom
Andreas Grabner
 
PDF
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
PPTX
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps_Fest
 
PPTX
Facilitating DevOps Execution in an All Digital Environment
Kurt Andersen
 
PDF
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
PPTX
Applying AI to Performance Engineering: Shift-Left, Shift-Right, Self-Healing
Andreas Grabner
 
PPTX
Global DevOps BootCamp
Vicente Gerardo Guzman Lucio
 
PPTX
Spring Webflux
Carlos E. Salazar
 
PDF
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
PPTX
The Role of Automation in the Journey to Continuous Delivery
XebiaLabs
 
PDF
Metrics driven dev ops 2017
Jerry Tan
 
PDF
Continuously serving the developer community with Continuous Integration and...
Thoughtworks
 
PDF
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
PDF
Microservices 101: From DevOps to Docker and beyond
Donnie Berkholz
 
PPTX
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
PPTX
DOES SFO 2016 - Daniel Perez - Doubling Down on ChatOps in the Enterprise
Gene Kim
 
Metrics Driven DevOps - Automate Scalability and Performance Into your Pipeline
Andreas Grabner
 
DevOps Pipelines and Metrics Driven Feedback Loops
Andreas Grabner
 
How to explain DevOps to your mom
Andreas Grabner
 
OSMC 2015: Monitoring at Spotify-When things go ping in the night by Martin Parm
NETWAYS
 
DevOps Fest 2020. Kohsuke Kawaguchi. GitOps, Jenkins X & the Future of CI/CD
DevOps_Fest
 
Facilitating DevOps Execution in an All Digital Environment
Kurt Andersen
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Matt Tesauro
 
Applying AI to Performance Engineering: Shift-Left, Shift-Right, Self-Healing
Andreas Grabner
 
Global DevOps BootCamp
Vicente Gerardo Guzman Lucio
 
Spring Webflux
Carlos E. Salazar
 
Taking the Best of Agile, DevOps and CI/CD into security
Matt Tesauro
 
The Role of Automation in the Journey to Continuous Delivery
XebiaLabs
 
Metrics driven dev ops 2017
Jerry Tan
 
Continuously serving the developer community with Continuous Integration and...
Thoughtworks
 
DevSecOps Fundamentals and the Scars to Prove it.
Matt Tesauro
 
Microservices 101: From DevOps to Docker and beyond
Donnie Berkholz
 
DOES SFO 2016 - Scott Willson - Top 10 Ways to Fail at DevOps
Gene Kim
 
DOES SFO 2016 - Daniel Perez - Doubling Down on ChatOps in the Enterprise
Gene Kim
 
Ad

Similar to Sonatype Software Supply Chain 2017 - JAVA Users Group (20)

PDF
Containers, Serverless, Polyglot Development World, And Others…10 trends resh...
PROIDEA
 
PDF
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace
 
PPTX
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
Sencha
 
PPTX
Sencha Tooling - Senchacon Conference
Sandeep Adwankar
 
PDF
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
Docker, Inc.
 
PDF
AppSec Pipelines and Event based Security
Matt Tesauro
 
PDF
Alibaba Cloud Conference 2016 - Docker Enterprise
John Willis
 
PDF
How React Native has changed Web and Mobile Application Development, Engineer...
engineermaste solution
 
PDF
Why big organizations like tesla, facebook, walmart, skype are using react na...
MoonTechnolabsPvtLtd
 
PPTX
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
PDF
Open source-in-security-critical-environments
DESMOND YUEN
 
PDF
Open Source in Security-Critical Environments
Priyanka Aash
 
PDF
The Enterprise Case for Node.js
NodejsFoundation
 
PPT
Why react native is the best choice for app development process
Orange Mantra
 
PPTX
DockerCon EU 2017 - General Session Day 2
Docker, Inc.
 
PDF
Continuuity Presents at Under the Radar 2013
Dealmaker Media
 
PPTX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
PDF
Spring Boot & Spring Cloud on PAS- Nate Schutta (1/2)
VMware Tanzu
 
PDF
When Developers Operate and Operators Develop
Adrian Cockcroft
 
PDF
Yohanes Widi Sono - Modern Development for Business Agility
Agile Impact Conference
 
Containers, Serverless, Polyglot Development World, And Others…10 trends resh...
PROIDEA
 
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace
 
SenchaCon 2016: Cross-Platform Mobile App Development with Cordova and Visual...
Sencha
 
Sencha Tooling - Senchacon Conference
Sandeep Adwankar
 
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
Docker, Inc.
 
AppSec Pipelines and Event based Security
Matt Tesauro
 
Alibaba Cloud Conference 2016 - Docker Enterprise
John Willis
 
How React Native has changed Web and Mobile Application Development, Engineer...
engineermaste solution
 
Why big organizations like tesla, facebook, walmart, skype are using react na...
MoonTechnolabsPvtLtd
 
Docker Bday #5, SF Edition: Introduction to Docker
Docker, Inc.
 
Open source-in-security-critical-environments
DESMOND YUEN
 
Open Source in Security-Critical Environments
Priyanka Aash
 
The Enterprise Case for Node.js
NodejsFoundation
 
Why react native is the best choice for app development process
Orange Mantra
 
DockerCon EU 2017 - General Session Day 2
Docker, Inc.
 
Continuuity Presents at Under the Radar 2013
Dealmaker Media
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
Docker, Inc.
 
Spring Boot & Spring Cloud on PAS- Nate Schutta (1/2)
VMware Tanzu
 
When Developers Operate and Operators Develop
Adrian Cockcroft
 
Yohanes Widi Sono - Modern Development for Business Agility
Agile Impact Conference
 
Ad

More from Ravi Lachhman (12)

PPTX
DevOps Days ATL 2022 - Ravi Lachhman
Ravi Lachhman
 
PPTX
DevOps vs SRE - CI/CD Pipelines Bridging the Gap
Ravi Lachhman
 
PPTX
What Can We Learn about KBBQ and Kubernetes
Ravi Lachhman
 
PDF
Machine Learning for Continuous Delivery
Ravi Lachhman
 
PPTX
Doughnut Dilemma - SRECon
Ravi Lachhman
 
PPTX
AWS re:Invent - AIOps - What do you say you do here
Ravi Lachhman
 
PPTX
CloudNativeCon Stability in an Unstable World
Ravi Lachhman
 
PPTX
Caribbean Developers Conference - 201K8s
Ravi Lachhman
 
PDF
Twelve Factor App vs Twelve Layer Burrito
Ravi Lachhman
 
PPTX
Js Conf 2018 - Confessions of a JEE Addict
Ravi Lachhman
 
PDF
Someone Call the Operator - ATL K8's Meetup
Ravi Lachhman
 
PDF
CloudBees and Sonatype - MeetUp
Ravi Lachhman
 
DevOps Days ATL 2022 - Ravi Lachhman
Ravi Lachhman
 
DevOps vs SRE - CI/CD Pipelines Bridging the Gap
Ravi Lachhman
 
What Can We Learn about KBBQ and Kubernetes
Ravi Lachhman
 
Machine Learning for Continuous Delivery
Ravi Lachhman
 
Doughnut Dilemma - SRECon
Ravi Lachhman
 
AWS re:Invent - AIOps - What do you say you do here
Ravi Lachhman
 
CloudNativeCon Stability in an Unstable World
Ravi Lachhman
 
Caribbean Developers Conference - 201K8s
Ravi Lachhman
 
Twelve Factor App vs Twelve Layer Burrito
Ravi Lachhman
 
Js Conf 2018 - Confessions of a JEE Addict
Ravi Lachhman
 
Someone Call the Operator - ATL K8's Meetup
Ravi Lachhman
 
CloudBees and Sonatype - MeetUp
Ravi Lachhman
 

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Teaching material agriculture food technology
LiaRayya
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
A Presentation on Artificial Intelligence
memembruh336
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Cloud computing and distributed systems.
kkkkkhan
 

Sonatype Software Supply Chain 2017 - JAVA Users Group