The Hidden Risk of Component Based Software Development
0 likes1,131 views
This document discusses the risks of component-based software development and the need for component lifecycle management. It notes that 80% of applications are assembled from open source and third-party components, but many organizations lack visibility into what components they use and where they may pose security risks. It argues that successful development at scale requires managing the entire lifecycle of components from identification and selection to ongoing monitoring and remediation of flaws. The document presents the Sonatype solution for component lifecycle management to help organizations gain control and governance over their use of software components.
The Hidden Risk of Component Based Software Development
- 2. What You Don’t Know Will Hurt You The Hidden Risk of Component Based Software Development Ryan Berg, CSO Sonatype Send Tweets to #CSORisk The Component Lifecycle Management Company
- 3. 80% > Written Assembled of a typical application is assembled from open source & proprietary components The Component Lifecycle Management Company
- 4. The Ice-Caps are Melting The Component Lifecycle Management Company
- 5. Development Must Keep Up with Pace Of Innovation Development must change The Component Lifecycle Management Company
- 6. Components are Everywhere By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010. Predicts 2011: Open-Source Software, the Power Behind the Throne November 2010 Global 100 Financial Institution 6,000 4,500 3,000 1,500 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Unique Components per Month The Component Lifecycle Management Company
- 7. “But we don’t use Open Source” It’s no longer a question of whether you use OSS, it’s how many components are being used & where The Component Lifecycle Management Company
- 8. What You Don’t Know Can and Will Hurt You 46,000,000 18,000 4,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks organizations downloaded a version of the Struts framework with a ‘severe’ security flaw organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’). Uncontrolled, Unmanaged Risk The Component Lifecycle Management Company
- 9. No “Throat to Choke” • Discovering a security issue is half the battle • Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain The Component Lifecycle Management Company
- 10. A Multi-faceted Challenge Complexity Diversity Volume Change One component may rely on 00s of others 40,000 Projects 200MM Classes 400K Components Typical Enterprise Consumes 000s of Components Monthly Typical Component is Updated 4X per Year The Component Lifecycle Management Company
- 11. Success Requires Discipline The Component Lifecycle Management Company
- 12. The Problem is Not Problem Discovery • When our software development ecosystem looks like this it is easy to find problems • The real challenge is to develop at scale and deliver continuous value continuously when everything else is a mess The Component Lifecycle Management Company
- 13. Current State No No visibility to what components are used, where they are used and where there is risk No No way to govern/enforce component usage. Policies are not integrated with development . Visibility Control No No efficient way to fix existing flaws. Fix The Component Lifecycle Management Company
- 14. Practical Solutions Require a Practical Approach The Component Lifecycle Management Company
- 15. “Haven’t I heard this story before?” The Component Lifecycle Management Company
- 16. It’s Not a One Trick Pony The Component Lifecycle Management Company
- 17. Accurate Identification You can’t begin if you don’t know where to start, and you can’t start if you don’t know what you have. The Component Lifecycle Management Company
- 18. Components Can be Compromised Component Repositories Non-vetted components enter the dev process from many sources Development Repositories Integrate Build Deploy Components can be compromised throughout the lifecycle The Component Lifecycle Management Company
- 19. Component Lifecycle Management Development Repo Development Repositories The Component Lifecycle Management Company
- 20. Data Driven Policies Facilitate Governance Data Feeds Security License Quality Custom Policy Management Workflow Reporting Rule-based Policies Alerts POLICY The Component Lifecycle Management Company
- 21. Sonatype Governed Development Informs and governs the software supply chain with security, popularity, and licensing information, developerfriendly policy enforcement, and early flaw detection and prevention. • Optimal component selection provides clean starting point minimizing downstream issues • Centralized policy administration with local enforcement ensures effective governance & compliance • Early problem detection & remediation ensures fast, trusted application delivery with low cost • Inventory capability provides basis for effective management & monitoring The Component Lifecycle Management Company
- 22. Sonatype Monitoring & Remediation Provides a fast-path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options. • Constant monitoring of applications ensures continuous trust. • Triage capability helps prioritize critical work. • Flexible remediation enables fast response to application problems. • Reporting & analysis capability supports audit and regulatory requirements. The Component Lifecycle Management Company
- 23. The Patch vs. Replace Dilemma Patch • • • • • Replace Investigate severity of security vulnerability Determine project status (under active maintenance) Find patch (is it available?) Determine impact of patch (assess API compatibility, etc.) Re-certify The Component Lifecycle Management Company
- 24. Security is a Matter of Priorities Development Operations Security Features Performance Security Usability Reliability/Scalability Compliance Performance Compliance Everything Else Reliability/Scalability Security Maintainability Maintainability Security Features/Usability Compliance The Component Lifecycle Management Company
- 25. Building A Better Bridge Between Dev, Ops and Security • Need to recognize that the priorities are different • Tooling needs to adopt the practice of the practitioner not the other way around • A Tool is not a process and a process is not a tool learn to leverage both. The Component Lifecycle Management Company
- 26. For More Information: Free Risk Assessment www.sonatype.com/Products/App lication-Health-Check/AnalyzeYour-App www.sonatype.com/Contact-Us The Component Lifecycle Management Company