Findings Revealed: 2015 State of the Software Supply Chain

Uploaded by: sonatype

Posted on: 06-Aug-2015

TRANSCRIPT

TOP HIGHLIGHTS & BENCHMARKS

Derek E. Weeks, VP and DevOps Advocate

RESEARCH COVERED BY

DevOps Leadership Series & Contributing Author

Upcoming Speaking Engagements:

LISA15 | USENIX (Nov. 12, 2015 - DC)
OWASP NYC CyberSocial (September 16, 2015 - NYC)
Atlanta Java Users Group (Sept. 15, 2015 - Atlanta)
HP Protect (Sept. 3, 2015 - DC)

@weekstweets

@sonatype

106,000 Organizations Analyzed

Source: 2015 State of the Software Supply Chain Report

We all have a SOFTWARE SUPPLY CHAIN

Modern software development HAS CHANGED

Our process HASN’T CHANGED ENOUGH

John Willis, DevOps Days Core Organizer

Gareth Rushgrove, Puppet Labs

Nigel Simpson, F-100 Entertainment Giant

[Chart: Open Source Download Requests per year, 2007-2014; values shown on the chart: 500M, 1B, 2B, 4B, 6B, 8B, 13B, 17B]

Source: 2015 State of the Software Supply Chain Report

POLLING QUESTION

What percent of modern apps are composed of open source components?

a. 10 - 20%
b. 50 - 60%
c. 80 - 90%

How Dependent on 3rd Parties Are We?

Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)

3 savings in modern supply chains:

Better and fewer suppliers

Higher quality parts

Improved visibility and traceability

Automation

CHANGE: Typical component is updated 3 - 4X per year.

985,000 OSS COMPONENTS

11 MILLION OSS USERS

108,000 SUPPLIERS

Source: 2015 State of the Software Supply Chain Report

POLLING QUESTION

How many open source suppliers do companies work with?

a. 5,372
b. 7,601
c. 15,118

Suppliers Serving Manufacturers

            Orders (downloads)   Suppliers (artifacts)   Parts (versions)
Average     240,757              7,601                   18,614

Source: 2015 State of the Software Supply Chain Report

41% repaired: 390 days (median 265 days); CVSS 10s: 224 days

59% never repaired

<7: The best were remediated in under a week.

Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

Source: modulecounts.com

Sample of Open Source Repositories

2014 Volume of Download Requests
Central.sonatype.org   17,213,084,947
Npmjs.org              15,460,748,856
NuGetGallery.com          280,124,916
Bintray.com               250,000,000

Source: 2015 State of the Software Supply Chain Report

CHANGE: Typical component is updated 3 - 4X per year.

Unlike COTS, there is no clear, effective COMMUNICATION channel …but there can be.

985,000 OSS COMPONENTS

11 MILLION OSS USERS

Repository Managers Accessing the Central Repository

Source: 2015 State of the Software Supply Chain Report

[Diagram: two component-sourcing patterns, labelled PATTERN #1 and PATTERN #2: Public Repos -> Local Repo -> Build Tool, and Public Repos -> Build Tool]

POLLING QUESTION

What percent of components are sourced from public repositories?

a. 25%
b. 55%
c. 95%

[Diagram: the same two sourcing patterns, Public Repos -> Local Repo -> Build Tool and Public Repos -> Build Tool, labelled 95% of downloads and 5% of downloads]

Source: 2015 State of the Software Supply Chain Report

100-200 Cycle Time: Minutes-Hours

240,000 Components Downloaded Annually

Source: 2015 State of the Software Supply Chain Report

POLLING QUESTION

What percent of organizations do not have a policy governing quality and integrity of components?

a. 25%
b. 55%
c. 95%

Q: Does your organization have an open source policy?

Half of organizations continue to run without an open source policy.

Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey

If it does not fit, it does not get done.

Orders Quality Control

Average downloads   # with known vulnerabilities   % with known vulnerabilities   % known vulnerabilities (2013 or older)
240,757             15,337                         7.5%                           66.3%

Download Volumes of Old CVEs

Source: 2015 State of the Software Supply Chain Report

Outdated Versions Downloaded

Image Source: caranddriver.com

Analysis of 1,500+ Applications

106 components

24 known vulnerabilities

9 restrictive licenses

1. Create a software Bill of Materials for one application

2. Design a frictionless, automated, “continuous” approach

3. Empower developers with the right information at the right time
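As an added example (not code from the deck, nor from Sonatype's own tools), the three steps above reduced to a small script: build a minimal Bill of Materials from `mvn dependency:list` output and evaluate each component against a simple policy for known vulnerabilities and outdated versions. The sample output, the `org.example` coordinates, the advisory id and the latest-version table are constructed placeholders.

```python
import re
from collections import namedtuple

# Constructed sample of `mvn dependency:list` output. The line format is Maven's
# (groupId:artifactId:type[:classifier]:version:scope); coordinates are placeholders.
DEP_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:lib-core:jar:1.2.0:compile
[INFO]    org.example:lib-xml:jar:0.9.1:compile
[INFO]    org.example:lib-native:jar:linux-x86_64:2.0.0:runtime
[INFO]    org.example:lib-old:jar:2.1.3:runtime
"""
# Constructed policy inputs (placeholder advisory id, not a real one). A repository
# manager or vulnerability feed would supply these, not a hand-written table.
KNOWN_VULNERABLE = {("org.example", "lib-xml", "0.9.1"): "PLACEHOLDER-ADVISORY-1"}
LATEST_VERSION = {"org.example:lib-core": "1.2.0", "org.example:lib-xml": "1.0.0",
                  "org.example:lib-native": "2.0.0", "org.example:lib-old": "3.0.0"}

# Matches one resolved-dependency line; the classifier field is optional.
DEP_RE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+)(?::([^:\s]+))?:([^:\s]+):(\w+)")

Component = namedtuple("Component", "group artifact version scope")

def build_bom(dep_list_output):
    """Return one Component per resolved dependency; header/noise lines are skipped."""
    bom = []
    for line in dep_list_output.splitlines():
        m = DEP_RE.match(line)
        if m:
            group, artifact, _type, _classifier, version, scope = m.groups()
            bom.append(Component(group, artifact, version, scope))
    return bom

def evaluate_policy(bom):
    """Map each component to its policy findings; an empty list means it passed."""
    findings = {}
    for c in bom:
        issues = []
        advisory = KNOWN_VULNERABLE.get((c.group, c.artifact, c.version))
        if advisory:
            issues.append("vulnerable:" + advisory)
        latest = LATEST_VERSION.get(c.group + ":" + c.artifact)
        if latest and latest != c.version:
            issues.append("outdated:latest=" + latest)
        findings[c] = issues
    return findings
```

Run it as a build step and fail the build on any non-empty findings list; the BOM itself is what the first step asks for, the policy check is the automated part of the second.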


CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD

Jenkins integration: run history and status of each build, across multiple applications.

Builds might be stable or unstable. Also shows build successes and failures.

Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.

Shift Left = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE

License, Security and Architecture data for each component, evaluated against your policy

EMPOWER DEVELOPERS FROM THE START

CREATE A SOFTWARE BILL OF MATERIALS

bit.ly/softwareBOM

5 MINUTES

YOU ALL GET A COPY TODAY!

IT’S TIME WE IMPROVE OUR SOFTWARE SUPPLY CHAINS