The Hidden Risk of Component-Based Software Development
DESCRIPTION
By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010. Discovering a security issue is half the battle. Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain.
TRANSCRIPT
The Component Lifecycle Management Company
What You Don’t Know Will Hurt You: The Hidden Risk of Component-Based Software Development
Ryan Berg, CSO, Sonatype
Send Tweets to #CSORisk
>80% of a typical application is assembled from open source & proprietary components
[Chart: Assembled vs. Written]
The Ice-Caps are Melting
Development Must Keep Up with Pace Of Innovation
Development must change
“By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.”
Gartner, Predicts 2011: Open-Source Software, the Power Behind the Throne, November 2010
[Chart: Unique Components per Month at a Global 100 Financial Institution, Jan to Dec; y-axis 0 to 6,000]
Components are Everywhere
“But we don’t use Open Source”
It’s no longer a question of whether you use OSS, it’s how many components are being used & where.
Uncontrolled, Unmanaged Risk
46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks
4,000 organizations downloaded a version of the Struts framework with a ‘severe’ security flaw
18,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’).
What You Don’t Know Can and Will Hurt You
• Discovering a security issue is half the battle
• Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain
No “Throat to Choke”
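The blame problem described above, as an added example that is not part of the original deck and not Sonatype's code: a small Python walker resolves a constructed Maven-style dependency graph with the nearest-declaration-wins rule Maven applies, then reports the path by which each known-vulnerable version reaches the build, so the direct dependency responsible for propagating a fix can be named. The graph, coordinates and the vulnerable-version feed are constructed for illustration; a real graph would come from `mvn dependency:tree`.

```python
"""Find how known-vulnerable components enter a build through transitive
dependencies and name the direct dependency responsible for the fix.

Added example, not Sonatype's code. Graph, coordinates and the vulnerable
list are constructed; a real graph comes from `mvn dependency:tree`.
"""
from collections import deque

# Constructed dependency graph: "group:artifact:version" -> declared dependencies,
# in declaration order (order matters for Maven's tie-breaking).
GRAPH = {
    "example:webapp:1.0": [
        "org.apache.struts:struts-core:1.3.10",
        "example:reporting-lib:2.1",
    ],
    "org.apache.struts:struts-core:1.3.10": [
        "commons-beanutils:commons-beanutils:1.8.0",
    ],
    "example:reporting-lib:2.1": [
        "commons-collections:commons-collections:3.2.1",
        "commons-beanutils:commons-beanutils:1.9.4",
    ],
    "commons-beanutils:commons-beanutils:1.8.0": [
        "commons-collections:commons-collections:3.2.1",
    ],
    "commons-beanutils:commons-beanutils:1.9.4": [
        "commons-collections:commons-collections:3.2.2",
    ],
    "commons-collections:commons-collections:3.2.1": [],
    "commons-collections:commons-collections:3.2.2": [],
}

# Constructed data feed: (group:artifact, version) pairs flagged as insecure.
VULNERABLE = {
    ("commons-collections:commons-collections", "3.2.1"),
    ("commons-beanutils:commons-beanutils", "1.8.0"),
}


def split(coord):
    """'g:a:v' -> ('g:a', 'v')."""
    group, artifact, version = coord.split(":")
    return f"{group}:{artifact}", version


def resolve(root):
    """Breadth-first walk approximating Maven's 'nearest definition wins'
    rule (ties go to the first declaration). Returns {ga: (version, path)}
    where path is the chain of coordinates from root to the winning node.
    Dependencies of a losing declaration are not followed, just as the
    build tool would not pull them in."""
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        coord, path = queue.popleft()
        ga, version = split(coord)
        if ga in resolved:
            continue  # a nearer (or earlier) declaration already won
        resolved[ga] = (version, path)
        for dep in GRAPH.get(coord, []):
            queue.append((dep, path + [dep]))
    return resolved


def vulnerable_paths(root):
    """[(ga, version, path)] for each resolved component on the feed."""
    return sorted(
        (ga, version, path)
        for ga, (version, path) in resolve(root).items()
        if (ga, version) in VULNERABLE
    )


def blame(root):
    """Map each vulnerable component to the direct dependency of root that
    pulls it in: the one place the fix has to be propagated from."""
    return {ga: (path[1] if len(path) > 1 else path[0])
            for ga, _version, path in vulnerable_paths(root)}


if __name__ == "__main__":
    for ga, version, path in vulnerable_paths("example:webapp:1.0"):
        print(f"{ga}:{version}  via  " + " -> ".join(path))
```

The constructed graph shows the "hidden" case: the fixed commons-beanutils 1.9.4 is present in the graph, but 1.8.0 wins because it is declared first at the same depth, so a scan of declared versions alone would report the application as clean. The blame map points at struts-core for that one and at reporting-lib for commons-collections, which is the information needed to decide who has to move.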
A Multi-faceted Challenge
Complexity: one component may rely on 00s of others
Diversity: 40,000 projects, 200MM classes, 400K components
Volume: a typical enterprise consumes 000s of components monthly
Change: a typical component is updated 4X per year
Success Requires Discipline
The Problem is Not Problem Discovery
• When our software development ecosystem looks like this, it is easy to find problems
• The real challenge is to develop at scale and deliver value continuously when everything else is a mess
Current State
No Visibility: no visibility into which components are used, where they are used and where there is risk.
No Control: no way to govern/enforce component usage; policies are not integrated with development.
No Fix: no efficient way to fix existing flaws.
Practical Solutions Require a Practical Approach
“Haven’t I heard this story before?”
It’s Not a One Trick Pony
You can’t begin if you don’t know where to start, and
you can’t start if you don’t know what you have.
Accurate Identification
Components Can be Compromised
Non-vetted components enter the dev process from many sources (development, repositories, build, integrate, deploy), and components can be compromised throughout the lifecycle.
[Diagram: component repositories feeding development, build, integration and deployment]
Component Lifecycle Management
[Diagram: component lifecycle management applied to development repositories]
Data Driven Policies Facilitate Governance
Data feeds (security, license, quality) drive policy; policy management covers rule-based and custom policies, workflow, reporting and alerts.
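Accurate identification and data-driven policy together, as one added example covering both the “Accurate Identification” slide and the data-driven policy slide above (not Sonatype's product code): components are identified by the SHA-1 of their bytes, the checksum Maven Central publishes beside every artifact, rather than by file name, and rule-based policy is then applied from security, license and quality feeds. The catalog, the feeds, the artifact bytes, the rule thresholds and the `sha1_file` helper are all constructed assumptions for illustration.

```python
"""Identify components by content hash, not file name, then apply
rule-based policy from security, license and quality feeds.

Added example, not Sonatype's product logic. Catalog, feeds, thresholds
and artifact bytes are constructed; sha1_file() is the hypothetical
helper that would fingerprint real jars on disk.
"""
import hashlib


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def sha1_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 (the checksum repositories such as
    Maven Central publish beside each artifact) without loading it whole."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed file contents standing in for jars found in a build.
ARTIFACTS = {
    "lib/struts-core.jar": b"constructed bytes of struts-core 1.3.10",
    "lib/utils.jar": b"constructed bytes of commons-collections 3.2.1",  # renamed jar
    "lib/unknown.jar": b"constructed bytes of a jar not in the catalog",
}

# Constructed catalog keyed by hash, so a renamed or repackaged jar is
# still matched to its real coordinates.
CATALOG = {
    sha1(b"constructed bytes of struts-core 1.3.10"): "org.apache.struts:struts-core:1.3.10",
    sha1(b"constructed bytes of commons-collections 3.2.1"): "commons-collections:commons-collections:3.2.1",
}

# Constructed data feeds: security (max CVSS), license, quality (age).
FEEDS = {
    "org.apache.struts:struts-core:1.3.10": {"max_cvss": 9.3, "license": "Apache-2.0", "age_years": 6},
    "commons-collections:commons-collections:3.2.1": {"max_cvss": 7.5, "license": "Apache-2.0", "age_years": 4},
}

ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}  # assumed policy


def rule_security(feed):
    return f"CVSS {feed['max_cvss']} >= 7.0" if feed["max_cvss"] >= 7.0 else None


def rule_license(feed):
    lic = feed["license"]
    return None if lic in ALLOWED_LICENSES else f"license {lic} not allowed"


def rule_quality(feed):
    age = feed["age_years"]
    return f"component {age} years old" if age >= 5 else None


RULES = [rule_security, rule_license, rule_quality]


def identify(path_to_bytes):
    """{path: coordinates or None}, matched by hashing the bytes, never the name."""
    return {path: CATALOG.get(sha1(data)) for path, data in path_to_bytes.items()}


def evaluate(path_to_bytes):
    """{path: [violations]}; files the catalog cannot identify are flagged
    too, since an unknown component cannot be governed at all."""
    report = {}
    for path, coord in identify(path_to_bytes).items():
        if coord is None:
            report[path] = ["unidentified component (not in catalog)"]
            continue
        feed = FEEDS.get(coord)
        if feed is None:
            report[path] = [f"no feed data for {coord}"]
            continue
        report[path] = [v for v in (rule(feed) for rule in RULES) if v]
    return report


if __name__ == "__main__":
    for path, violations in evaluate(ARTIFACTS).items():
        print(path, "->", violations or ["clean"])
```

Hashing rather than trusting the file name is what catches `lib/utils.jar`, which is really commons-collections 3.2.1. SHA-1 is used here because it is the checksum repositories have historically published; its collision weakness matters only when an attacker controls both inputs, but where the repository also publishes SHA-256 or SHA-512 checksums, match on those as well.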
Sonatype Governed Development
Informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.
• Optimal component selection provides a clean starting point, minimizing downstream issues
• Centralized policy administration with local enforcement ensures effective governance & compliance
• Early problem detection & remediation ensures fast, trusted application delivery at low cost
• Inventory capability provides the basis for effective management & monitoring
Sonatype Monitoring & Remediation
Provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options.
• Constant monitoring of applications ensures continuous trust.
• Triage capability helps prioritize critical work.
• Flexible remediation enables fast response to application problems.
• Reporting & analysis capability supports audit and regulatory requirements.
The Patch vs. Replace Dilemma
• Investigate the severity of the security vulnerability
• Determine project status (is it under active maintenance?)
• Find a patch (is one available?)
• Determine the impact of the patch (assess API compatibility, etc.)
• Re-certify
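The checklist above turned into code, as an added example that is not from the deck: a decision function over a constructed release history that prefers a fixed release within the current major line (patch), falls back to a later major line or a different component (replace), and lets severity set the priority. The release history, the maintenance flag and the `severe` threshold are assumptions made for illustration.

```python
"""Patch vs. replace: turn the slide's checklist (severity, maintenance
status, patch availability, API impact, re-certification) into a decision.

Added example, not Sonatype's code. The release history, the maintenance
flag and the `severe` threshold are constructed assumptions.
"""


def parse(version):
    """'1.3.10' -> (1, 3, 10) so versions compare numerically, not as
    strings (as strings, '1.3.9' would sort above '1.3.10')."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fmt(version_tuple):
    return ".".join(str(p) for p in version_tuple)


# Constructed release history for one component: version -> vulnerable?
RELEASES = {
    "1.3.8": True,
    "1.3.10": True,
    "1.3.11": False,
    "2.0.1": False,
}


def decide(current, releases, maintained, max_cvss, severe=7.0):
    """Return {'action', 'target', 'reason', 'priority'}.
    patch   = move to a fixed release in the same major line (API expected
              to be compatible, but still re-certify);
    replace = no such release: jump major lines, or switch component."""
    cur = parse(current)
    fixed = sorted(parse(v) for v, vulnerable in releases.items()
                   if not vulnerable and parse(v) > cur)
    same_major = [v for v in fixed if v[0] == cur[0]]
    priority = "immediate" if max_cvss >= severe else "scheduled"
    if not maintained:
        action, target, reason = "replace", None, (
            "project no longer maintained; future flaws will go unfixed")
    elif same_major:
        action, target, reason = "patch", fmt(same_major[0]), (
            "fixed release in the same major line; re-certify after upgrade")
    elif fixed:
        action, target, reason = "replace", fmt(fixed[0]), (
            "fix only in a later major line; assess API impact and re-certify")
    else:
        action, target, reason = "replace", None, (
            "no fixed release available; choose an alternative component")
    return {"action": action, "target": target, "reason": reason,
            "priority": priority}


if __name__ == "__main__":
    print(decide("1.3.10", RELEASES, maintained=True, max_cvss=9.3))
```

The numeric version parse is the part that matters in practice: a string comparison would rank 1.3.9 above 1.3.10 and miss the fix. The maintenance check runs first because a fixed release from an abandoned project only buys time until the next flaw.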
Security is a Matter of Priorities
Rank | Development             | Operations              | Security
1    | Features                | Performance             | Security
2    | Usability               | Reliability/Scalability | Compliance
3    | Performance             | Compliance              | Everything Else
4    | Reliability/Scalability | Security                |
5    | Maintainability         | Maintainability         |
6    | Security                | Features/Usability      |
7    | Compliance              |                         |
Building A Better Bridge Between Dev, Ops and Security
• Need to recognize that the priorities are different
• Tooling needs to adopt the practice of the practitioner, not the other way around
• A tool is not a process and a process is not a tool; learn to leverage both.
For More Information: Free Risk Assessment
www.sonatype.com/Products/Application-Health-Check/Analyze-Your-App
www.sonatype.com/Contact-Us