The Hidden Risk of Component-Based Software Development


Upload: sonatype

Posted on 26-May-2015


Category:

Technology



DESCRIPTION

By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010. Discovering a security issue is half the battle. Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain.

TRANSCRIPT

Page 1: The Hidden Risk of Component Based Software Development
Page 2: The Hidden Risk of Component Based Software Development

The Component Lifecycle Management Company

What You Don’t Know Will Hurt You: The Hidden Risk of Component-Based Software Development

Ryan Berg, CSO Sonatype

Send Tweets to #CSORisk

Page 3: The Hidden Risk of Component Based Software Development


>80% of a typical application is assembled from open source & proprietary components

[Chart: Assembled vs. Written]

Page 4: The Hidden Risk of Component Based Software Development


The Ice-Caps are Melting

Page 5: The Hidden Risk of Component Based Software Development


Development Must Keep Up with Pace Of Innovation

Development must change

Page 6: The Hidden Risk of Component Based Software Development


“By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.”

Source: Predicts 2011: Open-Source Software, the Power Behind the Throne (November 2010)

[Chart: Unique Components per Month, Global 100 Financial Institution; y-axis 0 to 6,000, Jan through Dec]

Components are Everywhere

Page 7: The Hidden Risk of Component Based Software Development


“But we don’t use Open Source”

It’s no longer a question of whether you use OSS, it’s how many components are being used & where

Page 8: The Hidden Risk of Component Based Software Development


46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks

Uncontrolled, Unmanaged Risk

4,000 organizations downloaded a version of the Struts framework with a ‘severe’ security flaw

18,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’).

What You Don’t Know Can and Will Hurt You

Page 9: The Hidden Risk of Component Based Software Development


• Discovering a security issue is half the battle

• Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain

No “Throat to Choke”
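The attribution problem on this slide, a hidden transitive dependency with no obvious owner, is mechanical once the dependency tree is in hand. The script below is an added example, not code from the presentation or from Sonatype: it parses the text output of `mvn dependency:tree`, walks it, and for each component that matches an advisory feed records the path back to the direct dependency declared in the project's own POM, which is the dependency whose upgrade has to carry the fix. The tree text, the advisory entries and every `com.example` coordinate are constructed for illustration and describe no real flaw.

```python
"""Attribute each vulnerable component in a Maven dependency tree to the
direct dependency that pulls it in, so that every fix has an owner.

Added example, not code from the presentation or from Sonatype. The tree
text and the advisory feed are constructed; every coordinate is
hypothetical and describes no real flaw."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Each level of `mvn dependency:tree` output is a three-character cell
# ("+- ", "\- ", "|  " or "   "); the coordinate follows the last cell.
_LINE_RE = re.compile(r"^((?:[|+\\ ][ -] )*)(\S.*)$")
# groupId:artifactId:type:version[:scope][ note]; only g, a, version are kept
_COORD_RE = re.compile(r"^([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+)")

Advisories = Dict[str, Tuple[str, Optional[str]]]  # coord -> (severity, fixed_in)

@dataclass
class Node:
    coord: str                   # group:artifact:version
    children: List["Node"] = field(default_factory=list)

def parse_tree(text: str) -> Node:
    """Build a Node tree from single-module `mvn dependency:tree` output."""
    root: Optional[Node] = None
    stack: List[Node] = []       # stack[d] is the most recent node at depth d
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        m = _LINE_RE.match(line)
        cm = _COORD_RE.match(m.group(2)) if m else None
        if cm is None:
            continue             # plugin banners, blank lines, build log noise
        node = Node(":".join(cm.groups()))
        depth = len(m.group(1)) // 3
        if depth == 0:
            root, stack = node, [node]
            continue
        if root is None or depth > len(stack):
            raise ValueError(f"malformed tree line: {raw!r}")
        stack[depth - 1].children.append(node)
        del stack[depth:]        # this sibling closes any deeper branch
        stack.append(node)
    if root is None:
        raise ValueError("no root artifact found")
    return root

@dataclass(frozen=True)
class Finding:
    component: str               # vulnerable group:artifact:version
    severity: str
    fixed_in: Optional[str]      # None when no fixed release is known
    path: Tuple[str, ...]        # root -> direct dependency -> ... -> component

    @property
    def direct_dependency(self) -> str:
        return self.path[1]      # the declaration in the project's own POM

    @property
    def hidden(self) -> bool:
        return len(self.path) > 2  # transitive: never declared by the project

def find_vulnerable(root: Node, advisories: Advisories) -> List[Finding]:
    """Depth-first walk recording the full path to each vulnerable node."""
    findings: List[Finding] = []

    def walk(node: Node, path: Tuple[str, ...]) -> None:
        path += (node.coord,)
        adv = advisories.get(node.coord)
        if adv is not None and len(path) > 1:   # the root itself is not a dependency
            findings.append(Finding(node.coord, adv[0], adv[1], path))
        for child in node.children:
            walk(child, path)

    walk(root, ())
    return findings

# Constructed sample output with hypothetical coordinates.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ webapp ---
[INFO] com.example:webapp:war:1.0.0
[INFO] +- com.example.web:web-framework:jar:2.3.0:compile
[INFO] |  +- com.example.web:expression-lang:jar:3.0.6:compile
[INFO] |  |  \\- com.example.bytecode:class-rewriter:jar:3.3:compile
[INFO] |  \\- com.example.web:action-core:jar:2.3.0:compile
[INFO] +- com.example.io:file-upload:jar:1.2.2:compile
[INFO] \\- com.example.logging:log-api:jar:1.7.5:compile
"""
ADVISORIES: Advisories = {   # constructed advisory feed
    "com.example.web:expression-lang:3.0.6": ("severe", "3.0.8"),
    "com.example.io:file-upload:1.2.2": ("severe", "1.3.0"),
    "com.example.bytecode:class-rewriter:3.3": ("moderate", None),
}

if __name__ == "__main__":
    for f in find_vulnerable(parse_tree(SAMPLE_TREE), ADVISORIES):
        kind = "hidden" if f.hidden else "declared"
        print(f"{f.severity:8} {f.component} [{kind}] owner: {f.direct_dependency}")
        print("         " + " -> ".join(f.path))
```

Run as-is it reports three findings, two of them hidden behind the single `web-framework` declaration. A finding whose `fixed_in` is None and whose owner is somebody else's framework is the "no throat to choke" case: the project cannot upgrade its own POM out of it and has to exclude or replace the transitive, then re-certify.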

Page 10: The Hidden Risk of Component Based Software Development


Complexity, Diversity, Volume, Change

Complexity: one component may rely on 100s of others

Diversity: 40,000 projects, 200MM classes, 400K components

Volume: a typical enterprise consumes 1,000s of components monthly

Change: a typical component is updated 4X per year

A Multi-faceted Challenge

Page 11: The Hidden Risk of Component Based Software Development


Success Requires Discipline

Page 12: The Hidden Risk of Component Based Software Development


The Problem is Not Problem Discovery

• When our software development ecosystem looks like this, it is easy to find problems

• The real challenge is to develop at scale and deliver value continuously when everything else is a mess

Page 13: The Hidden Risk of Component Based Software Development


Current State

No Visibility: no visibility into what components are used, where they are used and where there is risk.

No Control: no way to govern/enforce component usage; policies are not integrated with development.

No Fix: no efficient way to fix existing flaws.

Page 14: The Hidden Risk of Component Based Software Development


Practical Solutions Require a Practical Approach

Page 15: The Hidden Risk of Component Based Software Development


“Haven’t I heard this story before?”

Page 16: The Hidden Risk of Component Based Software Development


It’s Not a One Trick Pony

Page 17: The Hidden Risk of Component Based Software Development


You can’t begin if you don’t know where to start, and you can’t start if you don’t know what you have.

Accurate Identification

Page 18: The Hidden Risk of Component Based Software Development


[Diagram: Development, Build, Integrate, Deploy; Development Repositories; Component Repositories]

Non-vetted components enter the dev process from many sources

Components Can be Compromised

Components can be compromised throughout the lifecycle
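Whether a component was altered somewhere along the way or simply arrived from a source nobody vetted is something the build can check at admission time. The script below is an added example, not code from the presentation or from Sonatype: it admits an artifact only if it was fetched from an allowed repository, is pinned in a vetted manifest, and its SHA-256 digest matches the pin. The manifest, the artifact bytes, the `com.example` coordinates and the `repo.internal.example` origin are all constructed for illustration.

```python
"""Admit only artifacts that came from an allowed repository and match a
vetted manifest: an unpinned artifact never went through vetting, and one
whose digest differs from its pin was altered between vetting and the build.

Added example, not code from the presentation or from Sonatype. Manifest,
artifact bytes and origins are constructed in memory so this runs offline;
in practice the pin is recorded when the component is vetted and checked
against the .sha256 sidecar a repository publishes beside each artifact."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical internal repository manager; everything else is an unvetted source.
ALLOWED_ORIGINS = ("https://repo.internal.example/",)


@dataclass(frozen=True)
class Verdict:
    coord: str       # group:artifact:version
    status: str      # "ok" | "unvetted-source" | "unpinned" | "tampered"
    detail: str


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(fetched: Dict[str, Tuple[str, bytes]], manifest: Dict[str, str]) -> List[Verdict]:
    """fetched maps coord -> (origin URL, bytes); manifest maps coord -> sha256 hex."""
    verdicts: List[Verdict] = []
    for coord, (origin, data) in fetched.items():
        actual, pinned = digest(data), manifest.get(coord)
        if not origin.startswith(ALLOWED_ORIGINS):
            status, detail = "unvetted-source", f"fetched from {origin}"
        elif pinned is None:
            status, detail = "unpinned", "absent from the vetted manifest"
        elif actual != pinned:
            status, detail = "tampered", f"pinned {pinned[:12]}.., fetched {actual[:12]}.."
        else:
            status, detail = "ok", ""
        verdicts.append(Verdict(coord, status, detail))
    return verdicts


def admit(fetched: Dict[str, Tuple[str, bytes]], manifest: Dict[str, str]) -> bool:
    """Build gate: every artifact must come from an allowed origin, be pinned, and be unmodified."""
    return all(v.status == "ok" for v in verify(fetched, manifest))


# Constructed stand-ins for jar bytes that were vetted at some earlier point.
VETTED: Dict[str, bytes] = {
    "com.example.web:web-framework:2.3.0": b"PK\x03\x04 web-framework 2.3.0 classes",
    "com.example.io:file-upload:1.3.0": b"PK\x03\x04 file-upload 1.3.0 classes",
}
MANIFEST: Dict[str, str] = {coord: digest(data) for coord, data in VETTED.items()}

INTERNAL = "https://repo.internal.example/maven2/"
# What the build actually pulled: one clean, one altered by a single byte,
# one never vetted, one from a mirror the policy does not allow.
FETCHED: Dict[str, Tuple[str, bytes]] = {
    "com.example.web:web-framework:2.3.0": (INTERNAL, VETTED["com.example.web:web-framework:2.3.0"]),
    "com.example.io:file-upload:1.3.0": (INTERNAL, VETTED["com.example.io:file-upload:1.3.0"][:-1] + b"!"),
    "com.example.util:helper:0.9.0": (INTERNAL, b"PK\x03\x04 helper 0.9.0 classes"),
    "com.example.logging:log-api:1.7.5": ("https://mirror.example.net/maven2/", b"PK\x03\x04 log-api 1.7.5 classes"),
}

if __name__ == "__main__":
    for v in verify(FETCHED, MANIFEST):
        print(f"{v.status:16} {v.coord} {v.detail}")
    print("admit build:", admit(FETCHED, MANIFEST))
```

The origin check runs first on purpose: a digest that happens to match is not evidence that a component from an unapproved mirror was vetted, and treating it as such would let the mirror become a back door into the build.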

Page 19: The Hidden Risk of Component Based Software Development


Component Lifecycle Management

[Diagram: Development Repositories]

Page 20: The Hidden Risk of Component Based Software Development


Data Driven Policies Facilitate Governance

[Diagram: Data Feeds (Security, License, Quality); POLICY (Policy Management, Rule-based Policies, Custom); Reporting, Alerts, Workflow]

Page 21: The Hidden Risk of Component Based Software Development


Sonatype Governed Development

Informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.

• Optimal component selection provides a clean starting point, minimizing downstream issues

• Centralized policy administration with local enforcement ensures effective governance & compliance

• Early problem detection & remediation ensures fast, trusted application delivery at low cost

• Inventory capability provides the basis for effective management & monitoring

Page 22: The Hidden Risk of Component Based Software Development


Sonatype Monitoring & Remediation

Provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options.

• Constant monitoring of applications ensures continuous trust.

• Triage capability helps prioritize critical work.

• Flexible remediation enables fast response to application problems.

• Reporting & analysis capability supports audit and regulatory requirements.

Page 23: The Hidden Risk of Component Based Software Development


The Patch vs. Replace Dilemma

[Diagram: Patch vs. Replace]

• Investigate the severity of the security vulnerability

• Determine project status (is it under active maintenance?)

• Find a patch (is one available?)

• Determine the impact of the patch (assess API compatibility, etc.)

• Re-certify
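Slides 20 through 23 describe rule-based policy driven by security, license and quality feeds, and the patch-or-replace decision for a component that fails the security rule. The script below is an added example, not Sonatype's product logic: it evaluates a component inventory against such rules, fails the build on any blocking violation, and for each component with a security finding picks the lowest clean version in the repository, calling it a patch when it stays in the current major line (API expected to be compatible, re-certify and ship) and a replacement when it crosses a major boundary or no clean version exists. The feeds, the version catalogue, the policy thresholds, the inventory and the `com.example` coordinates are all constructed assumptions.

```python
"""Rule-based policy over security, license and quality feeds, plus the
patch-or-replace decision for each component with a security finding.

Added example, not Sonatype's product logic. Feeds, version catalogue,
thresholds and inventory are constructed; all coordinates are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed data feeds; coord means group:artifact:version.
SECURITY: Dict[str, str] = {                # security feed: coord -> severity
    "com.example.web:expression-lang:3.0.6": "severe",
    "com.example.web:expression-lang:3.0.7": "severe",   # first fix was incomplete
    "com.example.io:file-upload:1.2.2": "severe",
    "com.example.bytecode:class-rewriter:3.3": "moderate",
}
LICENSE: Dict[str, str] = {                 # license feed: coord -> SPDX id
    "com.example.web:expression-lang:3.0.6": "Apache-2.0",
    "com.example.io:file-upload:1.2.2": "Apache-2.0",
    "com.example.bytecode:class-rewriter:3.3": "GPL-2.0-only",
}
MONTHS_SINCE_RELEASE: Dict[str, int] = {    # quality feed: group:artifact -> months
    "com.example.web:expression-lang": 2,
    "com.example.io:file-upload": 5,
    "com.example.bytecode:class-rewriter": 40,   # effectively unmaintained
    "com.example.logging:log-api": 1,
}
CATALOGUE: Dict[str, List[str]] = {         # versions the repository offers
    "com.example.web:expression-lang": ["3.0.6", "3.0.7", "3.0.8", "3.1.0"],
    "com.example.io:file-upload": ["1.2.2", "2.0.0"],
    "com.example.bytecode:class-rewriter": ["3.3"],
}
# Assumed policy: administered centrally, enforced in every build.
SEVERITY_ACTION = {"severe": "fail", "moderate": "warn"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}  # blocked for shipped code
STALE_AFTER_MONTHS = 24

@dataclass(frozen=True)
class Violation:
    component: str
    rule: str     # "security" | "license" | "quality"
    action: str   # "fail" breaks the build, "warn" is reported only
    detail: str

def evaluate(inventory: List[str]) -> List[Violation]:
    """Apply every rule to every component; missing data is itself a finding."""
    out: List[Violation] = []
    for coord in inventory:
        ga, _, _ = coord.rpartition(":")
        sev = SECURITY.get(coord)
        if sev is not None:
            out.append(Violation(coord, "security", SEVERITY_ACTION.get(sev, "warn"), f"{sev} flaw"))
        lic = LICENSE.get(coord)
        if lic is None:
            out.append(Violation(coord, "license", "warn", "license unknown"))
        elif lic in COPYLEFT:
            out.append(Violation(coord, "license", "fail", f"{lic} not allowed"))
        months = MONTHS_SINCE_RELEASE.get(ga)
        if months is None or months > STALE_AFTER_MONTHS:
            detail = "release date unknown" if months is None else f"last release {months} months ago"
            out.append(Violation(coord, "quality", "warn", detail))
    return out

def build_passes(violations: List[Violation]) -> bool:
    return not any(v.action == "fail" for v in violations)

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric comparison key; qualifiers such as -beta count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.replace("-", ".").split("."))

def remediate(coord: str) -> Tuple[str, Optional[str]]:
    """("patch", v): lowest clean version in the same major line, API expected compatible.
    ("replace", v): only clean versions cross a major boundary, API review needed.
    ("replace", None): no clean version exists; the component itself must be swapped."""
    ga, _, current = coord.rpartition(":")
    cur = version_key(current)
    clean = sorted((version_key(v), v) for v in CATALOGUE.get(ga, [])
                   if version_key(v) > cur and f"{ga}:{v}" not in SECURITY)
    if not clean:
        return "replace", None
    key, target = clean[0]
    return ("patch" if key[0] == cur[0] else "replace"), target

def plan(inventory: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Remediation decision for every component with a security violation."""
    flawed = {v.component for v in evaluate(inventory) if v.rule == "security"}
    return {c: remediate(c) for c in inventory if c in flawed}

INVENTORY = [   # constructed bill of materials for one application
    "com.example.web:expression-lang:3.0.6",
    "com.example.io:file-upload:1.2.2",
    "com.example.bytecode:class-rewriter:3.3",
    "com.example.logging:log-api:1.7.5",
]

if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for v in found:
        print(f"{v.action:4} {v.rule:8} {v.component}: {v.detail}")
    print("build passes:", build_passes(found))
    for coord, (action, target) in plan(INVENTORY).items():
        print(f"{action:7} {coord} -> {target or 'no clean version; swap the component'}")
```

Note how `remediate` skips 3.0.7 even though it is newer: the security feed still lists it, so the lowest version that actually clears the rule is 3.0.8. A same-major target is still only a candidate; the re-certify step on the slide is where API compatibility gets confirmed.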

Page 24: The Hidden Risk of Component Based Software Development


Security is a Matter of Priorities

Priorities by role, ranked top to bottom:

  Development               Operations                Security
  -----------               ----------                --------
  Features                  Performance               Security
  Usability                 Reliability/Scalability   Compliance
  Performance               Compliance                Everything Else
  Reliability/Scalability   Security
  Maintainability           Maintainability
  Security                  Features/Usability
  Compliance

Page 25: The Hidden Risk of Component Based Software Development


Building A Better Bridge Between Dev, Ops and Security

• Need to recognize that the priorities are different

• Tooling needs to adopt the practice of the practitioner, not the other way around

• A tool is not a process and a process is not a tool; learn to leverage both.

Page 27: The Hidden Risk of Component Based Software Development