Accelerating innovation with software supply chain management

Matthew Barker, Technical Director, [email protected], 505-239-4008

@sonatype


106,000 Organizations Analyzed

Source: 2015 State of the Software Supply Chain Report


We all have a SOFTWARE SUPPLY CHAIN


POLLING QUESTION

What percent of modern apps are composed of open source components?

a. 10 - 20%
b. 50 - 60%
c. 80 - 90%

How Dependent on 3rd Parties Are We?

Typical Application: 10% custom written code, 90% from 3rd parties (open source, closed source, cloud services).


Need speed, efficiency & quality for agile, continuous DevOps?

Automate your software supply chain with three proven principles:

Use higher quality parts

Use better & fewer suppliers

Track what you use and where


CHANGE: the typical component is updated 3 - 4X per year.

985,000 OSS COMPONENTS

11 MILLION OSS USERS

108,000 SUPPLIERS

Source: 2015 State of the Software Supply Chain Report

POLLING QUESTION

How many open source suppliers do companies work with?

a. 5,372
b. 7,601
c. 15,118

Suppliers Serving Manufacturers

Source: 2015 State of the Software Supply Chain Report

Average: Orders (downloads) 240,757; Suppliers (artifacts) 7,601; Parts (versions) 18,614


59% never repaired.

41% repaired: 390 days (median 265 days). CVSS 10s: 224 days.

<7: the best were remediated in under a week.

Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf


Sample of Open Source Repositories, 2014 Volume of Download Requests

Central.sonatype.org 17,213,084,947

Npmjs.org 15,460,748,856

NuGetGallery.com 280,124,916

Bintray.com 250,000,000

Source: 2015 State of the Software Supply Chain Report


Source: 2015 State of the Software Supply Chain Report

PATTERN #1: Public Repos -> Local Repo -> Build Tool

PATTERN #2: Public Repos -> Build Tool


POLLING QUESTION

What percent of components are sourced from repository managers vs. other tools?

a. 25%
b. 55%
c. 95%

Source: 2015 State of the Software Supply Chain Report

Public Repos -> Local Repo -> Build Tool: 95% of downloads

Public Repos -> Build Tool: 5% of downloads


Source: 2015 State of the Software Supply Chain Report

240,000 Components Downloaded Annually


POLLING QUESTION

What percent of organizations do not have a policy governing quality and integrity of components?

a. 25%
b. 55%
c. 95%

Q: Does your organization have an open source policy?

Half of organizations continue to run without an open source policy.

Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey

Orders Quality Control

Average downloads: 240,757
# with known vulnerabilities: 15,337
% with known vulnerabilities: 7.5%
% known vulnerabilities (2013 or older): 66.3%

Download Volumes of Old CVEs

Source: 2015 State of the Software Supply Chain Report


Analysis of 1,500+ Applications

106 components

24 known vulnerabilities

9 restrictive licenses


What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …

They could choose any supplier they want for any given part, regardless of quality.

Any part can be chosen even if it is outdated or known to be unsafe.

Since there is no visibility, it is very slow and costly to recall a part.

There is no quality control or consistency from car to car.

There is no inventory of the parts that were used, or where.

1. Choose good components from the start - empower developers with the right information at the right time

2. Design a frictionless, automated, “continuous” approach

3. Create a software Bill of Materials for your application


Shift Left = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE

License, Security and Architecture data for each component, evaluated against your policy

CHOOSE GOOD COMPONENTS FROM THE START


CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD

Jenkins integration: run history and status of each build, across multiple applications.

Builds might be stable or unstable; the view also shows build successes and failures.

Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.


CREATE A SOFTWARE BILL OF MATERIALS

bit.ly/softwareBOM

5 MINUTES
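As an added illustration of the three principles above (track what you use and where, evaluate license and security data against a policy, keep a bill of materials you can "recall" against), here is a minimal BOM builder. It is example code written for this page, not Sonatype's tooling or the deck's own material; every component coordinate, vulnerability id, application name and policy threshold is a constructed placeholder.

```python
# Added example, not from the slides: all coordinates, vuln ids and thresholds are constructed placeholders.
INVENTORY = [  # component coordinate -> applications that build with it
    ("org.example:parser:1.2.0", ["billing-api", "web-portal"]),
    ("org.example:logger:2.0.1", ["billing-api"]),
    ("com.example:imaging:0.9.3", ["web-portal"]),
    ("org.example:json:3.4.0", ["billing-api", "batch"]),
]
COMPONENT_DATA = {  # stands in for a vendor feed; vulns are (id, cvss, disclosure year)
    "org.example:parser:1.2.0": {"license": "Apache-2.0", "vulns": [("VULN-PLACEHOLDER-1", 9.8, 2012)]},
    "org.example:logger:2.0.1": {"license": "MIT", "vulns": []},
    "com.example:imaging:0.9.3": {"license": "GPL-3.0", "vulns": [("VULN-PLACEHOLDER-2", 5.3, 2015)]},
    "org.example:json:3.4.0": {"license": "Apache-2.0", "vulns": []},
}
POLICY = {
    "restrictive_licenses": {"GPL-3.0", "AGPL-3.0"},  # hypothetical license policy
    "max_cvss": 7.0,          # block components with a known vuln at or above this score
    "stale_vuln_year": 2013,  # slides: 66.3% of downloaded known vulns are 2013 or older
}

def build_bom(inventory, data, policy):
    """One BOM entry per component: where it is used, its license, and policy findings."""
    bom = []
    for coord, apps in inventory:
        info = data.get(coord, {"license": "UNKNOWN", "vulns": []})  # missing data is itself a gap
        findings = []
        if info["license"] in policy["restrictive_licenses"]:
            findings.append(f"restrictive license {info['license']}")
        for vid, cvss, year in info["vulns"]:
            if cvss >= policy["max_cvss"]:
                findings.append(f"{vid}: CVSS {cvss} exceeds policy")
            if year <= policy["stale_vuln_year"]:
                findings.append(f"{vid}: disclosed {year}, still unrepaired")
        bom.append({"component": coord, "used_in": list(apps), "license": info["license"],
                    "vulns": len(info["vulns"]), "findings": findings})
    return bom

def recall_list(bom):
    """The 'recall' view from the car analogy: per application, the components that violate policy."""
    recalls = {}
    for entry in bom:
        for app in (entry["used_in"] if entry["findings"] else []):
            recalls.setdefault(app, []).append(entry["component"])
    return recalls

def summarize(bom):
    """Slide-style metrics: how many components carry known vulns, and how many apps need a recall."""
    vulnerable = sum(1 for e in bom if e["vulns"])
    pct = round(100 * vulnerable / len(bom), 1) if bom else 0.0
    return {"components": len(bom), "with_known_vulns": vulnerable,
            "pct_with_known_vulns": pct, "apps_needing_recall": len(recall_list(bom))}
```

A component with no entry in the data feed is recorded with license UNKNOWN rather than silently passing, since an inventory gap is exactly what the "no inventory of the parts that were used" slide warns about.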


Supply chain advantage

Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri

John Willis, DevOps Days Core Organizer

Gareth Rushgrove, Puppet Labs

Nigel Simpson, F-100 Entertainment Giant


Back to the Cars… What’s this got to do with software???

Use fewer and better suppliers. Choose high quality parts. Track what parts are used and where.

Quality, speed, remediation time

Debt, rework, negative branding

Collaboration and governance to create value!