What You Don’t Know Will Hurt You
The Hidden Risk of Component Based Software Development

Ryan Berg, CSO Sonatype

Send Tweets to #CSORisk

The Component Lifecycle Management Company
80% of a typical application is assembled from open source & proprietary components (Assembled > Written)

The Ice-Caps are Melting

Development Must Keep Up with Pace Of Innovation

Development must change

Components are Everywhere

"By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010."
Source: Predicts 2011: Open-Source Software, the Power Behind the Throne (November 2010)

[Chart: Unique Components per Month at a Global 100 Financial Institution, Jan to Dec; y-axis 0 to 6,000]
“But we don’t use Open Source”

It's no longer a question of whether you use OSS, it's how many components are being used & where.

What You Don’t Know Can and Will Hurt You

• 46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks
• 18,000 organizations downloaded a version of the Struts framework with a 'severe' security flaw
• 4,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as 'severe')

Uncontrolled, Unmanaged Risk

No “Throat to Choke”

• Discovering a security issue is half the battle
• Transitive and hidden dependencies make it extremely difficult to assign responsibility for propagating fixes throughout the component chain

A Multi-faceted Challenge

• Complexity: one component may rely on hundreds of others
• Diversity: 40,000 projects, 200MM classes, 400K components
• Volume: a typical enterprise consumes thousands of components monthly
• Change: a typical component is updated 4X per year

Success Requires Discipline

The Problem is Not Problem Discovery

• When our software development ecosystem looks like this, it is easy to find problems
• The real challenge is to develop at scale and deliver value continuously when everything else is a mess

Current State

• No Visibility: no visibility into what components are used, where they are used and where there is risk
• No Control: no way to govern/enforce component usage; policies are not integrated with development
• No Fix: no efficient way to fix existing flaws

Practical Solutions Require a Practical Approach

“Haven’t I heard this story before?”

It’s Not a One Trick Pony

Accurate Identification

You can't begin if you don't know where to start, and you can't start if you don't know what you have.

Components Can be Compromised

Component Repositories -> Development Repositories -> Integrate -> Build -> Deploy

Non-vetted components enter the dev process from many sources, and components can be compromised throughout the lifecycle.

Component Lifecycle Management

[Diagram: Development Repositories]

Data Driven Policies Facilitate Governance
Data Feeds (Security, License, Quality, Custom) -> Policy Management (Rule-based Policies, Workflow, Reporting, Alerts) -> POLICY
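The three slides above (No "Throat to Choke", Accurate Identification, Data Driven Policies) describe the same three steps a practitioner has to automate: inventory what is actually on the classpath, attribute every transitive component back to the direct dependency that pulled it in (the one line in the build that can be changed), and gate the build on rule-based policies fed by security and license data. The script below is an added example written for this page; it is not code from the deck or from Sonatype. It assumes a dependency tree in the text shape that `mvn dependency:tree` prints; the artifacts, the vulnerability and license feed, the severities and the policy thresholds are all constructed, and the org.example coordinates are hypothetical.

```python
"""Added example (not Sonatype's or the deck's code): inventory a dependency
tree, attribute each transitive component to its direct parent, and evaluate
rule-based security/license policies against a constructed data feed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: text in the shape of `mvn dependency:tree` output, with
# hypothetical org.example artifacts.
DEP_TREE = """\
com.example:webapp:war:1.0
+- org.example:web-framework:jar:1.2:compile
|  +- org.example:bean-utils:jar:1.7:compile
|  \\- org.example:logging:jar:1.0:compile
+- org.example:reporting:jar:2.3:compile
|  \\- org.example:pdf-lib:jar:0.9:compile
\\- org.example:test-harness:jar:4.1:test
"""

# Constructed feed keyed by group:artifact:version; "logging" is deliberately
# absent to show how an unidentified component is handled.
FEED = {
    "org.example:web-framework:1.2": {"severity": "severe", "fixed_in": None, "license": "Apache-2.0"},
    "org.example:bean-utils:1.7": {"severity": "severe", "fixed_in": "1.9", "license": "Apache-2.0"},
    "org.example:reporting:2.3": {"severity": "low", "fixed_in": "2.4", "license": "MIT"},
    "org.example:pdf-lib:0.9": {"severity": None, "fixed_in": None, "license": "GPL-3.0"},
}

# Constructed policy: fail above "moderate", deny listed licenses, ignore test scope.
POLICY = {"max_severity": "moderate", "denied_licenses": {"GPL-3.0"}, "ignored_scopes": {"test"}}
SEVERITY_RANK = {None: 0, "low": 1, "moderate": 2, "severe": 3}

# One tree line: nesting prefix of 3-char cells, optional "+- " / "\- " branch
# marker (absent only on the root line), then the coordinate.
LINE_RE = re.compile(r"^(?P<prefix>(?:[|\s]{3})*)(?P<marker>[+\\]- )?(?P<coord>\S+)$")


@dataclass
class Component:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    path: list  # keys from the root application down to this component

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"

    @property
    def direct_parent(self) -> str:
        # The direct dependency that pulled this component in: the only
        # declaration in the project's own build that can be changed.
        return self.path[1] if len(self.path) > 1 else self.key


def parse_tree(text: str) -> list:
    components, stack = [], []  # stack[i] = key of the ancestor at depth i
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable tree line: {line!r}")
        parts = m.group("coord").split(":")  # group:artifact:type:version[:scope]
        is_root = m.group("marker") is None
        version, scope = (parts[-1], None) if is_root else (parts[-2], parts[-1])
        depth = 0 if is_root else len(m.group("prefix")) // 3 + 1
        del stack[depth:]  # pop back to this line's parent
        key = f"{parts[0]}:{parts[1]}:{version}"
        components.append(Component(parts[0], parts[1], version, scope, stack + [key]))
        stack.append(key)
    return components


def evaluate(components: list, feed: dict, policy: dict) -> list:
    """Apply the rules to every component except the root application."""
    violations, limit = [], SEVERITY_RANK[policy["max_severity"]]
    for c in components[1:]:
        if c.scope in policy["ignored_scopes"]:
            continue
        base = {"component": c.key, "direct_parent": c.direct_parent, "path": c.path}
        data = feed.get(c.key)
        if data is None:  # unidentified: report it rather than silently pass it
            violations.append({**base, "rule": "unidentified",
                               "remediation": "identify the component before it can be governed"})
            continue
        if SEVERITY_RANK[data["severity"]] > limit:
            fix = data["fixed_in"]
            violations.append({**base, "rule": "security", "severity": data["severity"],
                               "remediation": f"upgrade to {fix}" if fix
                               else "no fixed release: replace the component or mitigate"})
        if data["license"] in policy["denied_licenses"]:
            violations.append({**base, "rule": "license", "license": data["license"],
                               "remediation": "replace with a component under an approved license"})
    return violations


def run(tree: str = DEP_TREE, feed: dict = FEED, policy: dict = POLICY) -> list:
    return evaluate(parse_tree(tree), feed, policy)


if __name__ == "__main__":
    for v in run():  # a non-empty list is what a build gate would fail on
        print(f"[{v['rule']}] {v['component']} via {v['direct_parent']}: {v['remediation']}")
        print("    chain: " + " > ".join(v["path"]))
```

Each finding carries the full chain from the application down to the flawed component, so the fix is addressed to the direct dependency rather than to a library nobody in the project declared. A component missing from the feed is reported as unidentified instead of being treated as clean, which is the "you can't start if you don't know what you have" point in executable form.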

Sonatype Governed Development

Informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.

• Optimal component selection
provides clean starting point
minimizing downstream issues
• Centralized policy administration
with local enforcement ensures
effective governance & compliance
• Early problem detection &
remediation ensures fast, trusted
application delivery with low cost

• Inventory capability provides basis
for effective management &
monitoring

Sonatype Monitoring & Remediation

Provides a fast-path to discovering and
fixing at-risk applications by precisely
identifying component flaws and offering
flexible remediation options.

• Constant monitoring of applications
ensures continuous trust.
• Triage capability helps prioritize
critical work.
• Flexible remediation enables fast
response to application problems.
• Reporting & analysis capability
supports audit and regulatory
requirements.

The Patch vs. Replace Dilemma

Patch / Replace

• Investigate severity of security vulnerability
• Determine project status (under active maintenance)
• Find patch (is it available?)
• Determine impact of patch (assess API compatibility, etc.)
• Re-certify

Security is a Matter of Priorities

Development: Features, Usability, Performance, Reliability/Scalability, Maintainability, Security, Compliance

Operations: Performance, Reliability/Scalability, Compliance, Security, Maintainability, Features/Usability

Security: Security, Compliance, Everything Else
Building A Better Bridge Between Dev, Ops and Security

• Need to recognize that the priorities are different
• Tooling needs to adopt the practice of the practitioner, not the other way around
• A tool is not a process and a process is not a tool; learn to leverage both.

For More Information: Free Risk Assessment

www.sonatype.com/Products/Application-Health-Check/AnalyzeYour-App

www.sonatype.com/Contact-Us

The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

The Hidden Risk of Component Based Software Development

  • 2. What You Don’t Know Will Hurt You: The Hidden Risk of Component Based Software Development. Ryan Berg, CSO Sonatype. Send Tweets to #CSORisk
  • 3. 80% of a typical application is assembled from open source & proprietary components (Assembled > Written)
  • 4. The Ice-Caps are Melting
  • 5. Development Must Keep Up with Pace Of Innovation: development must change
  • 6. Components are Everywhere. By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010 (Predicts 2011: Open-Source Software, the Power Behind the Throne, November 2010). Chart: Global 100 Financial Institution, unique components per month, Jan to Dec, scale 0 to 6,000
  • 7. “But we don’t use Open Source”: it’s no longer a question of whether you use OSS, it’s how many components are being used & where
  • 8. What You Don’t Know Can and Will Hurt You
    - 46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks
    - 18,000 organizations downloaded a version of the Struts framework with a ‘severe’ security flaw
    - 4,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’)
    Uncontrolled, Unmanaged Risk
  • 9. No “Throat to Choke”
    - Discovering a security issue is half the battle
    - Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain
  • 10. A Multi-faceted Challenge
    - Complexity: one component may rely on 00s of others
    - Diversity: 40,000 Projects, 200MM Classes, 400K Components
    - Volume: typical enterprise consumes 000s of components monthly
    - Change: typical component is updated 4X per year
  • 11. Success Requires Discipline
  • 12. The Problem is Not Problem Discovery
    - When our software development ecosystem looks like this it is easy to find problems
    - The real challenge is to develop at scale and deliver continuous value continuously when everything else is a mess
  • 13. Current State
    - Visibility: no visibility to what components are used, where they are used and where there is risk
    - Control: no way to govern/enforce component usage; policies are not integrated with development
    - Fix: no efficient way to fix existing flaws
  • 14. Practical Solutions Require a Practical Approach
  • 15. “Haven’t I heard this story before?”
  • 16. It’s Not a One Trick Pony
  • 17. Accurate Identification: you can’t begin if you don’t know where to start, and you can’t start if you don’t know what you have.
  • 18. Components Can be Compromised. Lifecycle: Component Repositories, Development Repositories, Integrate, Build, Deploy. Non-vetted components enter the dev process from many sources; components can be compromised throughout the lifecycle
  • 19. Component Lifecycle Management: Development Repo, Development Repositories
  • 20. Data Driven Policies Facilitate Governance
    - Data Feeds: Security, License, Quality, Custom
    - Policy Management: Workflow, Reporting, Rule-based Policies, Alerts
  • 21. Sonatype Governed Development informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.
    - Optimal component selection provides a clean starting point, minimizing downstream issues
    - Centralized policy administration with local enforcement ensures effective governance & compliance
    - Early problem detection & remediation ensures fast, trusted application delivery with low cost
    - Inventory capability provides the basis for effective management & monitoring
  • 22. Sonatype Monitoring & Remediation provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options.
    - Constant monitoring of applications ensures continuous trust.
    - Triage capability helps prioritize critical work.
    - Flexible remediation enables fast response to application problems.
    - Reporting & analysis capability supports audit and regulatory requirements.
  • 23. The Patch vs. Replace Dilemma
    - Patch: investigate severity of security vulnerability; determine project status (under active maintenance); find patch (is it available?); determine impact of patch (assess API compatibility, etc.); re-certify
    - Replace
  • 24. Security is a Matter of Priorities. Columns: Development, Operations, Security. Entries as extracted: Features, Performance, Security, Usability, Reliability/Scalability, Compliance, Performance, Compliance, Everything Else, Reliability/Scalability, Security, Maintainability, Maintainability, Security, Features/Usability, Compliance
  • 25. Building A Better Bridge Between Dev, Ops and Security
    - Need to recognize that the priorities are different
    - Tooling needs to adopt the practice of the practitioner, not the other way around
    - A tool is not a process and a process is not a tool; learn to leverage both.
  • 26. For More Information: Free Risk Assessment www.sonatype.com/Products/Application-Health-Check/AnalyzeYour-App; www.sonatype.com/Contact-Us
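The pipeline slides 13, 17 and 20 describe, visibility into which components an application declares, rule-based security and license policies fed by data feeds, and alerts carrying a remediation hint for the patch-vs-replace decision of slide 23, as an added example that is not Sonatype's code. The pom, both feeds and the `org.example` coordinates are constructed sample data; the version comparison handles purely numeric Maven versions only.

```python
"""Rule-based component policy check over a Maven dependency inventory.
Added example, not Sonatype's code. The pom, the security feed and the
license feed are constructed sample data using placeholder coordinates."""
import xml.etree.ElementTree as ET

POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>1.2.9</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-util</artifactId><version>2.4.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>legacy-auth</artifactId><version>0.9.1</version></dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed data feeds. A security entry is (introduced, fixed, severity);
# the vulnerable range is [introduced, fixed), and fixed=None means no fix exists.
SECURITY_FEED = {
    "org.example:web-core": [("1.0.0", "1.3.0", "severe")],
    "org.example:legacy-auth": [("0.0.0", None, "severe")],  # abandoned project
}
LICENSE_FEED = {"org.example:web-core": "Apache-2.0",
                "org.example:json-util": "GPL-3.0",
                "org.example:legacy-auth": "Apache-2.0"}
DENIED_LICENSES = {"GPL-3.0"}

def vtuple(v):
    """Numeric Maven-style version to a comparable tuple: "1.2.9" -> (1, 2, 9)."""
    return tuple(int(p) for p in v.split("."))

def inventory(pom_xml):
    """Visibility: every declared dependency as 'group:artifact' -> version."""
    root = ET.fromstring(pom_xml)
    deps = root.findall(".//m:dependencies/m:dependency", NS)
    return {f"{d.find('m:groupId', NS).text}:{d.find('m:artifactId', NS).text}":
            d.find("m:version", NS).text for d in deps}

def evaluate(inv):
    """Control: apply security and license rules; each alert carries a fix hint."""
    alerts = []
    for coord, ver in inv.items():
        for lo, fixed, sev in SECURITY_FEED.get(coord, []):
            if vtuple(lo) <= vtuple(ver) and (fixed is None or vtuple(ver) < vtuple(fixed)):
                hint = f"patch: upgrade to {fixed}" if fixed else "replace: no fixed version"
                alerts.append((coord, ver, "security", sev, hint))
        lic = LICENSE_FEED.get(coord, "unknown")
        if lic in DENIED_LICENSES or lic == "unknown":  # unknown license fails closed
            alerts.append((coord, ver, "license", "policy", f"license {lic} not allowed"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(inventory(POM)):
        print(" | ".join(alert))
```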