This document discusses the risks of component-based software development and the need for component lifecycle management. It notes that 80% of applications are assembled from open source and third-party components, but many organizations lack visibility into what components they use and where they may pose security risks. It argues that successful development at scale requires managing the entire lifecycle of components from identification and selection to ongoing monitoring and remediation of flaws. The document presents the Sonatype solution for component lifecycle management to help organizations gain control and governance over their use of software components.
The Hidden Risk of Component Based Software Development
1.
2. What You Don’t Know Will Hurt You
The Hidden Risk of Component Based Software Development
Ryan Berg, CSO Sonatype
Send Tweets to #CSORisk
The Component Lifecycle Management Company
3. 80% of a typical application is assembled from open source & proprietary components (Assembled > Written)
4. The Ice-Caps are Melting
5. Development Must Keep Up with Pace Of Innovation
Development must change
6. Components are Everywhere
"By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010." (Predicts 2011: Open-Source Software, the Power Behind the Throne, November 2010)
[Chart: Unique Components per Month at a Global 100 Financial Institution, Jan through Dec, scale 0 to 6,000]
7. “But we don’t use Open Source”
It’s no longer a question of whether you use OSS, it’s how many components are being used & where.
8. What You Don’t Know Can and Will Hurt You
• 46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks
• 18,000 organizations downloaded a version of the Struts framework with a ‘severe’ security flaw
• 4,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’)
Uncontrolled, Unmanaged Risk
9. No “Throat to Choke”
• Discovering a security issue is half the battle
• Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain
10. A Multi-faceted Challenge
• Complexity: one component may rely on 00s of others
• Diversity: 40,000 projects, 200MM classes, 400K components
• Volume: a typical enterprise consumes 000s of components monthly
• Change: a typical component is updated 4X per year
12. The Problem is Not Problem Discovery
• When our software development ecosystem looks like this it is easy to find problems
• The real challenge is to develop at scale and deliver continuous value continuously when everything else is a mess
13. Current State
• No Visibility: no visibility to what components are used, where they are used and where there is risk
• No Control: no way to govern/enforce component usage; policies are not integrated with development
• No Fix: no efficient way to fix existing flaws
15. “Haven’t I heard this story before?”
16. It’s Not a One Trick Pony
17. Accurate Identification
You can’t begin if you don’t know where to start, and
you can’t start if you don’t know what you have.
18. Components Can be Compromised
Component Repositories -> Development Repositories -> Integrate -> Build -> Deploy
• Non-vetted components enter the dev process from many sources
• Components can be compromised throughout the lifecycle
20. Data Driven Policies Facilitate Governance
Data Feeds: Security, License, Quality, Custom
POLICY: Rule-based Policies, Policy Management, Workflow, Reporting, Alerts
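As an added illustration of what a rule-based policy over security and license data feeds looks like in practice (example code written for this page, not Sonatype's product), the snippet below walks a constructed component inventory including its transitive dependencies, evaluates each component against a security-severity rule and a banned-license rule, and records the dependency path so that an alert on a hidden transitive component still names the direct dependency that pulled it in (the "throat to choke" problem from slide 9). All component names, vulnerability ids and feed contents are constructed sample values.

```python
from collections import deque

# Constructed sample inventory: component -> list of its direct dependencies.
INVENTORY = {
    "my-app": ["struts:1.2.9", "lib-a:2.0"],
    "struts:1.2.9": ["commons-x:1.1"],
    "lib-a:2.0": ["commons-x:1.1", "lib-b:3.4"],
    "commons-x:1.1": [],
    "lib-b:3.4": [],
}
# Constructed security feed: component -> list of (vulnerability id, severity).
SECURITY_FEED = {
    "struts:1.2.9": [("VULN-EXAMPLE-1", "severe")],
    "commons-x:1.1": [("VULN-EXAMPLE-2", "moderate")],
}
# Constructed license feed: component -> declared license.
LICENSE_FEED = {"struts:1.2.9": "Apache-2.0", "lib-a:2.0": "MIT",
                "commons-x:1.1": "Apache-2.0", "lib-b:3.4": "GPL-3.0"}
# Rule-based policy: tolerate findings up to "moderate", forbid listed licenses.
POLICY = {"max_severity": "moderate", "banned_licenses": {"GPL-3.0"}}
SEVERITY_RANK = {"low": 1, "moderate": 2, "severe": 3}


def find_paths(inventory, root):
    """Breadth-first walk; returns component -> shortest path from root."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in inventory.get(node, []):
            if dep not in paths:          # first visit wins = shortest path
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def evaluate(inventory, root, security, licenses, policy):
    """Apply the policy to every reachable component; return sorted alerts."""
    alerts = []
    limit = SEVERITY_RANK[policy["max_severity"]]
    for comp, path in find_paths(inventory, root).items():
        if comp == root:
            continue
        for vuln_id, sev in security.get(comp, []):
            if SEVERITY_RANK[sev] > limit:
                alerts.append({"component": comp, "rule": "security",
                               "detail": f"{vuln_id} ({sev})", "path": path,
                               "transitive": len(path) > 2})
        if licenses.get(comp) in policy["banned_licenses"]:
            alerts.append({"component": comp, "rule": "license",
                           "detail": licenses[comp], "path": path,
                           "transitive": len(path) > 2})
    # Direct dependencies first: they are the ones a team can actually change.
    return sorted(alerts, key=lambda a: (len(a["path"]), a["component"]))
```

Each alert's `path` ends at the flagged component and its second element is the direct dependency to patch or replace; `commons-x:1.1` produces no alert because "moderate" does not exceed the policy's threshold.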
21. Sonatype Governed Development
Informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.
• Optimal component selection provides a clean starting point, minimizing downstream issues
• Centralized policy administration with local enforcement ensures effective governance & compliance
• Early problem detection & remediation ensures fast, trusted application delivery at low cost
• Inventory capability provides the basis for effective management & monitoring
22. Sonatype Monitoring & Remediation
Provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options.
• Constant monitoring of applications ensures continuous trust.
• Triage capability helps prioritize critical work.
• Flexible remediation enables fast response to application problems.
• Reporting & analysis capability supports audit and regulatory requirements.
23. The Patch vs. Replace Dilemma
Patch:
• Investigate severity of security vulnerability
• Determine project status (under active maintenance)
• Find patch (is it available?)
• Determine impact of patch (assess API compatibility, etc.)
• Re-certify
Replace
24. Security is a Matter of Priorities
Development (highest to lowest): Features, Usability, Performance, Reliability/Scalability, Maintainability, Security, Compliance
Operations (highest to lowest): Performance, Reliability/Scalability, Compliance, Security, Maintainability, Features/Usability
Security (highest to lowest): Security, Compliance, Everything Else
25. Building A Better Bridge Between Dev, Ops and Security
• Need to recognize that the priorities are different
• Tooling needs to adopt the practice of the practitioner, not the other way around
• A tool is not a process and a process is not a tool; learn to leverage both.
26. For More Information: Free Risk Assessment
www.sonatype.com/Products/Application-Health-Check/AnalyzeYour-App
www.sonatype.com/Contact-Us