Webinar: "Il software: la strategia vincente sta nella qualità"
•Transferir como PPTX, PDF•
1 gostou•173 visualizações
Con i sempre più numerosi security breaches che si verificano ogni settimana, è di vitale importanza che la sicurezza e il DevOps lavorino insieme per integrare e semplificare il delivery, bilanciando la velocità e la sicurezza senza alcun compromesso. Implementa la tua strategia DevOps, senza rinunciare alla sicurezza e alla qualità del software.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a Webinar: "Il software: la strategia vincente sta nella qualità"
Semelhante a Webinar: "Il software: la strategia vincente sta nella qualità" (20)
Mais de Emerasoft, solutions to collaborate
Mais de Emerasoft, solutions to collaborate (20)
Último
Último (20)
Webinar: "Il software: la strategia vincente sta nella qualità"
- 2. • Emerasoft srl • Mission • Vision • Solutions Monica Burzio– Emerasoft Ugo Ciracì – Emerasoft Steve Millard - Sonatype Emerasoft Srl
- 3. Data di nascita: 2005 Dove siamo: Via Po, 1 – Torino Piazzale Luigi Sturzo, 15 - Roma “Il nostro impegno è nella costante ricerca della migliore soluzione per il cliente, garantendo eccellenza nella qualità di servizi e prodotti proposti. La nostra promessa è di svolgere il nostro lavoro con costanza e passione” Emerasoft Srl
- 4. DevOps IoT Testing ALM SOA Business Intelligence Security University ALM+PLM standard compliance BRMS User Experience SS4B Enterprise Mobility agile IoD BPM OpenSource APIUsability Compliance Management ITSM Solutions
- 5. DevOps IoT Testing ALM SOA Business Intelligence Security University ALM+PLM standard compliance BRMS User Experience SS4B Enterprise Mobility agile IoD BPM OpenSource APIUsability Compliance Management ITSM Solutions
- 6. Agenda Webinar: “Il software: la strategia vincente sta nella qualità” APRILE • La Supply Chain del software • Devops e sicurezza: lo scenario attuale • Sonatype Nexus per un software di qualità • Q&A Il webinar di oggi Ugo Ciracì DevOps Specialist @Emerasoft NOVEMBRE 8 Steve Millard International Partner Business Manager @Sonatype
- 7. 2017 State of the Software Supply Chain
- 8. Say Hello to Your Software Supply Chain… State of the Software Supply Chain
- 9. 1,096 new projects per day 10,000 new versions per day 14x releases per year • 3M npm components • 2M Java components • 900K NuGet components • 870K PyPI components State of the Software Supply Chain
- 10. 59 52 State of the Software Supply Chain
- 11. 80% to 90% of modern apps consist of assembled components. State of the Software Supply Chain
- 12. State of the Software Supply Chain
- 13. 80% to 90% of modern operations consist of assembled containers. Containers Hand-built applications and infrastructure State of the Software Supply Chain
- 14. NOT ALL PARTS ARE CREATED EQUAL State of the Software Supply Chain
- 15. 233 days MeanTTR 119 days MedianTTR 122,802 components with known vulnerabilities 19,445 15.8% fixed the vulnerability TIME TO REPAIR OSS COMPONENTS State of the Software Supply Chain
- 16. zero days mean time to repair CVE ID: CVE- 2017-5638 March 7 Apache fixed the vulnerability March 7 APACHE STRUTS2 MEAN TIME TO REPAIR State of the Software Supply Chain
- 17. @weekstweets State of the Software Supply Chain
- 18. 6-IN-10 HAVE OPEN SOURCE POLICIES State of the Software Supply Chain
- 19. 125,701 Java component downloads annually 7,428 5.8% with known vulnerabilities 7,500 ORGANIZATIONS ANALYZED State of the Software Supply Chain
- 20. DEFECT PERCENTAGES FOR JAVASCRIPT State of the Software Supply Chain
- 21. 5 Month Opportunity to Take Corrective Action Large Scale Exploit March 10 Equifax applications breached through Struts2 vulnerability AprMar May Jun Jul Aug Sept March 7 Apache Struts releases updated version to thwart vulnerability CVE-2017-5638 July 29 Breach is discovered by Equifax. Sept 7 A new RCE vulnerability is announced and fixed. CVE-2017-9805 Probing Hack Crisis Management Il caso: Equifax
- 22. TIME TO RESPOND BEFORE EXPLOITSource: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016) Year of Date Reported 2006 2007 2008 2009 2010 2011 2012 2013 2104 2015 10 20 30 40 50 0 AverageDaystoExploit Average 45 15 2017 Il caso: Equifax
- 23. 9 years later, vulnerable versions of Bouncy Castle were downloaded… 11M CVE-2007-6721 CVSS Base Score: 10.0 HIGH Exploitability Subscore: 10.0 23M 2007 2016 BOUNCY CASTLE Bouncy Castle
- 24. 18,330,958 78% downloads were vulnerable COMMONS COLLECTION CWE-502 23,476,966 total downloads in 2016 Software Supply Chain
- 25. Trusted Partially Trusted Untrusted Reliably sourced without any digital risk accessing Some attributes of trust but no confirmation No demonstrabl e proof of trust Level of trust Burdentoverifyandlevelofrisk Source: Gartner, May 2017 HOW OLOGY AND PRESS HELP? Software Supply Chain
- 26. Trusted Partially Trusted Untrusted Reliably sourced without any digital risk accessing Some attributes of trust but no confirmation No demonstrabl e proof of trust Level of trust Burdentoverifyandlevelofrisk Source: Gartner, May 2017 HOW OLOGY AND PRESS HELP? Software Supply Chain
- 27. TRUSTED SOFTWARE SUPPLY CHAINS Software Supply Chain
- 28. THE REWARDS ARE IMPRESSIVE 90% improvement in time to deploy 34,000 hours saved in 90 days 48% increase in application quality Software Supply Chain
- 29. Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems. U.K.’s National Cyber Security Strategy 2016 - 2021
- 30. 1. You are using more open source than you think 2. There are good parts and bad components 3. You are responsible for your component choices 4. The new normal for getting business requirements into production is 3 days 5. It’s time to have the conversation internally Five Takeaways
- 31. Contenuti disponibili su: Canale slideshare di Emerasoft Canale Youtube Emerasoft Visita il nostro sito emerasoft.com Contattaci: sales@emerasoft.com @ WWW Emerasoft Srl
- 32. Segui i nostri canali… www.emerasoft.com sales@emerasoft.com Emerasoft Srl via Po, 1 – 10124 Torino Piazzale Luigi Sturzo, 15 - 00144 Roma T +39 011 0120370 T +39 06 87811323 F +39 011 3710371 Grazie… Contatti
Notas do Editor
- Say hello to YOUR software supply chain, not “the software supply chain”; personalizing it more for the audience. For those of you that are unfamiliar with a software supply chain, it's really an allegate to the traditional supply chains used in manufacturing today. Those supply chains have suppliers that are building components. In the case of software development, that is the open-source [projects 00:07:53] that are building components, and making them freely available to developers around the world. [00:08:00] They're able to store and distribute those components in the large central warehouses, like the central repository that Sonatype is responsible for managing, but also repositories like rubygems.org, [pipi.org 00:08:16], thenugetgallery, etc. This is where the components are stored and available to the manufacturers, that are really the software development teams, that are consuming these components and downloading these components over the years. Those components are then used to create the finished goods, or the software applications, that organizations are then delivering to their customers. We'll continue to use this supply chain analogy for the software supply chain, then compare and contrast what's happening in traditional manufacturing, is to what's happening in software today.
- There's a really interesting site out there called moduleaccounts.com. It has a simple value, it keeps track of the number of different components, or packages that are available across the different development languages, from pipi, to nuget, to bower, to maven, components, etc. And it shows the increase in the number of these components that are available to the developer ecosystem, or the developer population, over time. We used some data from that site to see that over a thousand new open-source projects were created each day. People delivering a new kind of software, a new kind of component. Then, from the general population of all open-source projects worldwide, we were able to estimate that ten thousand new versions of components are introduced every day. There's this huge supply of components entering the ecosystem, and available to our software supply chains. When we look at the central repository that Sonatype manages, of maven style or java open-source components, we looked across 380 thousand open-source projects, and found that on average those projects were releasing fourteen new versions of their components every year. That's great from a supply chain aspect, that the suppliers are very active, actively releasing new software, actively releasing new innovations, and actively improving the software that they're making available to developers worldwide.
- Unfortunately, not all parts are equal... Some are healthy, some are not… …and all go bad over time (like milk, not like wine).
- [00:14:00] One of the things that we measured year over year, and we do do some year over year comparisons throughout the report, is that 6.2% of the downloads from the central repository last year out of the billions of downloads, had a known security vulnerability in them. This past year we saw 6.1% of the downloads had a known vulnerability. That's about one in sixteen of every component download has a known vulnerability in it.
- [00:14:00] One of the things that we measured year over year, and we do do some year over year comparisons throughout the report, is that 6.2% of the downloads from the central repository last year out of the billions of downloads, had a known security vulnerability in them. This past year we saw 6.1% of the downloads had a known vulnerability. That's about one in sixteen of every component download has a known vulnerability in it.
- in 2016 there were 197 GAVs related to bouncycastle downloaded a total of 23,412,020 times. 61 of thos GAVs were insecure, and those were downloaded 11,181,493 times
- for commons-collection, there were 25 GAVs downloaded a total of 23,476,966 times. 7 of those GAVs were insecure, and those were downloaded 18,330,958 times.
- [00:18:00] Part of those practices are how much hygiene are we building into our software supply chain? This year's report allowed us to get visibility from the downloads from the central warehouses, being 6% were known vulnerable, to components that were downloaded to repository managers. Imagine a local warehouse, if you will, for component parts used by developers. 5.6% of those downloads were known vulnerable. Then the finished goods, across the 25000 applications that we analyze, 6.8% of those components were known vulnerable. That means that the components that were downloaded ended up in the finished goods, or in the applications that are being shipped and shared with customers. Meaning, there's not enough vetting taking place from where we're sourcing components and bringing them into our organizations to what's ending up in the final products.
- If you are passing defects downstream, you are ultimately liable. Which side of history will you be on?
- If you are passing defects downstream, you are ultimately liable. Which side of history will you be on?