Competitive software organizations require high velocity production, operational efficiency, and continuous innovation – often achieved by sacrificing product quality, development process visibility, and corporate governance. As OSS consumption increases, such compromises are less acceptable as they render organizations blind to the building blocks comprising their software, thus accumulating technical debt and introducing risky defects. Learn how a holistic, automatable supply chain management approach to software improves product quality, OSS governance and mean-time-to-repair.
6. How Dependent on 3rd Parties Are We?
10% Custom Written Code
Typical Application
Open Source
Cloud Services
Closed Source
90% From 3rd Parties
@sonatype
7. Need speed, efficiency & quality for agile,
continuous DevOps?
Automate your software supply chain with three proven principles:
Use higher
quality parts
Use better & fewer
suppliers
Track what you use
and where
9. CHANGE
Typical component is
updated 3 - 4X per year.
985,000 OSS COMPONENTS
11 MILLION OSS USERS108,000 SUPPLIERS
Source: 2015 State of the Software Supply Chain Report
@sonatype
10. Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report
Orders
(downloads)
Suppliers
(artifacts)
Parts
(versions)
Average 240,757 7,601 18,614
@sonatype
11. 59%
never repaired
41%
390 days (median 265
days). CVSS 10s 224 days
<7
The best were remediated in
under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
@sonatype
14. Sample of
Open Source
Repositories
2014
Volume of
Download Requests
Central.sonatype.org 17,213,084,947
Npmjs.org 15,460,748,856
NuGetGallery.com 280,124,916
Bintray.com 250,000,000
Source: 2015 State of the Software Supply Chain Report
@sonatype
15. Repository Managers Accessing the Central Repository
Source: 2015 State of the Software Supply Chain Report
@sonatype
16. Source: 2015 State of the Software Supply Chain Report
Public
Repos
Local
Repo
Build
Tool
Public
Repos
Build
Tool
95%
of downloads
5%
of downloads
@sonatype
19. Source: 2015 State of the Software Supply Chain Report
240,000Components Downloaded Annually
@sonatype
20. Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
@sonatype
21. If it does not fit,
it does not get done.
@sonatype
22. Orders Quality Control
Average
downloads
# with known
vulnerabilities
% with known
vulnerabilities
% known
vulnerabilities
(2013 or older)
240,757 15,337 7.5% 66.3%
Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report
@sonatype
27. What if manufacturers built cars the way we build software:
without supply chain visibility, process and automation …
They could
choose
any supplier
they want for
any given part,
regardless of
quality.
Any part
can be chosen
even if it is
outdated or
known to be
unsafe.
Since there is no
visibility, it is
very
slow and costly
to recall
a part.
There is
no quality
control
or consistency
from car to car.
There is
no inventory
of the parts that
were used, or
where.
28. 1
2
3
Create a software Bill of
Materials for your application
Design a frictionless, automated,
“continuous” approach
Empower developers with the
right information at the right time
@sonatype
29. CREATE A SOFTWARE BILL OF MATERIALS
bit.ly/softwareBOM
5MINUTES
@sonatype
30. Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to
Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri
31. IT’S TIME WE IMPROVE OUR
SOFTWARE SUPPLY CHAINS
…
LEVERAGING COLLABORATION + GOVERNANCE
TO CREATE VALUE!