Software supply chain management: Gaining velocity without losing control
TRANSCRIPT
Yu-Chen Hsueh, Customer Success, [email protected], (408) 881-3894
How Dependent on 3rd Parties Are We?
Typical application: 10% custom written code, 90% from 3rd parties (open source, cloud services, closed source).
@sonatype
Need speed, efficiency & quality for agile, continuous DevOps?
Automate your software supply chain with three proven principles:
1. Use higher quality parts
2. Use better & fewer suppliers
3. Track what you use and where

CHANGE: Typical component is updated 3 - 4X per year.
985,000 OSS components, 11 million OSS users, 108,000 suppliers.
Source: 2015 State of the Software Supply Chain Report
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report
           Orders (downloads)   Suppliers (artifacts)   Parts (versions)
Average    240,757              7,601                   18,614
59% never repaired.
41% repaired: 390 days (median 265 days).
CVSS 10s: 224 days.
<7: the best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Sample of Open Source Repositories, 2014: Volume of Download Requests
Central.sonatype.org   17,213,084,947
Npmjs.org              15,460,748,856
NuGetGallery.com          280,124,916
Bintray.com               250,000,000
Source: 2015 State of the Software Supply Chain Report

Repository Managers Accessing the Central Repository
Source: 2015 State of the Software Supply Chain Report
Diagram: two download paths, Public Repos -> Local Repo -> Build Tool and Public Repos -> Build Tool, labelled 95% of downloads and 5% of downloads.
Source: 2015 State of the Software Supply Chain Report

240,000 Components Downloaded Annually
Source: 2015 State of the Software Supply Chain Report
Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Orders Quality Control
Average downloads: 240,757
# with known vulnerabilities: 15,337
% with known vulnerabilities: 7.5%
% known vulnerabilities (2013 or older): 66.3%
Download Volumes of Old CVEs
Source: 2015 State of the Software Supply Chain Report
Analysis of 1,500+ Applications: 106 components, 24 known vulnerabilities, 9 restrictive licenses.
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation ...
They could choose any supplier they want for any given part, regardless of quality.
Any part can be chosen even if it is outdated or known to be unsafe.
Since there is no visibility, it is very slow and costly to recall a part.
There is no quality control or consistency from car to car.
There is no inventory of the parts that were used, or where.
1. Create a software Bill of Materials for your application
2. Design a frictionless, automated, “continuous” approach
3. Empower developers with the right information at the right time
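The three principles from the earlier slide (use higher quality parts, use better and fewer suppliers, track what you use and where) and the three steps above come together in a check a team can run on every build. The Python script below is an added example, not Sonatype's tooling and not code from the original deck: it builds a minimal bill of materials from constructed dependency listings, records which module uses each component (the "where"), evaluates the result against a constructed list of known-vulnerable versions and restrictive licences, and summarises how many suppliers and parts are in play. Every coordinate, advisory identifier and licence assignment is made up for illustration.

```python
"""Added example (not from the original deck): a minimal software bill of
materials with a policy check. All data below is constructed for illustration."""
import json
from collections import defaultdict

# Constructed dependency listings per application module, as Maven-style
# group:artifact:version coordinates. None of these are real projects.
DEPENDENCY_LISTINGS = {
    "web-frontend": [
        "org.example.json:json-parser:1.2.0",
        "com.example.logging:log-core:2.8.1",
        "org.example.http:http-client:4.0.3",
    ],
    "payments-service": [
        "org.example.json:json-parser:1.0.4",
        "com.example.logging:log-core:2.8.1",
        "org.example.crypto:tls-utils:0.9.0",
    ],
}

# Constructed supplier data: known-vulnerable versions (with a made-up
# advisory id and year) and the licence of each artifact.
KNOWN_VULNERABLE = {
    ("org.example.json", "json-parser"): {"1.0.4": "EXAMPLE-2013-0001 (2013)"},
    ("org.example.crypto", "tls-utils"): {"0.9.0": "EXAMPLE-2015-0042 (2015)"},
}
LICENSES = {
    ("org.example.json", "json-parser"): "Apache-2.0",
    ("com.example.logging", "log-core"): "MIT",
    ("org.example.http", "http-client"): "Apache-2.0",
    ("org.example.crypto", "tls-utils"): "GPL-3.0",
}
# Policy: licences the (hypothetical) organisation treats as restrictive.
RESTRICTIVE_LICENSES = {"GPL-3.0", "AGPL-3.0"}


def build_sbom(listings):
    """Track what you use and where: map each (group, artifact, version)
    to the sorted list of modules that depend on it."""
    bom = defaultdict(set)
    for module, coordinates in listings.items():
        for coordinate in coordinates:
            group, artifact, version = coordinate.split(":")
            bom[(group, artifact, version)].add(module)
    return {part: sorted(modules) for part, modules in bom.items()}


def evaluate_policy(bom):
    """Flag parts with a known vulnerability or a restrictive licence,
    naming the modules affected so a fix can be targeted."""
    findings = []
    for (group, artifact, version), modules in sorted(bom.items()):
        advisory = KNOWN_VULNERABLE.get((group, artifact), {}).get(version)
        if advisory:
            findings.append({"issue": "known-vulnerability",
                             "part": f"{group}:{artifact}:{version}",
                             "detail": advisory, "modules": modules})
        licence = LICENSES.get((group, artifact), "UNKNOWN")
        if licence in RESTRICTIVE_LICENSES:
            findings.append({"issue": "restrictive-license",
                             "part": f"{group}:{artifact}:{version}",
                             "detail": licence, "modules": modules})
    return findings


def supplier_summary(bom):
    """Fewer suppliers, higher quality parts: count distinct suppliers
    (groups) and parts, and list artifacts pulled in at several versions."""
    versions = defaultdict(set)
    for group, artifact, version in bom:
        versions[(group, artifact)].add(version)
    multiple = {f"{g}:{a}": sorted(v) for (g, a), v in versions.items() if len(v) > 1}
    return {"suppliers": len({g for g, _, _ in bom}),
            "parts": len(bom),
            "multiple_versions": multiple}


def sbom_as_json(bom):
    """Serialise the BOM so it can be stored beside the build artefact."""
    components = [{"group": g, "artifact": a, "version": v, "used_by": m}
                  for (g, a, v), m in sorted(bom.items())]
    return json.dumps({"components": components}, indent=2)


if __name__ == "__main__":
    sbom = build_sbom(DEPENDENCY_LISTINGS)
    print(sbom_as_json(sbom))
    for finding in evaluate_policy(sbom):
        print(f"{finding['issue']}: {finding['part']} ({finding['detail']}) "
              f"used by {', '.join(finding['modules'])}")
    print(supplier_summary(sbom))
```

On the constructed data the check reports two known-vulnerable parts (one of them from 2013, matching the slide's point that most downloaded vulnerabilities are old) and one restrictive licence, and the summary shows the same artifact pulled in at two versions by different modules, which is exactly the kind of duplication the "fewer suppliers" principle targets.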
Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri