Software supply chain management: Gaining velocity without losing control

Yu-Chen Hsueh, Customer Success Engineer, [email protected], (408)881-3894

Posted 11-Feb-2017 (upload: matthewabq)

TRANSCRIPT

@sonatype


106,000 Organizations Analyzed

Source: 2015 State of the Software Supply Chain Report

We all have a SOFTWARE SUPPLY CHAIN

How Dependent on 3rd Parties Are We?

Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)

Need speed, efficiency & quality for agile, continuous DevOps?

Automate your software supply chain with three proven principles:

1. Use higher quality parts
2. Use better & fewer suppliers
3. Track what you use and where

CHANGE: Typical component is updated 3 - 4X per year.

985,000 OSS COMPONENTS, 11 MILLION OSS USERS, 108,000 SUPPLIERS

Source: 2015 State of the Software Supply Chain Report

Suppliers Serving Manufacturers

Source: 2015 State of the Software Supply Chain Report

           Orders (downloads)   Suppliers (artifacts)   Parts (versions)
Average    240,757              7,601                   18,614

59%: never repaired
41%: 390 days (median 265 days). CVSS 10s: 224 days
<7: The best were remediated in under a week.

Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

Source: modulecounts.com


Sample of Open Source Repositories: 2014 Volume of Download Requests

Central.sonatype.org    17,213,084,947
Npmjs.org               15,460,748,856
NuGetGallery.com           280,124,916
Bintray.com                250,000,000

Source: 2015 State of the Software Supply Chain Report

Repository Managers Accessing the Central Repository

Source: 2015 State of the Software Supply Chain Report


Source: 2015 State of the Software Supply Chain Report

Diagram: Public Repos -> Local Repo -> Build Tool: 95% of downloads. Public Repos -> Build Tool: 5% of downloads.

Figure: 27; 100-200; Cycle Time: Minutes-Hours

Source: 2015 State of the Software Supply Chain Report

240,000 Components Downloaded Annually

Q: Does your organization have an open source policy?

Half of organizations continue to run without an open source policy.

Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey

If it does not fit, it does not get done.

Orders Quality Control

Average downloads   # with known vulnerabilities   % with known vulnerabilities   % known vulnerabilities (2013 or older)
240,757             15,337                         7.5%                           66.3%

Download Volumes of Old CVEs

Source: 2015 State of the Software Supply Chain Report

Image Source: caranddriver.com

Analysis of 1,500+ Applications: 106 components, 24 known vulnerabilities, 9 restrictive licenses

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …

They could choose any supplier they want for any given part, regardless of quality.
Any part can be chosen even if it is outdated or known to be unsafe.
Since there is no visibility, it is very slow and costly to recall a part.
There is no quality control or consistency from car to car.
There is no inventory of the parts that were used, or where.

1. Create a software Bill of Materials for your application
2. Design a frictionless, automated, “continuous” approach
3. Empower developers with the right information at the right time

CREATE A SOFTWARE BILL OF MATERIALS

bit.ly/softwareBOM

5 MINUTES

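The "create a bill of materials" and "track what you use and where" steps above, as a small added example that is not part of the original slides and not Sonatype's tooling. It parses a constructed Maven-style dependency manifest into a bill of materials that records which module pulls in each component, then checks every entry against a constructed advisory list and licence table (the `ADV-EXAMPLE-*` ids, the licence assignments and the policy thresholds are all hypothetical, not real CVEs or real projects) and produces the three counts the deck reports for an application (components, known vulnerabilities, restrictive licences) plus the "where is it used" map a recall needs.

```python
"""Minimal software bill of materials (SBOM) with a policy check.

Added example; not Sonatype's code. Every input below is constructed for
illustration: the manifest, the advisory feed and the licence table are
hypothetical and name no real artifacts or CVEs.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed dependency manifest: "<module> <group:artifact:version>" per line.
MANIFEST = """\
app-web      com.example:web-framework:2.4.1
app-web      com.example:json-parser:1.0.3
app-batch    com.example:json-parser:1.0.3
app-batch    com.example:crypto-utils:0.9.0
app-batch    com.example:reporting-lib:3.2.0
"""

# Constructed advisory feed: (group:artifact, affected version) -> (id, CVSS).
# Hypothetical identifiers, not real CVEs.
ADVISORIES: Dict[Tuple[str, str], Tuple[str, float]] = {
    ("com.example:json-parser", "1.0.3"): ("ADV-EXAMPLE-001", 9.8),
    ("com.example:crypto-utils", "0.9.0"): ("ADV-EXAMPLE-002", 5.3),
}

# Constructed licence table and a hypothetical policy that treats copyleft
# licences as "restrictive" for a proprietary product.
LICENSES = {
    "com.example:web-framework": "Apache-2.0",
    "com.example:json-parser": "MIT",
    "com.example:crypto-utils": "GPL-3.0-only",
    "com.example:reporting-lib": "AGPL-3.0-only",
}
RESTRICTIVE = {"GPL-3.0-only", "AGPL-3.0-only"}


@dataclass
class Component:
    name: str                                   # group:artifact
    version: str
    used_in: Set[str] = field(default_factory=set)  # modules depending on it
    license: str = "UNKNOWN"
    advisory: Optional[Tuple[str, float]] = None    # (id, cvss) if vulnerable


def build_sbom(manifest: str) -> Dict[Tuple[str, str], Component]:
    """One Component per (name, version), with every module that uses it,
    so a recall knows exactly where a bad part was installed."""
    sbom: Dict[Tuple[str, str], Component] = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        module, coord = line.split()
        group, artifact, version = coord.split(":")
        name = f"{group}:{artifact}"
        comp = sbom.setdefault((name, version), Component(name, version))
        comp.used_in.add(module)
        comp.license = LICENSES.get(name, "UNKNOWN")
        comp.advisory = ADVISORIES.get((name, version))
    return sbom


def evaluate(sbom: Dict[Tuple[str, str], Component], cvss_block: float = 7.0) -> dict:
    """Apply the policy: count components, known vulnerabilities and
    restrictive licences, list what would block a build, and say where
    each vulnerable component is used."""
    vulnerable = [c for c in sbom.values() if c.advisory]
    restrictive = [c for c in sbom.values() if c.license in RESTRICTIVE]
    blocking = [c for c in vulnerable if c.advisory[1] >= cvss_block]
    return {
        "components": len(sbom),
        "known_vulnerabilities": len(vulnerable),
        "restrictive_licenses": len(restrictive),
        "blocking": sorted(f"{c.name}:{c.version}" for c in blocking),
        "where": {f"{c.name}:{c.version}": sorted(c.used_in) for c in vulnerable},
    }


if __name__ == "__main__":
    for key, value in evaluate(build_sbom(MANIFEST)).items():
        print(f"{key}: {value}")
```

Run directly, it prints the report. The `blocking` list is what an automated, continuous pipeline would fail on, and the `where` map is the inventory that makes a recall cheap instead of "very slow and costly".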

Supply chain advantage

Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri

IT’S TIME WE IMPROVE OUR SOFTWARE SUPPLY CHAINS

LEVERAGING COLLABORATION + GOVERNANCE TO CREATE VALUE!