Golden Repository

Understand the ecosystem of modern software development and the opportunities to transform the historical conflict between developing feature-rich applications quickly for operational benefit, and the increasing need for applications to be developed methodically, securely, in ways that reduce organizational risk.

Published in: Technology, Education

  • Pleasantries… We are here to discuss the ecosystem of modern software development and the opportunities to transform the historical conflict between developing feature-rich applications quickly for operational benefit, and the increasing need for applications to be developed methodically, securely, in ways that reduce organizational risk.
  • Use this section of slides when presenting to an application development audience.
  • Sonatype automated policy management provides guidance/enforcement throughout the entire lifecycle.
    Central Administration: centralized policy administration provides enterprise-wide risk management.
    Flexible Enforcement: stage-appropriate guidance/enforcement provides flexibility while ensuring security.
    This approach lets you use policies that guide the developer, rather than implementing a rigid, laborious, approval-laden process that stymies development or encourages the developer to bypass the policy.
    DETAIL
    Sonatype uses a metadata approach to drive policies that can be enforced at various points throughout the software development lifecycle. Security, licensing, and quality related data that describe the components are used to create the policies. Policies are created and managed centrally and “enforced” locally. Local enforcement means that the policy actions are integrated directly into the development tools: repository manager, IDEs, CI, etc. Since Sonatype provides benefit to the developers directly within their tools, the policy approach is unobtrusive, and since the “enforcement” actions are flexible, it doesn’t force a rigid “yes you can or no you can’t use this component”. This approach ensures collaboration between all parties and removes the incentive for developers to work around the system.
    +++
    Most security solutions are plagued by developer resistance: the tools are designed for highly trained security professionals who are focused on identification. The security professionals then report “violations” to the developers. The developers resist this approach because it tends to be adversarial, and the information provided by the security team is not directly actionable, takes a lot of time to weed through, and does not come with explicit remediation actions.
    The Sonatype approach provides direct benefit to the developer:
    Information is provided early in the lifecycle (including initial recommendations on what component to use).
    Information that is provided is KNOWN information; it is highly trustworthy and directly relevant.
    Information is actionable: it is delivered in the appropriate tool, which provides flexibility based on policy (developers have the flexibility to work with new components early in the lifecycle while production systems are protected as the applications get closer to production).
  • Now that we have discussed how the application process has changed, let’s explore how Sonatype helps you speed the development process while mitigating security, licensing and quality concerns. We’ll take a look at how Sonatype:
    • ensures the integrity of the components that you download from Central;
    • uses policy to guide the development effort;
    • identifies and prioritizes exposures so that they can be easily eliminated (fixed);
    • monitors production applications for newly discovered vulnerabilities.
  • There’s so much that ECM is and can do for your business. ECM is a strategic necessity that puts you in control of your business and enables you to Every conceivable business article or book mentions the importance of information in the so called “new economy”, but very few organisations actually manage information as a strategic resource; those who do are market leaders. In the end it boils down to improved financial performance and genuine competitive differentiation.
  • Transcript

    • 1. The Golden Repository of Yesterday is NOT the Answer. Go Fast. Be Secure. The Webinar will start at 12 PM EDT. Tweet your thoughts: #sonatype. The Component Lifecycle Management Company
    • 2. The Component Revolution [chart: requests in millions per year, 2001 through 2012; 8 billion requests in 2012]
    • 3. The Need for Repository Management. Why Use a Repository? Reduce Build Times by proxying cloud repositories and caching components locally. Improve Collaboration by providing a central location to store, manage, and share common components used across developers and teams. Enhance Control by providing a mechanism to observe, manage, and govern component usage.
    • 4. Foundation for Agile, Component-Based Development
    • 5. Nexus Pro: Go Beyond Basic Repository Management. Know Your Components with Repository Health Check. Gain Control with automated controls for component management. Ensure Security with access controls and secure connectivity to the Central Repository. Scale with Ease with smart proxy to ensure your repos are always available and your teams are in sync. Manage All Your Components with support for .NET / NuGet repositories.
    • 6. Why Yesterday’s Golden Rep isn’t so Golden
    • 7. Developers Will Bypass Your Repository
    • 8. Repo-Only Approaches Aren’t Flexible Enough [diagram: Flexibility vs. Control]
    • 9. Golden Repo Component Approvals Can’t Keep Pace
    • 10. Without Governance, Components Become Stale. Versions without the vulnerabilities exist, but they aren’t in the Repo.
    • 11. Vulnerability Discovery is Required. Proactive identification and analysis of security vulnerabilities and licensing issues needs to be ongoing and comprehensive.
    • 12. Your Strategy Must Extend to Production Apps. Component threats are not static; hackers are not complacent. Continuous protection for production apps is needed.
    • 13. Risk Profiles Vary by App & Organization
    • 14. Why not use multiple repositories to address these challenges?
    • 15. Multiple / Segmented Repositories are Not the Answer. Managing multiple repositories increases the administrative burden. Playing the “let’s change the repo URL and see what breaks” game is problematic. Developers don’t know what will or won’t be approved. Reconciliation tends to happen late in the Dev Cycle.
    • 16. So what do you need to solve this problem?
    • 17. A New Approach is Needed: Fast, Precise, Contextual, Actionable, Continuous
    • 18. (image only)
    • 19. Fast: Automated Policies Speed Development. Automated Policies Free Humans: 1. Humans define policy. 2. Machines automate the implementation of policy. 3. Humans manage exceptions.
    • 20. (image only)
    • 21. (image only)
    • 22. Contextual: Info Must Be Relevant to My Needs. Info Must Be Specific to My Apps & Toolchain. Information needs to apply to my application. SQL Injection vulnerabilities only apply to DB apps. CopyLeft licenses may not be a problem for internal applications or services.
    • 23. (image only)
    • 24. Actionable: Help Developers Fix Problems. Only Developers Can Fix It: Guidance is Key. Now that you've told me about a problem, tell me what I can do to fix it. Suggest alternatives. Even if I don't completely understand the risk, if you show me an easy fix, I will take it.
    • 25. (image only)
    • 26. (image only)
    • 27. Continuous: Constant Diligence is Needed to Prevent Rot. Component Vulnerabilities are not Static. Applications that have "left the building" don't age like wine. They age like milk, and you need to monitor for newly discovered threats.
    • 28. (image only)
    • 29. Only Sonatype is designed for how applications are constructed today. Only Sonatype provides automated policies that guide development and production effort for the entire software lifecycle.
    • 30. Sonatype Product Family. Sonatype CLM (Component Lifecycle Management): centrally define governance policies; enforce throughout the lifecycle; integrate with existing developer tools; build security in from the start; continuous trust for production apps. Sonatype Nexus Repository Management: Nexus Pro CLM Edition (component governance in the repo); Nexus Pro (enterprise features, enterprise support); Nexus OSS (industry standard open source repository manager). Benefits shown across the stack: improve collaboration, controlled release process, speed builds.
    • 31. Want to Learn More? Yes, Policies Can Speed Development: November 6th at 12pm EDT. Register Now: http://www.sonatype.com/request/nexus-webinar-series. Exclusive Brief: Successful Agile Development Efforts Require Automated “Golden” Policies, available only to registrants. Join Nexus Live: Automated Deployment of Nexus as Part of a SaaS Platform, October 23rd, http://www.sonatype.com/october-nexus-live. Download a Free Trial: Updated Trial Guide and New Ant & Gradle Samples, http://www.sonatype.com/nexus/free-trial
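The speaker notes and slides 19, 22, 24 and 27 describe one mechanism: policies defined centrally from component metadata, enforced locally with a stage-appropriate action (warn in the IDE, fail the build, block the release, alert in production), filtered by application context, paired with a suggested fix, and re-run when new vulnerability data arrives. The following is an added example written for this page to show that mechanism end to end; it is not Sonatype CLM or Nexus code. Every component name (acme-*), version, license, vulnerability identifier (VULN-000x), score, stage name and action name is constructed for illustration, and the two VULN_DB dictionaries stand in for a metadata feed at two points in time.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str      # constructed identifier, not a real advisory number
    category: str     # e.g. "sql-injection", "deserialization"
    severity: float   # constructed 0-10 score


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Application:
    name: str
    uses_database: bool           # context: SQL-injection findings matter only here
    distributed_externally: bool  # context: copyleft obligations matter only here
    components: tuple


COPYLEFT_LICENSES = frozenset({"GPL-2.0", "GPL-3.0", "AGPL-3.0"})
STAGES = ("develop", "build", "release", "production")

# Constructed vulnerability feed keyed by (name, version); stands in for the
# security/licensing metadata the speaker notes describe.
VULN_DB_OCT = {
    ("acme-orm", "1.2.0"): (Vulnerability("VULN-0001", "sql-injection", 8.1),),
    ("acme-xml", "3.0.1"): (Vulnerability("VULN-0002", "deserialization", 9.0),),
}
# The same feed a month later: a new finding against a component that was clean.
VULN_DB_NOV = dict(VULN_DB_OCT)
VULN_DB_NOV[("acme-log", "2.4.0")] = (Vulnerability("VULN-0003", "remote-code-exec", 9.8),)

# Constructed catalog of versions published upstream (newest last); the local
# repository may not hold all of them, which is the point of slide 10.
CATALOG = {"acme-orm": ("1.1.0", "1.2.0", "1.2.1"), "acme-log": ("2.4.0", "2.5.0")}


def relevant_vulns(component, app, vuln_db):
    """Contextual filtering (slide 22): drop findings that cannot apply to this app."""
    return [v for v in vuln_db.get((component.name, component.version), ())
            if not (v.category == "sql-injection" and not app.uses_database)]


def severe_vuln_rule(component, app, vuln_db):
    hits = [v for v in relevant_vulns(component, app, vuln_db) if v.severity >= 7.0]
    return "severe: " + ", ".join(v.vuln_id for v in hits) if hits else None


def copyleft_rule(component, app, vuln_db):
    if component.license in COPYLEFT_LICENSES and app.distributed_externally:
        return f"copyleft license {component.license} in externally distributed app"
    return None


# Policies are defined centrally: a rule plus a stage-appropriate action table.
# The same rule warns in the IDE, fails the CI build and blocks the release.
POLICIES = {
    "severe-vulnerability": (severe_vuln_rule,
        {"develop": "warn", "build": "fail", "release": "block", "production": "alert"}),
    "copyleft-license": (copyleft_rule,
        {"develop": "warn", "build": "warn", "release": "block", "production": "alert"}),
}


def evaluate(app, stage, vuln_db, waivers=frozenset()):
    """Local enforcement for one lifecycle stage.
    Returns (name, version, policy_id, action, reason) tuples. `waivers` holds
    (policy_id, name, version) exceptions granted by a human (slide 19, step 3)."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    findings = []
    for comp in app.components:
        for policy_id, (rule, actions) in POLICIES.items():
            reason = rule(comp, app, vuln_db)
            if reason is None or (policy_id, comp.name, comp.version) in waivers:
                continue
            findings.append((comp.name, comp.version, policy_id, actions[stage], reason))
    return findings


def suggest_fix(component, app, vuln_db):
    """Actionable guidance (slide 24): newest catalog version with no relevant
    findings, or None when the current version is already clean or no fix exists."""
    if not relevant_vulns(component, app, vuln_db):
        return None
    for version in reversed(CATALOG.get(component.name, ())):
        if not relevant_vulns(Component(component.name, version, component.license), app, vuln_db):
            return version
    return None


def newly_exposed(app, old_db, new_db):
    """Continuous monitoring (slide 27): production findings that appear only
    once the feed is refreshed, i.e. a deployed app that has started to rot."""
    before = set(evaluate(app, "production", old_db))
    return [f for f in evaluate(app, "production", new_db) if f not in before]


# Constructed applications sharing a component but differing in context.
PORTAL = Application("customer-portal", uses_database=True, distributed_externally=False,
                     components=(Component("acme-orm", "1.2.0", "Apache-2.0"),
                                 Component("acme-log", "2.4.0", "Apache-2.0"),
                                 Component("acme-tools", "0.9.0", "GPL-3.0")))
SDK = Application("partner-sdk", uses_database=False, distributed_externally=True,
                  components=(Component("acme-orm", "1.2.0", "Apache-2.0"),
                              Component("acme-tools", "0.9.0", "GPL-3.0")))

if __name__ == "__main__":
    for app in (PORTAL, SDK):
        print(app.name, {s: evaluate(app, s, VULN_DB_OCT) for s in STAGES})
    print("fix for acme-orm in portal:", suggest_fix(PORTAL.components[0], PORTAL, VULN_DB_OCT))
    print("new production exposure:", newly_exposed(PORTAL, VULN_DB_OCT, VULN_DB_NOV))
```

The same `acme-orm` version is a finding for the database-backed portal and a non-finding for the SDK, while the GPL component is the reverse; that is the "contextual" point. The action table is what makes enforcement stage-appropriate rather than a flat allow/deny list, and the waiver set is where the human-managed exception from slide 19 lives. `newly_exposed` is the production monitor: nothing in the portal changed between the two feeds, yet a new finding surfaces, which is the "ages like milk" case from slide 27.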