We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry?
6. POLLING QUESTION: What percent of modern apps are composed of open source components?
a. 10 - 20%
b. 50 - 60%
c. 80 - 90%
7. How Dependent on 3rd Parties Are We?
Typical Application: 10% custom written code, 90% from 3rd parties (open source, cloud services, closed source).
@sonatype
8. Need speed, efficiency & quality for agile, continuous DevOps?
Automate your software supply chain with three proven principles:
Use higher quality parts.
Use better & fewer suppliers.
Track what you use and where.
10. CHANGE
Typical component is updated 3 - 4X per year.
985,000 OSS COMPONENTS, 11 MILLION OSS USERS, 108,000 SUPPLIERS
Source: 2015 State of the Software Supply Chain Report
11. POLLING QUESTION: How many open source suppliers do companies work with?
a. 5,372
b. 7,601
c. 15,118
12. Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report
           Orders (downloads)   Suppliers (artifacts)   Parts (versions)
Average    240,757              7,601                   18,614
13. 59% never repaired; 41% repaired, taking 390 days (median 265 days); CVSS 10s: 224 days. The best were remediated in under a week (<7 days).
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
15. Sample of Open Source Repositories: 2014 Volume of Download Requests
Central.sonatype.org   17,213,084,947
Npmjs.org              15,460,748,856
NuGetGallery.com          280,124,916
Bintray.com               250,000,000
Source: 2015 State of the Software Supply Chain Report
16. Source: 2015 State of the Software Supply Chain Report
PATTERN #1: Public Repos -> Local Repo -> Build Tool
PATTERN #2: Public Repos -> Build Tool
17. POLLING QUESTION: What percent of components are sourced from repository managers vs. other tools?
a. 25%
b. 55%
c. 95%
18. Source: 2015 State of the Software Supply Chain Report
PATTERN #1: Public Repos -> Local Repo -> Build Tool (95% of downloads)
PATTERN #2: Public Repos -> Build Tool (5% of downloads)
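As an added example (not from the deck and not Sonatype's own tooling), the following Python script checks which of the two download patterns a build is configured for. It assumes Maven as the build tool and reads its settings.xml: a catch-all mirror that points at the local repository manager is pattern #1, while a missing or partial mirror leaves the build tool fetching some or all components directly from public repositories (pattern #2). The hostnames and the three sample settings files are constructed.

```python
"""Classify a Maven settings.xml as pattern #1 (all downloads routed through
a local repository manager) or pattern #2 (build tool reaches public repos
directly). Added example; Maven as build tool and all hostnames are assumptions."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/SETTINGS/1.0.0"}

# Constructed: every repository is mirrored by the local repository manager.
SETTINGS_PATTERN_1 = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>local-repo-manager</id>
      <mirrorOf>*</mirrorOf>
      <url>https://repo.internal.example/repository/maven-public/</url>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed: only Central is mirrored; repositories declared in POMs are
# still fetched directly from the public internet, bypassing the manager.
SETTINGS_PARTIAL = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-only</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo.internal.example/repository/maven-central/</url>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed: no mirrors at all, the plain pattern #2.
SETTINGS_PATTERN_2 = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
</settings>
"""


def mirrors(settings_xml: str) -> list:
    """Return the (mirrorOf, url) pairs declared in a settings.xml document."""
    root = ET.fromstring(settings_xml)
    found = []
    for m in root.findall("m:mirrors/m:mirror", NS):
        of = m.findtext("m:mirrorOf", default="", namespaces=NS).strip()
        url = m.findtext("m:url", default="", namespaces=NS).strip()
        found.append((of, url))
    return found


def routes_everything_internally(settings_xml: str, internal_host: str) -> bool:
    """True only when a catch-all mirror ('*' or 'external:*') points at the
    internal repository manager, so no component download can bypass it."""
    for of, url in mirrors(settings_xml):
        catch_all = of in ("*", "external:*")
        if catch_all and url.startswith(f"https://{internal_host}/"):
            return True
    return False


def classify(settings_xml: str, internal_host: str) -> str:
    """Label the configuration with the deck's pattern names."""
    if routes_everything_internally(settings_xml, internal_host):
        return "pattern-1: all downloads via local repo manager"
    if mirrors(settings_xml):
        return "partial: some repositories still fetched directly"
    return "pattern-2: build tool downloads directly from public repos"


if __name__ == "__main__":
    for name, doc in [("pattern-1 sample", SETTINGS_PATTERN_1),
                      ("partial sample", SETTINGS_PARTIAL),
                      ("pattern-2 sample", SETTINGS_PATTERN_2)]:
        print(f"{name}: {classify(doc, 'repo.internal.example')}")
```

Run it against the settings.xml of each developer workstation and CI agent. A "partial" result matters as much as pattern #2: any repository a POM declares is then fetched outside the manager, so the inventory of what was downloaded, and from where, is incomplete.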
20. Source: 2015 State of the Software Supply Chain Report
240,000 Components Downloaded Annually
21. POLLING QUESTION: What percent of organizations do not have a policy governing quality and integrity of components?
a. 25%
b. 55%
c. 95%
22. Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
23. Orders Quality Control: Download Volumes of Old CVEs
Average downloads   # with known vulnerabilities   % with known vulnerabilities   % known vulnerabilities (2013 or older)
240,757             15,337                          7.5%                            66.3%
Source: 2015 State of the Software Supply Chain Report
25. Analysis of 1,500+ Applications
106 components
24 known vulnerabilities
9 restrictive licenses
26. What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
They could choose any supplier they want for any given part, regardless of quality.
Any part can be chosen even if it is outdated or known to be unsafe.
Since there is no visibility, it is very slow and costly to recall a part.
There is no quality control or consistency from car to car.
There is no inventory of the parts that were used, or where.
27. 1. Create a software Bill of Materials for your application
2. Design a frictionless, automated, “continuous” approach
3. Choose good components from the start - empower developers with the right information at the right time
28. Shift Left = ZTTR (Zero Time to Remediation)
CHOOSE GOOD COMPONENTS FROM THE START: analyze all components from within your IDE. License, security and architecture data for each component, evaluated against your policy.
29. CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD
Jenkins integration: run history and status of each build, across multiple applications. Builds might be stable or unstable; it also shows build successes and failures.
Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.
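The three steps of slides 27 to 29 (build a bill of materials, automate the check, evaluate every component against policy before it is chosen or built) can be shown end to end. The following Python script is an added example, not code from the deck and not Nexus Lifecycle or its IDE plugin: it assembles an inventory from a constructed Maven-style list of resolved dependencies, looks each component up in a constructed license/vulnerability feed (the feed's shape is an assumption; the vulnerability ids are placeholders), and reports the violations a CI job would fail the build on: known vulnerabilities at or above a CVSS threshold, restrictive licenses, components older than a cutoff, and components for which no data exists at all.

```python
"""Build a software bill of materials (SBOM) from a resolved dependency list
and evaluate every component against a policy. Added example; the feed
format, policy thresholds and all sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
import json

# Constructed Maven-style dependency list (group:artifact:version), as a
# build tool would resolve it. Not taken from the deck.
RESOLVED_DEPENDENCIES = """
org.example:web-core:2.3.1
org.example:json-util:1.0.4
org.example:legacy-parser:0.9.0
org.example:logging:5.2.0
"""

# Constructed component metadata feed: license, release date and known
# vulnerabilities with CVSS scores. In practice this comes from the
# organisation's component intelligence source; ids are placeholders.
COMPONENT_FEED = {
    "org.example:web-core:2.3.1": {"license": "Apache-2.0", "released": "2015-02-10",
                                    "vulns": [{"id": "EXAMPLE-0001", "cvss": 9.8}]},
    "org.example:json-util:1.0.4": {"license": "MIT", "released": "2014-11-03", "vulns": []},
    "org.example:legacy-parser:0.9.0": {"license": "GPL-3.0", "released": "2011-06-20",
                                         "vulns": [{"id": "EXAMPLE-0002", "cvss": 5.0}]},
    "org.example:logging:5.2.0": {"license": "Apache-2.0", "released": "2015-01-15", "vulns": []},
}


@dataclass
class Policy:
    max_cvss: float = 7.0                                  # fail on any vuln at or above this
    restrictive_licenses: tuple = ("GPL-2.0", "GPL-3.0", "AGPL-3.0")
    max_age_days: int = 3 * 365                            # flag components older than this
    today: date = date(2015, 6, 1)                         # fixed so the example is deterministic


@dataclass
class Component:
    coordinates: str
    license: str
    released: date
    vulns: list = field(default_factory=list)


def build_sbom(resolved: str, feed: dict) -> list:
    """Turn the resolved dependency list into an inventory of Components."""
    sbom = []
    for line in resolved.strip().splitlines():
        coords = line.strip()
        if not coords:
            continue
        meta = feed.get(coords)
        if meta is None:
            # Unknown component: keep it in the inventory with no data so policy can flag it.
            sbom.append(Component(coords, "UNKNOWN", date.min, []))
            continue
        sbom.append(Component(coords, meta["license"],
                              date.fromisoformat(meta["released"]), meta["vulns"]))
    return sbom


def evaluate(sbom: list, policy: Policy) -> dict:
    """Return {coordinates: [violation strings]} for every component that fails policy."""
    violations = {}
    for c in sbom:
        problems = []
        for v in c.vulns:
            if v["cvss"] >= policy.max_cvss:
                problems.append(f"vulnerability {v['id']} CVSS {v['cvss']}")
        if c.license in policy.restrictive_licenses:
            problems.append(f"restrictive license {c.license}")
        if c.license == "UNKNOWN":
            problems.append("no component data available")
        elif (policy.today - c.released).days > policy.max_age_days:
            problems.append(f"released {c.released.isoformat()}, older than policy allows")
        if problems:
            violations[c.coordinates] = problems
    return violations


def sbom_as_json(sbom: list) -> str:
    """Serialise the inventory: what is used, under which license, with which known issues."""
    return json.dumps([{"component": c.coordinates, "license": c.license,
                        "released": c.released.isoformat(),
                        "known_vulnerabilities": [v["id"] for v in c.vulns]}
                       for c in sbom], indent=2)


if __name__ == "__main__":
    inventory = build_sbom(RESOLVED_DEPENDENCIES, COMPONENT_FEED)
    print(sbom_as_json(inventory))
    for coords, problems in evaluate(inventory, Policy()).items():
        print(f"FAIL {coords}: {'; '.join(problems)}")
```

Wiring this into the build is the "continuous" part of step 2: a non-empty result from evaluate() fails the job, and the JSON inventory is what makes a later recall (a new CVE against an old version) a lookup rather than a search.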
30. CREATE A SOFTWARE BILL OF MATERIALS
bit.ly/softwareBOM
5 MINUTES
31. Supply chain advantage
Source: Toyota Supply Chain Management: A Strategic Approach to Toyota’s Renowned System, by Ananth Iyer and Sridhar Seshadri
32. John Willis, DevOps Days Core Organizer
Gareth Rushgrove, Puppet Labs
Nigel Simpson, F-100 Entertainment Giant
33. Back to the Cars…
What’s this got to do with software???
Use fewer and better suppliers
Choose high quality parts
Track what parts are used and where
Quality, speed, remediation time
Debt, rework, negative branding
Collaboration and governance to create value!
Editor's Notes
We are in the business of open source governance, management and compliance (add in slide or on cover slide)
Your Company Runs on Software – it must be trusted
We are going to compare building cars with building software – what we are going to realize is the car industry is leaps ahead of the software industry in managing their supply chain – the question is what can we learn from them? We will explore the question, does closely managing our supply chain have benefit in the software industry? I think the answer will be obvious!
A defective part as simple as a “nut or bolt” can create havoc in a finished product such as a car – it’s clear that each part matters!
Having a keen eye on the explosive utilization of OSS components, I was VERY interested to see the intersection of the traditional Supply Chain Management principles and how they were used in the software world. I knew there were problems, but after reading “2015 State of the Software Supply Chain” and “The Phoenix Project,” I was astonished to see that many, if not all, of the core Supply Chain Management principles have yet to be or are just starting to be applied to the software industry.
The definition of supply chain management is “the collaboration, planning, execution, control, and monitoring of supply chain activities with the objective of creating value.” Probably the most important part of that definition is the collaboration between supply chain activities to create value.
DevOps and Continuous Delivery have great promise, but velocity without value is not going to cut it – or put another way, even if you are efficiently digging yourself into a hole, you still need to STOP DIGGING!
These are the principles that Toyota applies.
Our customers strive to automate their software supply chain by using better and fewer suppliers, higher quality and secure parts—and confidently track the parts they're using and their dependencies.
Add wrap it up slide to position or products as solutions
The suppliers and the manufacturers need to share information. And right now that communication channel is not only broken, it simply doesn’t exist. Components are updated an average of 4X a year to fix issues, but how do the manufacturers even learn about it?
Supply chain management at Toyota was transformational. They went from being a textile company to the world’s leading automobile manufacturer, largely because of these improvements and these principles. And even today, the effect of their philosophy is pretty remarkable to me. For example, Toyota-wide, they have 226 suppliers. General Motors has 5,500. And so imagine the efficiencies of only having to deal with 226 suppliers as opposed to 5,000. And what’s further to that, is that GM produces 54% of the content of their vehicles and Toyota produces 27%. So, GM has 1/20th the suppliers, and yet they produce half of the content of their vehicles. And so it’s no surprise that a Volt costs $40,000 and a Prius $20,000. And the Prius sells 20,000 units a month and GM sells 1,700.
By not using a repo, it’s like going to the grocery store every time you need a glass of milk or a teaspoon of sugar.
The analogy is sobering, yet closer to the truth than one might imagine. Modern software development has evolved into a “software supply chain” where developers re-use open source components from vast public repositories.
Unlike traditional supply chains, developers lack the automation and visibility needed to choose better and fewer suppliers, use the highest quality parts and track what is used where.
So how do we change that!
First of all… when you can clearly see the threat levels of components in your IDE, you can easily shift to a safer one.
The area here in the lower right works like a slider… you simply slide to the right to identify a safer, accepted version of a component.
So you see, you not only see a potential problem early on, but you also see the solution.
Better yet…
=========
Click onto pane and zoom in and zoom out
Guide your eyes to the RIGHT….
This is a normal Developer IDE called Eclipse…
Sonatype made a PLUGIN within it to show a developer the component BEFORE they choose or commit to ELECTIVE/AVOIDABLE Risk/AttackSurface/Complexity/LegalIssues …
The RED chain (e.g.) is every version of Struts2-core…. And if you move RIGHT far enough…. It will lack KNOWN CRITICAL vulnerabilities.
The Green bar charts are the download popularity… which doesn’t speak at all to SECURITY… but may give people more comfort that it is stable and being used.
License risk is based on self-defined policy – we track if the use of this license can cause your whole website to now be FREE common open source – like GPL… which might be very bad for you… and a DIFFERENT type of risk…
Toyota’s process innovations brought them enormous gains in productivity, predictability and long term competitive advantage.
That is our mission for the world of software development.
You may know Gene Kim, the author of the Phoenix project - he certainly understands the value of managing your software supply chain!