WHITEPAPER
Nexus Lifecycle: Software Supply Chain Automation
HOW TO GET INFOSEC AND LEGAL TEAMS INVITED TO THE DEVOPS TABLE
Page 2 Nexus Lifecycle: Software Supply Chain Automation
TABLE OF CONTENTS
3  Executive Summary
5  Complexity: The Enemy of Speed
7  The Case for a Software Supply Chain Approach
11 Next Steps Toward Software Supply Chain Best Practices
EXECUTIVE SUMMARY
With automated discovery, approval and tracking of Free Open Source Software (FOSS) components, InfoSec and legal teams are no longer the bottleneck for development teams. When the selection of better and safer components is auto-adjudicated and continuously tracked and monitored throughout the software development lifecycle, InfoSec and legal teams become first-class partners in DevOps efforts.
The last 15 years have seen a revolution in the way software is developed and delivered. For example, developers commonly share and re-use components like Lego blocks to quickly build applications and services.

Most often, a component is open source software that is shared among developers via public repositories, such as the Central Repository, and is downloaded and assembled into applications. Nearly one million components are available, such as web frameworks, logging mechanisms and database access libraries that form the foundation for modern applications. Not surprisingly, 80-90 percent of a typical software application today is made up of components.
Despite their pervasive use, inefficient component approval and management practices often sabotage goals for speed, efficiency and quality. The quickening pace of development teams has put a strain on the slow, manual approval processes many organizations have today. Few organizations can quickly answer essential questions such as "what components do we use, and where?", which often leads to email chains or end-point scanning to assess the impact when an issue does arise.
Unlike the manufacturing supply chain, where organizations recognize the need to use fewer and better suppliers, use the highest quality parts and track where they are used, the software industry is just now beginning to realize the potential of these basic, proven principles. The lack of visibility, processes and automation leads to inadvertent use of outdated, defective and redundant components, which in turn leads to unplanned work, technical debt, maintainability headaches, license risk and security vulnerabilities.
Sonatype's Nexus Platform of software supply chain solutions addresses these issues. Specifically, Nexus Lifecycle is a product that automates the component approval process, provides ongoing visibility throughout the SDLC and also offers daily monitoring of assets running in production. This automated approach optimizes the software supply chain at the heart of the agile, continuous and DevOps movements and helps InfoSec and legal organizations meet their business demands while partnering with delivery organizations instead of being perceived as creating barriers.
Given the scope of the problem, it is not surprising that software supply chain automation delivers productivity improvements of up to 30-40% with:
• Auto-Adjudicated Approvals – Development teams instantly know whether a new component for their project meets policy guidelines, and gain visibility into other versions that do meet the policy. Making better component choices early on reduces unplanned, unscheduled work down the road.
• More Visibility – Know exactly which components are used and where. As security issues emerge, you are notified and can quickly assess the impact, reducing the time required to detect and remediate issues.
• Reduced Maintenance – Use only current component versions and avoid using multiple and varied frameworks, logging mechanisms, etc., to reduce maintainability issues and unnecessary technical bloat.
• Simplified Re-Use – When using Nexus Lifecycle in conjunction with Nexus Repository Manager, you can easily share and version external and internal components across development teams and tools, so that teams efficiently pull components from a consistent, controlled, stable and deterministic location.
• Staying Ahead of Your Adversaries – Be alerted when open source projects publish a new version to improve features or patch a security vulnerability. Too often, adversaries identify vulnerable component targets by monitoring the NIST National Vulnerability Database and other vulnerability databases. To prevent breaches, you need fast, proactive access to this same information.
Software supply chain automation unites the goals of DevOps, InfoSec and legal teams by enabling software development and delivery teams to go even faster, while simultaneously achieving greater efficiency and quality.
This white paper describes the ways in which Nexus Lifecycle enables these teams to collaborate for mutual benefit.
COMPLEXITY: THE ENEMY OF SPEED
Organizations lack proper controls
While component-based software development is widely accepted and growing exponentially, the complexities and inefficiencies are just now becoming clear.

Whereas traditional manufacturing supply chains use automation to ensure that better and fewer suppliers are chosen, only the highest quality parts are used and all parts are traceable, the software industry has a lot of room for improvement.
Components are pervasive
To fuel agile, continuous and DevOps initiatives, the demand for open source components is skyrocketing. Requests from the Central Repository, the industry's primary source for Java open source components, have increased 800% over the past five years, to 17 billion in 2014.
Component defects create unplanned work
Whether provided by commercial vendors or open source projects, components can introduce significant management, security and licensing challenges. In 2014, more than 6 percent of all components downloaded from the Central Repository had known critical or severe vulnerabilities [3], and many of these are making their way into today's software. Recent analysis of software from a broad cross-section of industries revealed that a typical application has 24 components with known critical or severe security vulnerabilities and nine components under restrictive GPL licenses. [4] However, few organizations have the proper controls in place to mitigate the rework and risks posed by flawed components. [See Figure 1]
Component complexity exacerbates the problem
To add to the problem, most components also depend on other components. These relationships, known as transitive dependencies, can be difficult or impossible for developers to understand, track and support without tools designed to manage these supply chain complexities. Component dependencies can introduce security vulnerabilities and intellectual property claims, as well as application stability and performance issues. Often, flawed components are nested deep in an application's dependency tree and are not readily apparent.
Organizations lack actionable security, quality and licensing information
It is difficult and time consuming for developers to research and determine the security, quality and licensing characteristics of all of the components they use to assemble their applications. Doing this for the components they declare directly is hard enough; extending the research to all component dependencies is beyond reason. Under pressure to deliver applications quickly, developers are forced to take a chance when they select components, exposing the organization to quality, security and license issues.

FIGURE 1: How well does your organization control which components are used in development projects? Response options: "There are no standards. Each developer or team chooses the components that are best for their project."; "We're completely locked down. We can only use approved components."; "Yes, we have some corporate standards, but they aren't enforced." Reported shares: 25%, 36%, 39%. Source: Based on Sonatype's 2014 Open Source Development survey with more than 3500 respondents.
Organizations regularly consume outdated, flawed, or insecure components
Open source projects release 3-4 updates per year, on average. [5] However, since there is no communications channel between open source projects and those using their software, there is no easy way for component consumers to know when a new version has been released. Organizations are consuming outdated, defective or insecure components even years after newer, fixed versions are available, contributing to a growing mountain of technical debt. An analysis of component downloads by large technology and financial services firms showed that organizations consumed an average of 27 versions of their most popular components. Each version has its own characteristics and variances to manage and maintain.
Organizations don't have the capacity to manage newly discovered defects
These days, more and more organizations are aware of and support the use of open source components; however, they are unaware of the complexity, unsure of the number of components used and unclear about where they are used. [See Figure 2] When defects or bugs have been repaired or a security flaw is discovered, many organizations are left exposed, unaware of where or how they are using the affected component. It is a challenge that impacts the full software supply chain.
Agile development and geographically dispersed development teams add to the complexity
Agile software development projects, with their rapid iterations, continuous integration builds and continuous deployment, have resulted in many more releases over the life of a software project. And increasingly, development teams are geographically dispersed, often including external contractors. Keeping disparate teams in sync and enforcing standards adds yet another layer of complexity to component management.
Restrictive, approval-laden policy approaches don't work
Some organizations attempt to manage component usage by implementing restrictive policies. If a developer wants to use a new component, approvals are needed from the security, legal and architecture teams. Even if the approval process is "automated" using workflow, it can't keep up with the scale or pace of development. On average, sizable development organizations rely on 18,614 unique component versions from 1,997 suppliers. [6] The volume and velocity of consumption today leave developers with few good options. They can either delay their development cycles in order to secure component approvals, work around the policies that are meant to control quality, or pick from out-of-date components that were previously approved.

FIGURE 2: Does your organization maintain an inventory of open source components? Response options: "Yes, for all components including dependencies"; "Yes, for all components, but NOT dependencies"; "No". Reported shares: 40%, 23%, 37%. Source: Based on Sonatype's 2014 Open Source Development survey with more than 3500 respondents.
Security tools for custom code deliver results late in the development cycle
Many organizations have turned to application scanner technologies or application life cycle management to address component concerns. Although these tools play a role in a layered security strategy, they often don't accurately identify issues in component binaries. Scanning tools are designed to evaluate risk in custom source code, so their results arrive after the fact, late in the development life cycle.
THE CASE FOR A SOFTWARE SUPPLY CHAIN APPROACH
Software supply chain automation can empower all organizations to develop better, safer software even faster. As organizations increase velocity through agile, continuous and DevOps initiatives, the speed, efficiency and quality offered by automation become even more essential.

With software supply chain automation, organizations benefit from the same proven supply chain principles that transformed the manufacturing industry. When you choose fewer and better open source suppliers, use only the highest quality components and track which components you are using and where, you can:
• Reduce component approval times from weeks to seconds
• Boost developer productivity by up to 40%
• Detect outdated, redundant or vulnerable components 96% faster
• Remediate defects in minutes, not weeks or months
• Leverage governance as a strategic advantage, not a hindrance
In everything we do and everything we have always done, Sonatype makes software development easier, faster and safer. We pioneered component-based software development with innovations such as Apache Maven, the Central Repository and the Nexus line of repository managers. Nexus Lifecycle continues the innovation in today's world of continuous everything.
Nexus Lifecycle is a software supply chain automation tool custom-designed to streamline component-based development across the life cycle. Nexus Lifecycle tracks usage, enforces quality control policies and prevents the use of defective components throughout the modern software supply chain.

By natively integrating component intelligence and policy automation into the continuous delivery tools developers already use, feedback on component choices is delivered automatically and rapidly. When troublesome components are identified, alternative choices can be selected and applied. The use of outdated, redundant or risky components is avoided proactively, which drastically reduces context switching and unplanned rework. These approaches make it possible not only to develop even faster, but also to be more efficient, increase quality and reduce risk.
Nexus Lifecycle provides a comprehensive inventory of components and an associated bill of materials. Binary fingerprint matching identifies components by their content rather than by file name or declared version, which is what makes the inventory accurate. Inventory information is provided across the SDLC, including the repository manager, IDE and CI server, and on an ongoing basis with application monitoring. [See Figure 3]
1. Smart Consumption
Nexus Lifecycle ensures trust in the software supply chain by authenticating and securely delivering components. [See Figure 4] Nexus Lifecycle gives you:
• Built-in component intelligence that ensures high quality parts are chosen – Sonatype provides component intelligence for the components that are checked into the Central Repository, and will soon include other leading public repositories such as the NuGet Gallery. This security, licensing and quality intelligence is used to reduce unplanned work, improve quality and prevent defects across the software lifecycle.
• Authentication throughout the software life cycle to eliminate the risk of tampering inside the firewall – Nexus Lifecycle uses binary fingerprinting to identify and check the integrity of a component throughout the life cycle. This allows you to detect intentional or inadvertent changes to the component.
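The whitepaper does not describe how Nexus Lifecycle computes its fingerprints, so the following added Python example (not Sonatype's code, and not a description of its product internals) shows the underlying idea with a plain SHA-256 digest. The "catalog" of known-good fingerprints, the pinned manifest and the jar bytes are constructed stand-ins; a real deployment would hold the catalog in the repository manager or a component-intelligence service and the manifest in version control. The point it demonstrates is that identification and integrity both come from the content hash: a file relabelled as a different artifact, or a jar altered on a mirror, is caught even though its file name and declared version look correct.

```python
"""Identify and integrity-check component binaries by content hash rather
than by file name. Added illustration: the catalog, manifest and artifact
bytes below are constructed stand-ins, not real Central Repository data."""
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 of the component bytes. Central publishes SHA-1 sidecars, which
    are fine for lookup, but SHA-1 is not collision-resistant, so pin SHA-256."""
    return hashlib.sha256(data).hexdigest()


# Constructed 'known good' component bytes (stand-ins for real jar files).
GOOD_BYTES = {
    "org.ex:logging:1.2": b"PK\x03\x04 logging-1.2 jar bytes (constructed)",
    "org.ex:json:4.0":    b"PK\x03\x04 json-4.0 jar bytes (constructed)",
}

# Catalog: fingerprint -> coordinate. Answers "what is this file, really?"
CATALOG = {fingerprint(b): coord for coord, b in GOOD_BYTES.items()}

# Pinned manifest the build expects: coordinate -> fingerprint. Answers
# "is this the exact artifact we approved?" (what a lockfile or BOM carries).
MANIFEST = {coord: fingerprint(b) for coord, b in GOOD_BYTES.items()}


def check_artifact(claimed_coord: str, data: bytes):
    """Classify one downloaded artifact. Returns (status, identified_coord):
       ok        - bytes match the pinned fingerprint for the claimed coordinate
       tampered  - the claimed coordinate is pinned, but the bytes differ
       unknown   - the claimed coordinate is not in the manifest at all
    identified_coord is what the catalog says the bytes actually are (or None)."""
    fp = fingerprint(data)
    identified = CATALOG.get(fp)
    if claimed_coord not in MANIFEST:
        return ("unknown", identified)
    if MANIFEST[claimed_coord] == fp:
        return ("ok", identified)
    return ("tampered", identified)


def verify_all(downloaded):
    """downloaded: {claimed_coord: bytes}. Returns {claimed_coord: status}."""
    return {coord: check_artifact(coord, data)[0] for coord, data in downloaded.items()}


if __name__ == "__main__":
    downloaded = {
        "org.ex:logging:1.2": GOOD_BYTES["org.ex:logging:1.2"],           # intact
        "org.ex:json:4.0":    GOOD_BYTES["org.ex:json:4.0"] + b"\x90",    # altered on the mirror
        "org.ex:codec:0.9":   b"PK\x03\x04 something nobody approved",    # never approved
    }
    for coord, status in verify_all(downloaded).items():
        print(f"{coord}: {status}")
    # A relabelled file: logging bytes served under the json coordinate.
    status, really = check_artifact("org.ex:json:4.0", GOOD_BYTES["org.ex:logging:1.2"])
    print(f"org.ex:json:4.0 -> {status}, content identified as {really}")
```

One caveat a practitioner should keep in mind: a `.sha1` sidecar fetched from the same mirror as the jar only proves the transfer was not corrupted, because whoever can alter the jar can alter the sidecar too. The pinned digest has to come from somewhere the same party cannot change, such as a manifest committed to version control or a repository manager inside the firewall, which is the "tampering inside the firewall" case the bullet above refers to.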
2. Rapid Feedback
Nexus Lifecycle provides developers with security, popularity and licensing information, making it easy to detect and prevent flaws early in the development process. This "zero-latency" approach to remediation reduces the friction that negatively impacts developer compliance.
FIGURE 3: Nexus Lifecycle tracks usage, enforces policy and prevents the use of defective components throughout the modern software supply chain.
FIGURE 4: Smart Consumption - Nexus Lifecycle authenticates downloaded components, including security, licensing and quality information.
• Rich security, licensing and popularity metadata drives action in the IDE – Developers minimize expensive downstream problems by selecting components based on security, licensing and quality intelligence integrated directly in the IDE. [See Figure 5] Component recommendations help developers make the best choice.
• Information and policy enforcement extends across the IDE, repository and CI server to automate and enforce governance across the entire software life cycle – Comprehensive software supply chain automation requires diligence across the entire software life cycle. Nexus Lifecycle provides appropriate guidance in your IDE, repository manager, build and CI environments to ensure policies are enforced and developers are presented with better options. Developers don't have to learn new tools; the information they need is in the tools they already use throughout the life cycle.
3. Exposure Visibility
Nexus Lifecycle provides the ability to proactively identify and prioritize your actions. Vulnerabilities are identified and reported in the context of your organizational policies. Developers can prioritize remediation based on a visual threat summary of security, licensing and architecture factors.
4. Defect Remediation
Nexus Lifecycle provides the ability to prevent and quickly fix component defects. Developers start with the right components and can easily fix applications directly within their IDE. You can:
• Prevent problems by starting with the right components – Developers can select the best components to use within the IDE based on built-in, real-time security, licensing and quality information.
• Push-button migration – Developers can migrate to new component versions with a simple mouse click in their IDE. [See Figure 6]
FIGURE 5: Rapid Feedback - Developers minimize expensive downstream problems by selecting components based on security, licensing and quality intelligence integrated directly in the IDE.
FIGURE 6: Defect Remediation - Developers can assess the versions using a side-by-side comparison and migrate to a new component version with a single mouse click.
5. Continuous Monitoring
Nexus Lifecycle provides proactive, ongoing, continuous monitoring of both development and production applications.
• Discover new vulnerabilities – Newly discovered security, licensing and quality issues are identified and mapped to the affected entries in the application inventory.
• Proactive notification – New violations are proactively reported with contextual information that expedites corrective action.
• Enterprise risk & policy assessment – Customizable executive dashboards provide the ability to assess your enterprise risk profile and policy compliance.
While empowering development teams to choose their own suppliers (i.e. software components) has enabled speed, increased throughput and unlocked innovation, there is much hidden inefficiency and risk.
NEXT STEPS TOWARD SOFTWARE SUPPLY CHAIN BEST PRACTICES
Organizations interested in continuous acceleration using a software supply chain approach should take the following first steps toward automation awareness, policy and enforcement:

Create a Software Bill of Materials using the Application Health Check Report
The free Application Health Check provides visibility into the components in an existing application. In just five minutes, you'll understand the composition of any component-based application and discover known security vulnerabilities, restrictive licenses and outdated components.

Evaluate Your Current Repository with the Repository Health Check Report
If your organization uses Sonatype's Nexus Repository or Nexus Repository OSS, you can use a Repository Health Check to learn about known security vulnerabilities or restrictive licenses in your repository components. By adding Nexus Firewall, you can block undesirable components from entering or leaving your repository manager.

For more information on either of these options, please visit http://www.sonatype.com/assessments
For general information, visit: www.sonatype.com
Footnotes:
[1] Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014
[2] Source: Analysis of components within the Central Repository, https://search.maven.org/#stats (2015)
[3] Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014
[4] Source: Analysis of Application Health Check scans (2014)
[5] Source: Analysis of component updates within the Central Repository (2015)
[6] Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014
Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com
© 2015 Sonatype Inc. All Rights Reserved.
Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications
are built by assembling open source and third party components streaming in from a wide variety of public and internal
sources. While re-use is far faster than custom code, the flow of components into and through an organization remains
complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency
and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to improve
developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the
company continues to serve as the steward of the Central Repository serving 17.2 Billion component download requests
in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay
Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com

  • 4. Page 4 Nexus Lifecycle: Software Supply Chain Automation emerge, you’ll be notified and can quickly assess the impact, reducing the time required to detect and remediate issues. • Reduced Maintenance – Use only the latest component versions and avoid using multiple and varied frameworks, logging mechanisms, etc. to reduce maintainability issues and unnecessary technical bloat. • Simplified Re-Use – When using Nexus Lifecycle in conjunction with a Nexus Repository Manager, you can easily share and version external and internal components across development teams and tools, so that teams efficiently pull compo- nents from a consistent, controlled, stable deter- ministic location. • Staying Ahead of Your Adversaries – Be alerted when open source projects publish a new version to improve features or patch security vulnera- bility. Too often, adversaries identify vulnerable component targets by monitoring NIST and other databases. To prevent breaches, you need fast, proactive access to this same information. Software supply chain automation unites the goals of DevOps, InfoSec and legal teams by enabling software development and delivery teams to go even faster, while simultaneously achieving greater efficiency and quality. This white paper describes the ways in which Nex- us Lifecycle enables these teams to collaborate for mutual benefit. Software supply chain automation unites the goals of DevOps, InfoSec and legal teams by enabling development teams to go even faster, while simultaneously achieving greater efficiency and quality.
  • 5. Page 5Nexus Lifecycle: Software Supply Chain Automation Organizations lack proper controls While component-based software development is widely accepted and growing exponentially, the complexities and inefficiencies are just now be- coming clear. Whereas traditional manufacturing supply chains use automation to ensure that better and fewer suppliers are chosen, only the highest quality parts are used and all parts are traceable, the software industry has a lot of room for improvement. Components are pervasive To fuel agile, continuous and DevOps initiatives, the demand for open source components is sky- rocketing. Requests from the Central Repository, the industry’s primary source for Java open source components, have increased 800% over the past five years to 17 billion in 2014. Component defects create unplanned work Whether provided by commercial vendors or open source projects, components can introduce signifi- cant management, security and licensing challeng- es. In 2014, more than 6 percent of all components downloaded from the Central Repository had known critical or severe vulnerabilities3 , and many of these are making their way into today’s software. Recent analysis of software from a broad cross-section of industries revealed that a typical application has 24 components with known critical or severe security vulnerabilities and nine restrictive GPL licenses.4 However, few organizations have the proper con- trols in place to mitigate the rework and risks posed by flawed components. [See Figure 1] Component complexity exacerbates the problem To add to the problem, most components also depend on other components. These relationships, known as transitive dependencies, can be difficult or impossible for developers to understand, track and support without tools designed to manage these supply chain complexities. 
Component dependen- cies can introduce security breaches, intellectual property claims, as well as application stability and performance issues. Often, flawed components are nested deep in an application’s dependency tree and are not easily apparent. Organizations lack actionable security, quality and licensing information It is difficult and time consuming for developers to research and determine security, quality and licens- ing characteristics for all of the components they use to assemble their applications. To do this for FIGURE 1: Source: Based on Sonatype’s 2014 Open Source Development survey with more than 3500 respondents. There are no standards. Each developer or team chooses the components that are best for their project. 39+61+A36+64+A25+75+t We’re completely locked down. We can only use approved components. Yes, we have some corporate standards, but they aren’t enforced. 25% 36% 39% How well does your organization control which components are used in development projects? COMPLEXITY: THE ENEMY OF SPEED
  • 6. Page 6 Nexus Lifecycle: Software Supply Chain Automation components is hard enough; to extend this research to all component dependencies is beyond reason. With the pressure to deliver applications quickly, developers are forced to take a chance when they select components – exposing the organization to quality, security and license issues. Organizations regularly consume outdated, flawed, or insecure components Open source projects release 3-4 updates per year, on average.5 However, since there is no communi- cations channel between open source projects and those using their software, there is no easy way for component consumers to know when a new version has been released. Organizations are consuming outdated, defective, or insecure components even years after newer fixed versions are available—con- tributing to a growing mountain of technical debt. An analysis of component downloads by large technology and financial services firms showed that organizations consumed an average of 27 versions of their most popular components. Each progres- sive version will have unique characteristics and variances to manage and maintain. Organizations don’t have the capacity to manage newly discovered defects. These days, more and more organizations are aware of and support the use of open source components, however they are unaware of the complexity, unsure of the number of components used and unclear about where they are used. [See Figure 2] When de- fects or bugs have been repaired or a security flaw is discovered, many organizations are left exposed, unaware of where or how they are using the affect- ed component. It is a challenge that impacts the full software supply chain. Agile development and geographically dispersed development teams adds to the complexity Agile software development projects—with their rapid iterations, continuous integration builds and continuous deployment—have all resulted in many more releases over the life of a software project. 
And, increasingly development teams are geo- graphically dispersed, often including external contractors. Keeping disparate teams in sync and enforcing standards adds yet another layer of com- plexity to component management. Restrictive, approval-laden policy approaches don’t work Some organizations attempt to manage component usage by implementing restrictive policies. If a de- veloper wants to use a new component, approvals are needed from the security, legal, and architecture teams. Even if the approval process is“automated” using workflow, it can’t keep up with the scale or pace of development. On average, sizable develop- FIGURE 2: Source: Based on Sonatype’s 2014 Open Source Development survey with more than 3500 respondents. 40+23+37+A40% 23% 37% Yes, for all components including dependencies Yes, for all components, but NOT dependencies No Does your organization maintain an inventory of open source components?
  • 7. Page 7Nexus Lifecycle: Software Supply Chain Automation ment organizations rely on 18,614 unique compo- nent versions from 1,997 suppliers.6 The volume and velocity of consumption today leave develop- ers with few good options. They can either delay their development cycles in order to secure compo- nent approvals, or work around the policies that are aimed to better control quality, or pick from out-of- date components that were previously approved. Security tools for custom code deliver results late in the development cycle Many organizations have turned to application scanner technologies or application life cycle management to address component concerns. Although these tools play a role in a layered security strategy, they often don’t accurately identify issues in component binaries. Scanning tools are designed to evaluate risk in custom source code – providing results that are delivered after the fact, late in the development life cycle. THE CASE FOR A SOFTWARE SUPPLY CHAIN APPROACH Software supply chain automation can empower all organizations to develop better, safer software even faster. As organizations increase velocity through agile, continuous, and DevOps initiatives, the speed, efficiency and quality offered by automation be- comes even more essential. With software supply chain automation, organiza- tions benefit from the same proven supply chain principles that transformed the manufacturing industry. 
When you choose fewer and better open source suppliers, use only the highest quality com- ponents and track which components you are using and where, you can: • Reduce component approval times from weeks to seconds • Boost developer productivity by up to 40% • Detect outdated, redundant, or vulnerable com- ponents 96% faster • Remediate defects in minutes, not weeks or months • Leverage governance as a strategic advantage, not a hindrance In everything we do and everything we have always done, Sonatype makes software development easier, faster and safer. We pioneered component-based software development with innovations such as Apache Maven, the Central Repository, and the Nexus line of repository managers. Nexus Lifecycle continues the innovation in today’s world of contin- uous everything. Nexus Lifecycle is a software supply chain automa- tion tool custom-designed to streamline compo- nent-based development across the life cycle. Nexus Lifecycle tracks usage, enforces quality control poli- cies and prevents the use of defective components throughout the modern software supply chain. By natively integrating component intelligence and policy automation into the continuous delivery tools developers already use, feedback on component choices is delivered automatically and rapidly. When troublesome components are identified, alternative choices can be selected and applied. The use of outdated, redundant or risky components is avoid- ed proactively, which drastically reduces context switching and unplanned rework. These approaches
  • 8. Page 8 Nexus Lifecycle: Software Supply Chain Automation make it possible to develop even faster, but also be more efficient, increase quality and reduce risk. Nexus Lifecycle provides a comprehensive invento- ry of components and associated bill-of-materials. Unique binary fingerprint matching identifies com- ponent inventory with extreme accuracy. Inventory information is provided across the SDLC including the repository manager, IDE, CI Server, and ongoing with application monitoring. [See Figure 3] 1. Smart Consumption Nexus Lifecycle ensures trust in the software supply chain by authenticating and securely delivering com- ponents. [See Figure 4] Nexus Lifecycle gives you: • Built-in component intelligence that ensures high quality parts are chosen – Sonatype provides component intelligence for the compo- nents that are checked into the Central Reposi- tory and will soon include other leading public repositories such as the NuGet Gallery. This se- curity, licensing and quality intelligence is used to reduce unplanned work, improve quality, and prevent defects across the software lifecycle. • Authentication throughout the software life cycle to eliminate risk of tampering inside the firewall – Nexus Lifecycle uses advanced binary fingerprinting to identify and check the integrity of the component throughout the life cycle. This allows you to detect intentional or inadvertent changes to the component. 2. Rapid Feedback Nexus Lifecycle provides developers with security, popularity, and licensing information making it easy to detect and prevent flaws early in the develop- ment process. This“zero-latency”approach to reme- diation reduces the friction that negatively impacts developer compliance. FIGURE 3: Nexus Lifecycle tracks usage, enforces policy and prevents the use of defective components throughout the modern software supply chain. 
Nexus Lifecycle FIGURE 4: Smart Consumption - Nexus Lifecycle authenticates downloaded components including security, licensing and quality information.
  • 9. Page 9Nexus Lifecycle: Software Supply Chain Automation • Rich security, licensing, and popularity meta- data drives action in the IDE – Developers minimize expensive downstream problems by selecting components based on security, licens- ing and quality intelligence integrated directly in the IDE. [See Figure 5] Component recommen- dations help developers make the best choice. • Information and policy enforcement extends across the IDE, repository, and CI server to automate and enforce governance across the entire software life cycle – Comprehen- sive software supply chain automation requires diligence across the entire software life cycle. Nexus Lifecycle provides appropriate guidance in your IDE, repository manager, build and CI en- vironments to ensure policies are enforced and developers are presented with better options. Developers don’t have to learn new tools. The information they need is in the tools they use throughout the life cycle. 3. Exposure Visibility Nexus Lifecycle provides the ability to proactively identify and prioritize your actions. Vulnerabili- ties are proactively identified and reported in the context of your organizational policies. Developers can prioritize remediation action based on a visual threat summary of security, licensing and architec- ture factors. 4. Defect Remediation Nexus Lifecycle provides the ability to prevent and quickly fix component defects. Developers start with the right components and can easily fix applications directly within their IDE. You can: • Prevent problems by starting with the right components – Developers can select the best components to use within the IDE based on built-in, real-time security, licensing and quality information. • Push-button migration – Developers can mi- grate to new component versions with a simple mouse click in their IDE. 
[See Figure 6] FIGURE 5: Rapid Feedback - Developers minimize expensive downstream problems by selecting components based on security, licensing and quality intelligence integrated directly in the IDE.
  • 10. Page 10 Nexus Lifecycle: Software Supply Chain Automation FIGURE 6: Defect Remediation - Developers can assess the versions using a side-by-side comparison and migrate to a new component version with a single mouse click. 5. Continuous monitoring Nexus Lifecycle provides proactive, ongoing, continu- ous monitoring of both development and production applications. • Discover new vulnerabilities – Newly discov- ered security, licensing, and quality issues are identified and mapped correctly to the applica- tion inventory. • Proactive notification – New violations are proactively reported with contextual information that expedites corrective action. • Enterprise risk & policy assessment – Custom- izable executive dashboards provide the ability to assess your enterprise risk profile and policy compliance. While empowering development teams to choose their own suppliers (i.e. software components) has enabled speed, increased throughput and unlocked innovation, there is much hidden inefficiency and risk.
  • 11. Page 11Nexus Lifecycle: Software Supply Chain Automation NEXT STEPS TOWARD SOFTWARE SUPPLY CHAIN BEST PRACTICES Organizations interested in continuous acceleration using a software supply chain approach, should take the following first steps toward automation awareness, policy and enforcement: Create a Software Bill of Materials using the Application Health Check Report The free Application Health Check provides visibility into the components in an existing application. In just five minutes, you’ll understand the composition of any component-based application, and discover known security vulnerabilities, restrictive licenses and outdated components. Evaluate Your Current Repository with the Repository Health Check Report If your organization uses Sonatype’s Nexus Repository or Nexus Repository OSS, you can use a Repository Health Check to learn about known security vulnerabilities or restrictive licenses in your repository compo- nents. By adding Nexus Firewall, you can block undesirable components from entering or leaving your reposi- tory manager. For more information on either of these options, please visit http://www.sonatype.com/assessments For general information, visit: www.sonatype.com Footnotes: 1 Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014 2 Source: Analysis of components within the Central Repository, https://search.maven.org/#stats (2015) 3 Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014 4 Source: Analysis of Application Health Check scans (2014) 5 Source: Analysis of component updates within the Central Repository (2015) 6 Source: Analysis of component downloads from the Central Repository, Jan 1 - Dec 31, 2014
  • 12. Page 12 Sonatype Inc. • 8161 Maple Lawn Drive, Suite 250 • Fulton, MD 20759 • 1.877.866.2836 • www.sonatype.com 2015. Sonatype Inc. All Rights Reserved. Sonatype helps organizations build better software, even faster. Like a traditional supply chain, software applications are built by assembling open source and third party components streaming in from a wide variety of public and internal sources. While re-use is far faster than custom code, the flow of components into and through an organization remains complex and inefficient. Sonatype’s Nexus platform applies proven supply chain principles to increase speed, efficiency and quality by optimizing the component supply chain. Sonatype has been on the forefront of creating tools to improve developer efficiency and quality since the inception of the Central Repository and Apache Maven in 2001, and the company continues to serve as the steward of the Central Repository serving 17.2 Billion component download requests in 2014 alone. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com