Webinar: "Software security and quality: a journey through vulnerabilities and tools to increase speed, efficiency and quality"
The use of Open Source components in development processes can unknowingly introduce vulnerabilities, often well-known ones, caused by the use of outdated versions of those components or by the use of unnecessary components.
In this webinar one of Emerasoft's Security Experts presents:
- the results of an in-depth analysis of Open Source component usage across 106,000 companies;
- the useful principles that emerge from the analogies between the software Supply Chain and traditional manufacturing supply chains;
- the best practices for improving the speed, efficiency and quality of the software Supply Chain.
Watch the webinar on demand: https://www.youtube.com/watch?v=3w_1EAxkfYU

  1. • Emerasoft srl • Mission • Vision • Market & Solutions. Maria Chiara Ambrosio, Federico Pagnozzi
  2. Agenda • Open source components in companies • The principles of the Software Supply Chain • Solutions and best practices • Q&A. Webinar: "Software security and quality: a journey through vulnerabilities and tools to increase speed, efficiency and quality". SEPTEMBER 2015. Image courtesy of digitalart at FreeDigitalPhotos.net
  3. About us. Founded: 2005. Where we are: via Po, 1 – Torino; via del Poggio Laurentino, 118 – Roma. Our mission: create value for our customers by implementing solutions that increase productivity and facilitate collaboration.
  4. Some of our clients
  5. DevOps, IoT, System & Software Engineering, Testing, ALM, SOA, Process Intelligence, Business Intelligence, Security, Digital Publishing, Training, ALM+PLM, traceability, standard compliance, collaboration, Big Data, BYOD, User Experience, Quality, Enterprise Mobility, agile, IoD, IoH, Usability, API, BPM, Continuous Delivery, Continuous Integration
  6. (same content as slide 5)
  7. MARKET PRESSURES: Quality
  8. REQUIREMENTS, PROCESSES, ACTIVITIES, COLLABORATION
  9. DevOps: Continuous Delivery, Continuous Integration, Automation, Continuous Acceleration
  10. THE STATE OF SOFTWARE 2015: SUPPLY CHAIN ANALYSIS
  11. Sonatype: Supporting millions of developers worldwide. 60k | 17B | 9M. MAVEN: easy to build. CENTRAL: easy to share. NEXUS REPOS: easy to manage. NEXUS LIFECYCLE: easy to automate
  12. @sonatype
  13. @sonatype
  14. 106,000 Organizations Analyzed. Source: 2015 State of the Software Supply Chain Report @sonatype
  15. We all have a SOFTWARE SUPPLY CHAIN @sonatype
  16. Modern software development HAS CHANGED. Our process HASN'T CHANGED ENOUGH @sonatype
  17. John Willis, DevOps Days Core Organizer; Gareth Rushgrove, Puppet Labs; Nigel Simpson, F-100 Entertainment Giant @sonatype
  18. Chart: Open Source Download Requests…, by year 2007–2014 (values from 500M to 17B). Source: 2015 State of the Software Supply Chain Report @sonatype
  19. How Dependent on 3rd Parties Are We? Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source) @sonatype
  20. 3 savings in modern supply chains: Better and fewer suppliers; Higher quality parts; Improved visibility and traceability. Automation @sonatype
  21. @sonatype
  22. CHANGE: Typical component is updated 3 - 4X per year. 985,000 OSS COMPONENTS, 11 MILLION OSS USERS, 108,000 SUPPLIERS. Source: 2015 State of the Software Supply Chain Report @sonatype
  23. Suppliers Serving Manufacturers. Average per manufacturer: Orders (downloads) 240,757; Suppliers (artifacts) 7,601; Parts (versions) 18,614. Source: 2015 State of the Software Supply Chain Report @sonatype
  24. 59% never repaired. 41% repaired: 390 days (median 265 days); CVSS 10s: 224 days; <7 days: the best were remediated in under a week. Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf @sonatype
  25. @sonatype
  26. Source: modulecounts.com @sonatype
  27. Sample of Open Source Repositories, 2014 Volume of Download Requests: Central.sonatype.org 17,213,084,947; Npmjs.org 15,460,748,856; NuGetGallery.com 280,124,916; Bintray.com 250,000,000. Source: 2015 State of the Software Supply Chain Report @sonatype
  28. CHANGE: Typical component is updated 3 - 4X per year. Unlike COTS, there is no clear, effective COMMUNICATION channel …but there can be. 985,000 OSS COMPONENTS, 11 MILLION OSS USERS @sonatype
  29. Repository Managers Accessing the Central Repository. Source: 2015 State of the Software Supply Chain Report @sonatype
  30. PATTERN #1: Public Repos → Local Repo → Build Tool. PATTERN #2: Public Repos → Build Tool. Source: 2015 State of the Software Supply Chain Report @sonatype
  31. The same two patterns (Public Repos → Local Repo → Build Tool; Public Repos → Build Tool), with their share of downloads: 95% of downloads vs 5% of downloads. Source: 2015 State of the Software Supply Chain Report @sonatype
  32. (image only)
  33. 100-200. Cycle Time: Minutes-Hours @sonatype
  34. 240,000 Components Downloaded Annually. Source: 2015 State of the Software Supply Chain Report @sonatype
  35. Q: Does your organization have an open source policy? Half of organizations continue to run without an open source policy. Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey @sonatype
  36. If it does not fit, it does not get done. @sonatype
  37. Outdated Versions Downloaded. Source: 2015 State of the Software Supply Chain Report @sonatype
  38. Image Source: caranddriver.com @sonatype
  39. @sonatype
  40. @sonatype
  41. Analysis of 1,500+ Applications: 106 components, 24 known vulnerabilities, 9 restrictive licenses @sonatype
  42. (image only)
  43. 1. Create a software Bill of Materials for one application. 2. Design a frictionless, automated, "continuous" approach. 3. Empower developers with the right information at the right time @sonatype
  44. CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD. Jenkins integration: run history and status of each build, across multiple applications. Builds might be stable or unstable. Also shows build successes and failures. Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard. @sonatype
  45. Shift Left = ZTTR (Zero Time to Remediation). Analyze all components from within your IDE. License, Security and Architecture data for each component, evaluated against your policy. EMPOWER DEVELOPERS FROM THE START @sonatype
  46. CREATE A SOFTWARE BILL OF MATERIALS: bit.ly/softwareBOM. 5 MINUTES @sonatype
  47. DOWNLOAD THE FULL ANALYSIS REPORT: www.emerasoft.com/lo-stato-del-software-2015
  48. IT'S TIME WE IMPROVE OUR SOFTWARE SUPPLY CHAINS
  49. What's next. Content available on: Emerasoft SlideShare channel; Emerasoft YouTube channel; visit our website emerasoft.com. Contact us: sales@emerasoft.com. Email: federico.pagnozzi@emerasoft.com. Q&A
  50. Follow our channels … www.emerasoft.com, sales@emerasoft.com. Contacts: Emerasoft Srl, via Po, 1 – 10124 Torino; via del Poggio Laurentino, 118 – 00144 Roma. T +39 011 0120370, T +39 06 87811323, F +39 011 3710371. Thank you…