Steve Poole (@spoole167)
KEY TAKEAWAYS FOR JAVA DEVELOPERS FROM THE STATE OF THE SOFTWARE SUPPLY CHAIN REPORT
Director of Developer Advocacy, Security Champion, DevOps practitioner (whatever that means)
Long-time Java developer, leader and evangelist.
I’ve been working on Java SDKs and JVMs since Java was less than 1.
JavaOne Rockstar, JSR leader, committer on open source projects including ones at Apache, Eclipse and OpenJDK.
Not just the Maven Central people
sonatype.com/state-of-the-software-supply-chain
The Software Supply Chain report is constructed…
● By examining what’s on Maven Central
● By looking at what’s in other public repos for most programming languages
● By reviewing what customers hold in their Nexus repos
● By analysing behaviour on public GitHub repos etc.
● By working with open source communities and governments
● By calculating what this all means in terms of risk and cost
What’s a Software Supply Chain?
At some point we all find ourselves searching for code … so we can add a new dependency
You might think a software supply chain is about dependencies …
“A software supply chain refers to the process and components involved in the creation, development, and maintenance of software”
● Code / Development
● Dependencies and Libraries
● Testing
● Integration
● Deployment
● Maintenance and Updates
● Security and Compliance
● End of Life
How many?
150 Dependencies (avg Java project)
10% Your code, 90% someone else’s
Your Software Supply Chain …
What’s new in the Software Supply Chain World?
Open Source Adoption is growing
But so are the attacks
Understand the cyber-attack landscape.
Cyber Crime Facts
In 2016 cybercrime surpassed the drug trade!
$450 Billion a year
$14,000 a second
Equivalent to 50 US Nimitz Class aircraft carriers
In 2023!
$6 Trillion a year!
$200,000 a second
Equivalent to 620 US Nimitz Class aircraft carriers
If cybercrime was a country (by GDP)
United States: $20.89 trillion
China: $14.72 trillion
Cyber Crime: $6.0 trillion
Japan: $5.06 trillion
Germany: $3.85 trillion
United Kingdom: $2.67 trillion
India: $2.66 trillion
France: $2.63 trillion
Italy: $1.89 trillion
Canada: $1.64 trillion
https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/
Cybercrime has been growing at ~56% per year ever since (chart: drug trade, cybercrime, US GDP)
There is no sign of it slowing down
Today’s Pablo Escobar uses a laptop
Cyber Attacks are rising in number and sophistication
Nation states are preparing for the next war – and that is all about software
The aim is to infiltrate infrastructure and essential services… and manipulate or terminate
A major target is open source projects and supply chains
is still active
Open source consumers are not paying attention
Open source consumers assume dependencies will just ‘get fixed’
11% of all open source projects are maintained
Only 6% of JavaScript projects are maintained
16% of Java projects are maintained
Where ‘maintained’ = 1 update / 90 days
It’s slightly more complicated
• 16% of Java projects that were maintained in 2022 are no longer maintained in 2023
• 9.7% of Java projects that are maintained in 2023 are “newly maintained”
• 21% of JavaScript projects that were maintained in 2022 are no longer maintained in 2023
• 13% of JavaScript projects that are maintained in 2023 are “newly maintained”
There’s a sense of consolidation around important projects happening
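An added example, not from the slides or the Sonatype report, that applies the slide’s ‘maintained’ rule (1 update / 90 days) to release histories and computes the two churn figures the slide quotes (no longer maintained, newly maintained). The precise reading of the rule (no stretch of the year longer than 90 days without a release, the window being inclusive and a release just before the year counting) and all project names and dates are assumptions.

```python
"""Apply the report's 'maintained' rule from the slide (1 update / 90 days) to
release histories and compute the year-over-year churn figures it quotes."""
from datetime import date, timedelta

MAX_GAP_DAYS = 90  # 'maintained' = at least one update every 90 days (slide)


def is_maintained(releases, year, max_gap_days=MAX_GAP_DAYS):
    """True if no stretch of `year` longer than max_gap_days passed without a release.

    Assumed reading of the slide's rule (it does not spell this out): a release
    shortly before the year starts still covers the first days of the year, and
    the window is inclusive, so a release exactly every 90 days still counts.
    """
    start, end = date(year, 1, 1), date(year, 12, 31)
    releases = sorted(releases)
    prior = [r for r in releases if r <= start]
    cursor = prior[-1] if prior else start  # last release before the year, else Jan 1
    for r in releases:
        if r <= start:
            continue
        if r > end:
            break
        if (r - cursor).days > max_gap_days:
            return False
        cursor = r
    return (end - cursor).days <= max_gap_days


def maintained_set(histories, year):
    return {name for name, rel in histories.items() if is_maintained(rel, year)}


def churn(histories, prev_year, year):
    """The two figures the slide reports: share of prev_year-maintained projects
    that are no longer maintained, and share of year-maintained projects that
    are newly maintained."""
    before = maintained_set(histories, prev_year)
    now = maintained_set(histories, year)
    return {
        "maintained_before": len(before),
        "maintained_now": len(now),
        "no_longer_maintained": len(before - now) / len(before) if before else 0.0,
        "newly_maintained": len(now - before) / len(now) if now else 0.0,
    }


def every(start_iso, step_days, count):
    """Constructed release cadence: `count` releases `step_days` apart."""
    start = date.fromisoformat(start_iso)
    return [start + timedelta(days=step_days * k) for k in range(count)]


def dates(*isos):
    return [date.fromisoformat(s) for s in isos]


# Constructed sample histories; the project names and dates are made up.
SAMPLE = {
    "steady-lib": every("2021-12-01", 60, 13),    # ~bi-monthly through both years
    "quarterly-lib": every("2022-01-01", 90, 9),  # exactly one release per 90 days
    "abandoned-lib": every("2022-01-05", 60, 6),  # active in 2022, silent in 2023
    "newcomer-lib": every("2023-01-20", 45, 8),   # first release in 2023
    "revived-lib": every("2023-02-01", 30, 11),   # also first active in 2023
    "sporadic-lib": dates("2022-02-01", "2022-08-15", "2023-03-10", "2023-09-30"),
    "dormant-lib": dates("2020-05-05"),
}

if __name__ == "__main__":
    for y in (2022, 2023):
        print(y, "maintained:", sorted(maintained_set(SAMPLE, y)))
    print(churn(SAMPLE, 2022, 2023))
```

Running the same functions over the release dates of your own dependency list (Maven Central publishes them per artifact) gives the view of your supply chain that the slide says consumers are not looking at.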
• The only time we consider adding a dependency to the supply chain is at development
• Afterwards we just patch it…
We need help to make better choices
Top signs of a quality project? Code reviews, and not checking binaries into a repo!
Governments are helping too
• United States National Cybersecurity Strategy (NCS)
• Securing Open Source Software Act of 2023
• AI for National Security Act
• FDA Cybersecurity in Medical Devices
• SEC Regulation
• Cyber Strategy of the Department of Defense
• CISA Open Source Software Security Roadmap
• NHTSA Cybersecurity Best Practices for Modern Vehicles
• Cyber Resilience Act (CRA)
• Product Liability Directive (PLD)
• Network and Information Security Directive (NIS2)
Hardening the software supply chain: every product
● has an SBOM
● uses an automatic supply chain process
● has evidence of software integrity
● has evidence of an automatic vulnerability check process
● has a vulnerability disclosure program
● has evidence of the provenance of all software used
● demonstrates strong controls over the use of internal and third-party software and services
● demonstrates regular audit processes
SBOM Requirements Are Spreading
https://www.sonatype.com/state-of-the-software-supply-chain
What do you need to do if you produce any digital product? (1 of 2)
Security Requirements
➔ Designed, developed and produced to ensure an appropriate level of cybersecurity based on the risks;
➔ Delivered without any known exploitable vulnerabilities;
➔ Be placed on the market delivered with a secure by default configuration, including a default setting that security updates be installed automatically;
➔ Ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
➔ Encrypt relevant data at rest or in transit by state of the art mechanisms;
➔ Protect the integrity of data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;
➔ Process only data that is limited to what is necessary in relation to the intended use purpose of the product;
➔ Protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;
➔ Minimise their own negative impact on the availability of services provided by other devices or networks;
➔ Reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
➔ Provide security related information by recording and/or monitoring relevant activity, including the access to or modification of data, services or functions;
➔ Enable that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates by default;
➔ Provide the possibility for users to securely and easily remove all data and settings.
“Products with digital elements and processes shall be presumed to be in conformity with the essential requirements set out in Annex I covered by those standards or parts thereof.”
Sources: Article 18, Annex I
What do you need to do if you produce any digital product? (2 of 2)
Vulnerability Management Requirements
➔ Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine readable format covering at the very least the top-level dependencies of the product; [You need to produce an SBOM]
➔ Address and remediate vulnerabilities without delay, including by providing security updates;
➔ Publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product affected, the impacts of the vulnerabilities, their severity and clear and user friendly information helping users to remediate the vulnerabilities;
➔ Put in place and enforce a policy on coordinated vulnerability disclosure;
➔ Provide a contact address for the reporting of the vulnerabilities discovered in the product including third party components;
➔ Provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely and, where applicable, automatic manner;
➔ Ensure security patches or updates are available to address identified security issues, and that they are disseminated without delay and free of charge, accompanied by advisory messages.
Sources: Article 18, Annex I
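An added example, not from the slides or from any SBOM tool, that checks a constructed CycloneDX JSON SBOM against the top-level dependencies a product declares, which is the minimum coverage the CRA wording above requires; it also flags components that carry no package URL and therefore cannot be matched against vulnerability data. The SBOM content, the component names and versions, and the pom-style declared list are all made up.

```python
"""Check that a CycloneDX JSON SBOM covers a product's declared top-level
dependencies, the minimum coverage the CRA text on the slide asks for."""
import json

# Constructed SBOM in CycloneDX 1.5 JSON shape; every name and version is made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "bom-ref": "pkg:maven/com.example/shop@1.0.0",
                  "group": "com.example", "name": "shop", "version": "1.0.0",
                  "purl": "pkg:maven/com.example/shop@1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/com.example/fancy-json@1.4.2",
     "group": "com.example", "name": "fancy-json", "version": "1.4.2",
     "purl": "pkg:maven/com.example/fancy-json@1.4.2"},
    {"type": "library", "bom-ref": "pkg:maven/com.example/http-kit@3.0.1",
     "group": "com.example", "name": "http-kit", "version": "3.0.1",
     "purl": "pkg:maven/com.example/http-kit@3.0.1"},
    {"type": "library", "bom-ref": "pkg:maven/com.example/tiny-log@0.9.0",
     "group": "com.example", "name": "tiny-log", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.example/shop@1.0.0",
     "dependsOn": ["pkg:maven/com.example/fancy-json@1.4.2"]},
    {"ref": "pkg:maven/com.example/fancy-json@1.4.2",
     "dependsOn": ["pkg:maven/com.example/tiny-log@0.9.0"]}
  ]
}
"""

# Constructed top-level dependencies as a pom.xml would declare them: (group, artifact, version)
DECLARED = [
    ("com.example", "fancy-json", "1.4.2"),
    ("com.example", "http-kit", "3.0.2"),      # SBOM lists 3.0.1: version drift
    ("com.example", "crypto-utils", "2.2.0"),  # absent from the SBOM
]


def load_sample():
    return json.loads(SBOM_JSON)


def maven_purl(group, artifact, version):
    return f"pkg:maven/{group}/{artifact}@{version}"


def check_sbom(sbom, declared):
    """Compare the declared top-level dependencies with the SBOM's component list
    and with the dependency graph hanging off the product's own bom-ref."""
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX JSON document")
    findings = {"missing": [], "version_drift": [], "not_top_level": [], "no_purl": []}
    components = sbom.get("components", [])
    by_ga = {(c.get("group"), c["name"]): c for c in components}

    # Top-level = whatever the root (metadata.component) is recorded as depending on
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    top_level = set()
    for edge in sbom.get("dependencies", []):
        if edge.get("ref") == root_ref:
            top_level.update(edge.get("dependsOn", []))

    # A component without a purl is not machine-identifiable for vulnerability matching
    for c in components:
        if not c.get("purl"):
            findings["no_purl"].append(f'{c.get("group")}/{c["name"]}@{c.get("version")}')

    for group, artifact, version in declared:
        label = maven_purl(group, artifact, version)
        comp = by_ga.get((group, artifact))
        if comp is None:
            findings["missing"].append(label)
            continue
        if comp.get("version") != version:
            findings["version_drift"].append(f"{label} (sbom has {comp.get('version')})")
        if comp.get("bom-ref") not in top_level:
            findings["not_top_level"].append(label)

    findings["ok"] = not any(findings[k] for k in ("missing", "version_drift", "not_top_level", "no_purl"))
    return findings


if __name__ == "__main__":
    for key, value in check_sbom(load_sample(), DECLARED).items():
        print(f"{key}: {value}")
```

Wiring a check like this into the build is one way to produce the evidence of an automatic supply chain process the earlier hardening list asks for, rather than trusting that the SBOM generator saw the same dependency set the build did.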
And there’s more …
Demand for LLM Libraries Is Growing (chart: LLM Library Usage Over Time)
https://www.sonatype.com/state-of-the-software-supply-chain
Demand for ML Libraries Broadly Is Also Growing (chart: Traditional ML Library Usage Over Time)
https://www.sonatype.com/state-of-the-software-supply-chain
Security and licencing for AI in the supply chain is a major concern
So is AI in the hands of the bad guys ..
What’s an ‘AI’ Software Supply Chain?
● Code / Development
● Dependencies and Libraries
● Models
● Training
● Evaluation and continuous retraining
● Testing
● Integration
● Deployment
● Maintenance and Updates
● Security and Compliance
● End of Life
● Legal
● Governance
● Provenance
● Control of AI tools in the process
Generative AI is here
“97% of 800 developers said that they used generative AI in their workflows.”
AI is not going to replace you - but a developer using AI just might ...
Next Steps
● Time to look at your software supply chains and the tools involved.
● Time to learn how Maven* can help
● Time to review the components – licenses, dependencies, vulnerabilities AND other project metrics.
● Time to prune those old versions, obsolete projects
● Time to look at how you automate, how you trace the process, the evidence you can produce
● Time to take a look at SBOMs and add them to your processes
● Time to look at the new legislation coming – especially CRA
● Time to learn how to use ChatGPT and other AI tools
● Time to be flexible and rise to the new world of AI and Legislation
news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act
eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/
linuxfoundation.eu/cyber-resilience-act
“The hottest new programming language is English.”

Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 

Recently uploaded (20)

Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert42 Ways to Generate Real Estate Leads - Sellxpert
42 Ways to Generate Real Estate Leads - Sellxpert
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
Why Apache Kafka Clusters Are Like Galaxies (And Other Cosmic Kafka Quandarie...
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
Boost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management AppsBoost Your Savings with These Money Management Apps
Boost Your Savings with These Money Management Apps
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
Upturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in NashikUpturn India Technologies - Web development company in Nashik
Upturn India Technologies - Web development company in Nashik
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 

Key Takeaways for Java Developers from the State of the Software Supply Chain Report

  • 17. @spoole167 What’s a Software Supply Chain? Code / Development, Testing, Integration, Deployment, Maintenance and Updates, Security and Compliance, End of Life, Dependencies and Libraries. How many?
  • 19. @spoole167 10% Your code 90% someone else’s Your Software Supply Chain …
  • 20. @spoole167 What’s new in the Software Supply Chain World?
  • 22. @spoole167 But so are the attacks
  • 24. @spoole167 Cyber Crime Facts: In 2016 cybercrime surpassed the drug trade! $450 billion a year, $14,000 a second, equivalent to 50 US Nimitz-class aircraft carriers.
  • 25. @spoole167 Cyber Crime Facts: In 2023, $6 trillion a year! $200,000 a second, equivalent to 620 US Nimitz-class aircraft carriers.
  • 26. @spoole167 If cybercrime was a country (by GDP): United States: $20.89 trillion; China: $14.72 trillion; Cyber Crime: $6.0 trillion; Japan: $5.06 trillion; Germany: $3.85 trillion; United Kingdom: $2.67 trillion; India: $2.66 trillion; France: $2.63 trillion; Italy: $1.89 trillion; Canada: $1.64 trillion. Source: https://globalpeoservices.com/top-15-countries-by-gdp-in-2022/
  • 27. @spoole167 Cybercrime has been growing at ~56% per year ever since. (Chart: drug trade vs cybercrime.)
  • 28. @spoole167 There is no sign of it slowing down. Cybercrime has been growing at ~56% per year ever since. (Chart: drug trade, cybercrime, US GDP.)
  • 30. @spoole167 @spoole167 Cyber attacks are rising in number and sophistication. Nation states are preparing for the next war – and that is all about software. The aim is to infiltrate infrastructure and essential services…
  • 32. @spoole167 @spoole167 A major target is open source projects and supply chains
  • 35. @spoole167 @spoole167 Open source consumers assume dependencies will just ‘get fixed’. 11% of all open source projects are maintained. Only 6% of Javascript projects are maintained. 16% of Java projects are maintained.
  • 36. @spoole167 @spoole167 Where ‘maintained’ = 1 update / 90 days: 11% of all open source projects are maintained. Only 6% of Javascript projects are maintained. 16% of Java projects are maintained.
  • 37. @spoole167 @spoole167 It’s slightly more complicated. 16% of Java projects that were maintained in 2022 are no longer maintained in 2023; 9.7% of Java projects that are maintained in 2023 are “newly maintained”. 21% of Javascript projects that were maintained in 2022 are no longer maintained in 2023; 13% of Javascript projects that are maintained in 2023 are “newly maintained”. There’s a sense of consolidation around important projects happening.
  • 38. @spoole167 @spoole167 • The only time we consider adding a dependency to the supply chain is at development • Afterwards we just patch it… We need help to make better choices
  • 39. @spoole167 @spoole167 top signs of a quality project? code reviews and not checking binaries into a repo!
  • 40. @spoole167 @spoole167 Governments are helping too: • United States National Cybersecurity Strategy (NCS) • Securing Open Source Software Act of 2023 • AI for National Security Act • FDA Cybersecurity in Medical Devices • SEC Regulation • Cyber Strategy of the Department of Defense • CISA Open Source Software Security Roadmap • NHTSA Cybersecurity Best Practices for Modern Vehicles • Cyber Resilience Act (CRA) • Product Liability Directive (PLD) • Network and Information Security Directive (NIS2)
  • 41. @spoole167 @spoole167 Hardening the software supply chain: every product has an SBOM; uses an automatic supply chain process; has evidence of software integrity; has evidence of an automatic vulnerability check process; has a vulnerability disclosure program; has evidence on the provenance of all software used; demonstrates strong controls over the use of internal and third-party software and services; demonstrates regular audit processes.
  • 42. @spoole167 SBOM Requirements Are Spreading https://www.sonatype.com/state-of-the-software-supply-chain
  • 43. @spoole167 What Do you need to do if you produce any digital product? (1 of 2) Security Requirements ➔ Designed, developed and produced to ensure an appropriate level of cybersecurity based on the risks; ➔ Delivered without any known exploitable vulnerabilities; ➔ Be placed on the market delivered with a secure by default configuration including a default setting that security updates be installed automatically ➔ ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems; ➔ Encrypt relevant data at rest or in transit by state of the art mechanisms; ➔ protect the integrity of data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions ➔ Process only data that is limited to what is necessary in relation to the intended use purpose of the product ➔ Protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks; ➔ Minimise their own negative impact on the availability of services provided by other devices or networks; ➔ Reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques; ➔ Provide security related information by recording and/or monitoring relevant activity, including the access to or modification of data, services or functions; ➔ enable that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates by default ➔ Provide the possibility for users to securely and easily remove all data and settings “Products with digital elements and processes shall be presumed to be in conformity with the essential requirements set out in Annex I covered by those standards or parts thereof. “ Sources: Article 18 Annex I
  • 44. @spoole167 What Do you need to do if you produce any digital product? (2 of 2) Vulnerability Management Requirements ➔ Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine readable format covering at the very least the top-level dependencies of the product; [You Need to produce SBOM] ➔ Address and remediate vulnerabilities without delay, including by providing security updates; ➔ Publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product affected, the impacts of the vulnerabilities, their severity and clear and user friendly information helping users to remediate the vulnerabilities ➔ Put in place and enforce a policy on coordinated vulnerability disclosure; ➔ Provide a contact address for the reporting of the vulnerabilities discovered in the product including third party components ➔ Provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely and, where applicable, automatic manner; ➔ Ensure Security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages Sources: Article 18 Annex I
  • 46. @spoole167 Demand for LLM Libraries Is Growing LLM Library Usage Over Time https://www.sonatype.com/state-of-the-software-supply-chain
  • 47. @spoole167 Demand for ML Libraries Broadly Is Also Growing Traditional ML Library Usage Over Time https://www.sonatype.com/state-of-the-software-supply-chain
  • 48. @spoole167 Security and licensing for AI in the supply chain is a major concern. So is AI in the hands of the bad guys…
  • 49. @spoole167 What’s an ‘AI’ Software Supply Chain? Models, Dependencies and Libraries, Testing, Integration, Deployment, Maintenance and Updates, Security and Compliance, End of Life, Code / Development, Training, Evaluation and continuous retraining, Legal, Governance, Provenance, Control of AI tools in the process.
  • 50. @spoole167 Generative AI is here “97% of 800 developers said that they used generative AI in their workflows.” AI is not going to replace you - but a developer using AI just might ...
  • 51. @spoole167 Next Steps ● Time to look at your software supply chains and the tools involved. ● Time to learn how Maven* can help ● Time to review the components – licenses, dependencies, vulnerabilities AND other project metrics. ● Time to prune those old versions and obsolete projects ● Time to look at how you automate, how you trace the process, and the evidence you can produce ● Time to take a look at SBOMs and add them to your processes ● Time to look at the new legislation coming – especially the CRA ● Time to learn how to use ChatGPT and other AI tools ● Time to be flexible and rise to the new world of AI and legislation. Further reading: news.apache.org/foundation/entry/save-open-source-the-impending-tragedy-of-the-cyber-resilience-act ; eclipse-foundation.blog/2023/01/15/european-cyber-resiliency-act-potential-impact-on-the-eclipse-foundation/ ; linuxfoundation.eu/cyber-resilience-act
  • 52. @spoole167 “The hottest new programming language is English.”
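Slide 36 defines ‘maintained’ as one update per 90 days and slide 44 asks for a machine-readable SBOM covering at least the top-level dependencies; put together, that is a build gate you can automate. The Python below is an added example, not code from the deck or from Sonatype: it reads a constructed CycloneDX-style SBOM, applies the 90-day rule against a constructed release history, and fails when any component is stale or has no known history. The org.example coordinates, dates and the `LAST_RELEASE` lookup are assumptions standing in for real repository metadata.

```python
"""Gate an SBOM's top-level dependencies on the deck's 'maintained' heuristic."""
import json
from datetime import date

# Constructed sample: a minimal CycloneDX JSON SBOM for a hypothetical Java
# service. The org.example coordinates are placeholders, not real artifacts.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.example", "name": "json-parser",
         "version": "2.3.1", "purl": "pkg:maven/org.example/json-parser@2.3.1"},
        {"type": "library", "group": "org.example", "name": "legacy-xml",
         "version": "1.0.4", "purl": "pkg:maven/org.example/legacy-xml@1.0.4"},
        {"type": "library", "group": "org.example", "name": "http-client",
         "version": "5.2.0", "purl": "pkg:maven/org.example/http-client@5.2.0"},
    ],
})

# Constructed release history: ISO date of the most recent release, keyed by
# version-less purl. A real pipeline would pull this from repository metadata.
LAST_RELEASE = {
    "pkg:maven/org.example/json-parser": "2023-09-01",
    "pkg:maven/org.example/legacy-xml": "2021-02-14",
    # http-client is deliberately missing: unknown history must not pass silently
}

# The deck's definition of 'maintained': at least one update per 90 days.
MAINTAINED_WINDOW_DAYS = 90


def purl_without_version(purl):
    """'pkg:maven/g/a@1.2.3' -> 'pkg:maven/g/a', so any version maps to one key."""
    return purl.split("@", 1)[0]


def classify_components(sbom_json, last_release, today_iso):
    """Bucket every SBOM component as maintained, stale or unknown (by purl)."""
    # 'maintained' = latest release within the 90-day window ending today;
    # 'unknown' = no purl or no release history, reported as a finding, not a pass.
    today = date.fromisoformat(today_iso)
    report = {"maintained": [], "stale": [], "unknown": []}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            report["unknown"].append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        released = last_release.get(purl_without_version(purl))
        if released is None:
            report["unknown"].append(purl)
        elif (today - date.fromisoformat(released)).days <= MAINTAINED_WINDOW_DAYS:
            report["maintained"].append(purl)
        else:
            report["stale"].append(purl)
    return report


def gate_passes(report):
    """Build gate: only an SBOM with no stale and no unknown components passes."""
    return not report["stale"] and not report["unknown"]


if __name__ == "__main__":
    result = classify_components(SAMPLE_SBOM, LAST_RELEASE, "2023-10-15")
    for bucket, purls in result.items():
        print(f"{bucket}: {purls}")
    print("gate passed:", gate_passes(result))
```

Treating a missing history as a finding rather than a pass is the point of the example: a dependency nobody can vouch for is the same supply-chain risk as one nobody updates.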