Curtis Yanko
DevSecOps Evangelist and Coach
Author – Concise Introduction to DevSecOps
Securing Software Supply Chains
Why 3 Days Might Be Your New Normal for DevSecOps
W. Edwards Deming, 1945
Cease dependence on inspection to achieve quality.
Eliminate the need for inspection on a mass basis by
building quality into the product in the first place.
Jez Humble, 2010
Build Quality in. (citing Deming)
The earlier you catch defects, the
cheaper they are to fix.
Gene Kim, 2013
Emphasize performance of
the entire system and never
pass a defect downstream.
47% deploy multiple times per week
Source: 2019 DevSecOps Community Survey
velocity
59,000 data breaches
have been reported to GDPR regulators since May 2018
source: DLA Piper, February 2019
Everyone has a software supply chain.
(even if you don’t call it that)
Demand drives 15,000 new releases every day
@onCommit
Automation accelerates OSS downloads
Source: Sonatype’s 2018 State of the Software Supply Chain Report
@OnCommit
85%
of your code is
sourced from external
suppliers
@OnCommit
170,000
Java component
downloads annually
3,500
unique
source: 2018 State of the Software Supply Chain Report
60,660
JavaScript packages
downloaded per developer
per year
source: npm, 2018
Not all parts are created equal.
@OnCommit
We are not “building quality in”.
source: 2019 State of the Software Supply Chain Report
2018
Java
We are not “building quality in”.
Oct 2018
npm
source: 2018 npm
Chart: Defect targets per million for six sigma
1σ: 691,000
2σ: 309,000
3σ: 66.8K
4σ: 6.2K
5σ: 233
6σ: 3.4
Plotted against those targets on a scale up to 1,000,000: 510,000 and 120K, the per-million equivalents of the 51% (npm) and 12.1% (Java) vulnerable-download rates.
170,000
java component
downloads annually
3,500
unique
20,570
12.1% with known
vulnerabilities
@weekstweets
60,660
JavaScript packages
downloaded annually
per developer
30,330
51% with known
vulnerabilities
@weekstweets
Every developer in your software supply chain is in procurement
Social normalization of deviance
“People within the organization become so much accustomed to a
deviant behavior that they don't consider it as deviant, despite the
fact that they far exceed their own rules for elementary safety.”
Diane Vaughan
Breaches increased 71%
24%
suspect or have verified a
breach related to open source
components in the 2019 survey
14%
suspect or have verified a
breach related to open source
components in the 2014 survey
source: DevSecOps Community Survey 2014 and 2019
The speed of exploits has compressed 93%
Sources: Gartner, IBM, Sonatype
@OnCommit
source: 2019 DevSecOps Community Survey
Quickly identify who is faster than their adversaries
3 Days in March
March 7: Apache Struts releases an updated version to thwart vulnerability CVE-2017-5638.
March 8: NSA reveals Pentagon servers scanned by nation-states for vulnerable Struts instances. Struts exploit published to Exploit-DB.
March 9: Cisco observes "a high number of exploitation events."
March 10: Equifax, Canada Revenue Agency, Canada Statistics, GMO Payment Gateway.
The Rest of the Story
March 13: Okinawa Power, Japan Post.
March ’18: India’s AADHAAR.
April 13: India Post.
Today: 65% of the Fortune 100 download vulnerable versions.
Equifax was not alone
@OnCommit
18,126 organizations downloading vulnerable versions of Struts
Source: Sonatype
Breach
announced.
14
Complete software bill of materials (SBOM)
2019 No DevOps Practice: 19%
2019 Mature DevOps Practices: 50%
Source: 2019 DevSecOps Community Survey
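The deck's practical question behind the SBOM slide and the Struts timeline is "are we using a vulnerable Struts, and where is it?". The script below is an added example (not code from the presentation or from Sonatype) that answers it by scanning a set of CycloneDX-style SBOM documents, one per application, for struts2-core versions inside the published affected ranges of CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10; 2.3.32 and 2.5.10.1 are the fixed releases). The application names and component lists are constructed sample data; the version-range table is the only part a real deployment would need to keep current.

```python
"""Scan software bills of materials for components affected by CVE-2017-5638.

Added example, not code from the presentation or from Sonatype. SBOMs are
constructed CycloneDX-style JSON documents; affected version ranges are the
published ones for CVE-2017-5638 (Struts 2.3.5-2.3.31 and 2.5-2.5.10).
"""
import json
import re

AFFECTED = {
    "CVE-2017-5638": {
        "coordinates": ("org.apache.struts", "struts2-core"),
        # Inclusive ranges as version tuples; the fixed releases 2.3.32 and
        # 2.5.10.1 fall outside both ranges.
        "ranges": [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))],
    },
}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Parsing stops at the first non-numeric
    segment (e.g. 'RELEASE' or 'SNAPSHOT'), so comparison uses the numeric prefix."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not re.fullmatch(r"\d+", piece):
            break
        parts.append(int(piece))
    return tuple(parts)


def affected_cves(group, name, version):
    """CVE ids whose affected ranges contain this component version. Tuple
    comparison ranks a longer tuple with an equal prefix as greater, so
    (2, 5, 10, 1) > (2, 5, 10) and 2.5.10.1 is correctly reported clean."""
    v = parse_version(version)
    hits = []
    for cve, spec in AFFECTED.items():
        if (group, name) != spec["coordinates"]:
            continue
        if any(low <= v <= high for low, high in spec["ranges"]):
            hits.append(cve)
    return hits


def scan_sbom(sbom_json):
    """Scan one CycloneDX-style SBOM (JSON text) and return one finding per
    affected component, tagged with the application the SBOM describes."""
    sbom = json.loads(sbom_json)
    app = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown app>")
    findings = []
    for comp in sbom.get("components", []):
        for cve in affected_cves(comp.get("group"), comp.get("name"), comp.get("version", "")):
            findings.append({"app": app, "component": f"{comp['group']}:{comp['name']}",
                             "version": comp["version"], "cve": cve})
    return findings


def scan_all(sbom_jsons):
    """'Are we using Struts, and where?' across every application's SBOM."""
    return [f for doc in sbom_jsons for f in scan_sbom(doc)]


def _sbom(app, components):
    # Build a constructed CycloneDX-style document for the sample inventory below.
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.1",
        "metadata": {"component": {"type": "application", "name": app}},
        "components": [{"type": "library", "group": g, "name": n, "version": v}
                       for g, n, v in components],
    })


# Constructed sample inventory (application names and contents are made up).
SAMPLE_SBOMS = [
    _sbom("payments-api", [("org.apache.struts", "struts2-core", "2.3.31"),
                           ("org.apache.commons", "commons-lang3", "3.7")]),
    _sbom("partner-portal", [("org.apache.struts", "struts2-core", "2.5.10"),
                             ("com.fasterxml.jackson.core", "jackson-databind", "2.9.8")]),
    _sbom("reporting-batch", [("org.apache.struts", "struts2-core", "2.5.10.1"),
                              ("org.springframework", "spring-core", "5.1.3.RELEASE")]),
]

if __name__ == "__main__":
    for f in scan_all(SAMPLE_SBOMS):
        print(f"{f['cve']}: {f['app']} ships {f['component']} {f['version']}")
```

Run as a script it lists the two applications that still ship an affected struts2-core and stays silent about the one on the fixed 2.5.10.1 release. The point of keeping the ranges as version tuples rather than string prefixes is exactly that last case: a naive "starts with 2.5.10" match would flag the patched build too.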
DevSecOps challenge: automate faster than evil.
@OnCommit
1.3 million vulnerabilities in OSS components undocumented
No corresponding CVE advisory in the public NVD database
The new battlefront
Software Supply Chain Attacks
Timeline, July 2017 to December 2018 (incidents as listed on the slide):
Study found credentials online affecting publishing access to 14% of the npm repository (+79,000 packages).
Malicious npm packages “typosquatted” (40 packages for 2 weeks, collecting env including npm publishing credentials).
10 malicious Python packages: basic info collected and sent to a Chinese IP address.
Golang go-bindata GitHub id deleted and reclaimed.
ssh-decorator Python module stealing private ssh keys.
npm event-stream attack on CoPay.
Homebrew repository compromised.
conventional-changelog compromised and turned into a Monero miner.
Blog: “I’m harvesting credit card numbers and passwords from your site. Here’s how.”
Backdoor discovered in npm get-cookies module published since March.
Unauthorized publishing of mailparser.
Gentoo Linux repository compromised.
Malicious ESLint discovered to be stealing npm credentials.
At what point in the development process does your
organization perform automated application analysis?
2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
Which application security tools are used?
2019 No DevSecOps Practice 2019 Mature DevSecOps Practices
How are you informed of InfoSec and AppSec issues?
Automating security
enables faster DevOps
feedback loops
Automation continues to prove difficult to ignore
@OnCommit
Source: 2019 DevSecOps Community Survey
2019 No DevOps Practice 2019 Mature DevOps Practices
Trusted software supply chains are 2x more secure
Source: 2018 State of the Software Supply Chain Report
“Emphasize performance of the entire system and never
pass a defect downstream.”
@OnCommit
“99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”
https://www.gartner.com/smarterwithgartner/focus-on-the-biggest-security-threats-not-the-most-publicized/
-- Susan Moore, 2017
@OnCommit
cyanko@sonatype.com
Thank You!
@OnCommit
All Countries Show Poor Cyber Hygiene
1 in 7 Downloads
1 in 9 Downloads

Editor's Notes

  • #3 It hardly seemed like the start of a revolution, but oh boy, it was: in 1945, W. Edwards Deming started advising Japanese manufacturers to detect and fix defects at the beginning of the manufacturing process. Within five years, companies such as Mitsubishi and Toyota Motor Co. had become disciples. By 1960, Deming’s TQM practices were an intrinsic part of Japanese culture and were driving Japan’s rise to global dominance. In 1981, Ford adopted these principles and within 6 years became the most profitable US auto manufacturer. Sadly, supply chain management wasn’t incorporated into the early thinking of Agile, as no one thought it was needed back in 2001. “Cease dependence on mass inspection.” Emphasize performance of the entire system and never pass a defect downstream. Inspection does not improve quality, nor guarantee quality; inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product.” Automatic inspection and recording require constant vigil.
  • #4 It was then no mistake in 2010, when Jez Humble and Dave Farley advised people to “Build Quality In” in their seminal book “Continuous Delivery”, as people heard about and strove to achieve Allspaw’s 10 deploys a day. Feedback from releases: a single object is built, tested and deployed; you do not build for each environment. You learn from releases (share the story of MunichRe: 2 releases a year and both were disasters; my failure at the CAB).
  • #5 It hardly seemed like the start of a revolution three years later when Gene Kim shared the Three Ways of DevOps inside The Phoenix Project: the principles of Flow, which accelerate the delivery of work from Development to Operations to our customers (“Emphasize performance of the entire system and never pass a defect downstream.”); the principles of Feedback, which enable us to create ever safer systems of work; and the principles of Continual Learning and experimentation, which foster a high-trust culture and a scientific approach to organizational improvement as part of our daily work.
  • #6 Since then, the quest for speed in software manufacturing has been a holy grail. In our 2019 DevSecOps community survey of 5,500 people, 47% reported their ability to deploy multiple times a week.
  • #9 There's a really interesting site out there called moduleaccounts.com. It has a simple value: it keeps track of the number of different components, or packages, that are available across the different development languages, and it shows the increase in the number of these components available to the developer ecosystem over time. We used some data from that site to see that >1000 new open-source projects were created each day. People delivering a new kind of software, a new kind of component. Then, from the general population of all open-source projects worldwide, we were able to estimate that ~10,000 new versions of components are introduced every day. There's this huge supply of components entering the ecosystem, and available to our software supply chains. When we look at the Central repository that Sonatype manages, of Maven-style or Java open-source components, we looked across 380,000 open-source projects, and found that on average those projects were releasing 14 new versions of their components every year. That's great from a supply chain aspect: the suppliers are very active, actively releasing new software, actively releasing new innovations, and actively improving the software that they're making available to developers worldwide.
  • #13 The average enterprise is downloading…
  • #16 Java - We found that 12.1% of all downloads were known vulnerable versions in 2018
  • #17 npm advised that 51% of their downloads in October 2018 were vulnerable. Get the exact source: Laurie Voss.
  • #19 170,000 * 11.1% = 18870 vulnerable libraries
  • #20 60,660 * 51% = 30,936
  • #24 Between 2014 and 2019 we saw a 71% increase in breaches from open source libraries
  • #25 The attack window has shrunk from 45 days to 3 days. Note: this is an ‘average’; the NSA, in a talk last year, said they routinely see attacks within the first 24 hours!
  • #26 Leading organisations can release a feature or a patch multiple times a week.
  • #29 Visibility is the starting point. Do you have a complete Bill of Materials? Are we using Struts, and where is it?
  • #30 Ever since 2009, when John Allspaw shared Etsy’s practice of 10 deploys a day, the rest of the development industry has been trying to catch up.
  • #36 Do you have an Open Source Governance Policy, and do you follow it?
  • #37 In the 2018 State of the Software Supply Chain we analysed 60,000 applications. We found 11.7% flowing in unmanaged; in managed supply chains we saw 6.1%, so we improved 50%.
  • #38 “Cease dependence on mass inspection.” Inspection does not improve quality, nor guarantee quality; inspection is too late. Harold F. Dodge: “You cannot inspect quality into a product.” Automatic inspection and recording require constant vigil.
  • #41 The new standard requires organizations to govern their use of open source software, and it states that any application utilized as part of the payment process must be secure by design. https://blog.sonatype.com/hygiene-for-open-source-softwareis-now-a-pci-requirement