What You Don’t Know Will Hurt You
The Hidden Risk of Component Based Software Development

Ryan Berg, CSO Sonatype

Send Tweets to #CSORisk

The Component Lifecycle Management Company
80% of a typical application is assembled from open source and proprietary components (Assembled > Written).

The Ice-Caps are Melting

Development Must Keep Up with Pace Of Innovation

Development must change

Components are Everywhere

"By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010."
(Gartner, Predicts 2011: Open-Source Software, the Power Behind the Throne, November 2010)

[Chart: Global 100 financial institution, unique components consumed per month, Jan through Dec; y-axis 0 to 6,000]
“But we don’t use Open Source”

It's no longer a question of whether you use OSS; it's how many components are being used, and where.

What You Don’t Know Can and Will Hurt You

46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks

18,000 organizations downloaded a version of the Struts framework with a 'severe' security flaw

4,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as 'severe')

Uncontrolled, Unmanaged Risk

No “Throat to Choke”

• Discovering a security issue is only half the battle
• Transitive and hidden dependencies make it extremely difficult to assign responsibility for propagating fixes throughout the component chain

A Multi-faceted Challenge

Complexity: one component may rely on hundreds of others

Diversity: 40,000 projects, 200MM classes, 400K components

Volume: a typical enterprise consumes thousands of components monthly

Change: a typical component is updated 4X per year

Success Requires Discipline

The Problem is Not Problem Discovery

• When our software development ecosystem looks like this, it is easy to find problems
• The real challenge is to develop at scale and deliver value continuously when everything else is a mess

Current State

No Visibility: no visibility into which components are used, where they are used and where there is risk

No Control: no way to govern or enforce component usage; policies are not integrated with development

No Fix: no efficient way to fix existing flaws

Practical Solutions Require a Practical Approach

“Haven’t I heard this story before?”

It’s Not a One Trick Pony

Accurate Identification

You can’t begin if you don’t know where to start, and
you can’t start if you don’t know what you have.
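As an added example (not from the deck and not Sonatype's own code), here is a small Python inventory script that answers "what do we have": it walks a directory tree, fingerprints every JAR with SHA-256, looks inside each WAR for JARs bundled under WEB-INF/lib, and reads the Maven coordinates that Maven-built JARs carry in META-INF/maven/<groupId>/<artifactId>/pom.properties. JARs without that metadata (hand-built, vendor, stripped) come out with an empty coordinate list and can only be named by looking their hash up in a catalogue, which is exactly the hidden-component problem. The sample artifacts, the org.example coordinates and the directory layout are constructed for the demo.

```python
"""Component inventory: SHA-256 plus Maven coordinates for every JAR, including
JARs nested under WEB-INF/lib in a WAR. All sample artifacts are constructed."""
import hashlib
import io
import os
import tempfile
import zipfile


def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def identify_jar(data):
    """Fingerprint JAR bytes and read any Maven coordinates they carry.

    'coordinates' lists every groupId:artifactId:version found under
    META-INF/maven/; it is empty for hand-built, vendor or stripped JARs and
    holds several entries for a shaded JAR that bundles other components."""
    record = {"sha256": hashlib.sha256(data).hexdigest(), "coordinates": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                    continue
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    record["coordinates"].append(
                        f"{props['groupId']}:{props['artifactId']}:{props['version']}")
    except zipfile.BadZipFile:
        record["error"] = "not a zip archive"  # still inventoried by hash
    return record


def inventory(root):
    """Walk a directory tree; identify every .jar and every JAR inside a .war's
    WEB-INF/lib. Returns one record per component with where it was found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            if fn.endswith(".jar"):
                with open(path, "rb") as fh:
                    found.append(dict(identify_jar(fh.read()), location=path))
            elif fn.endswith(".war"):
                with zipfile.ZipFile(path) as war:
                    for name in war.namelist():
                        if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                            found.append(dict(identify_jar(war.read(name)),
                                              location=path + "!/" + name))
    return found


def build_sample_jar(coords=None):
    """Construct a minimal JAR in memory; coords is (groupId, artifactId,
    version) or None for a JAR that carries no Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if coords:
            g, a, v = coords
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#Generated by Maven\nversion={v}\ngroupId={g}\nartifactId={a}\n")
    return buf.getvalue()


def demo():
    """Lay out constructed artifacts in a temporary directory and inventory them:
    a loose JAR with metadata, a loose JAR without, and a WAR bundling a third."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "lib"))
        with open(os.path.join(tmp, "lib", "demo-lib-1.0.0.jar"), "wb") as fh:
            fh.write(build_sample_jar(("org.example", "demo-lib", "1.0.0")))
        with open(os.path.join(tmp, "lib", "mystery.jar"), "wb") as fh:
            fh.write(build_sample_jar(None))
        with zipfile.ZipFile(os.path.join(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/demo-web-2.3.1.jar",
                         build_sample_jar(("org.example", "demo-web", "2.3.1")))
        return inventory(tmp)


if __name__ == "__main__":
    for rec in demo():
        print(rec["sha256"][:16], rec["coordinates"] or "UNIDENTIFIED", rec["location"])
```

Run it against a deployment directory instead of the demo tree and the UNIDENTIFIED rows are the first thing to chase: a JAR nobody can name has no owner, no advisory feed and no upgrade path.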

Components Can be Compromised

Component Repositories -> Development Repositories -> Integrate -> Build -> Deploy

Non-vetted components enter the development process from many sources, and components can be compromised at any stage of this lifecycle.
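Added example, not part of the deck: one concrete control against compromise between repository and build is to verify an artifact before it is used. The Python below checks a fetched artifact two ways, against the checksum sidecar a Maven-style repository publishes next to it (artifact.jar.sha1 / artifact.jar.sha256, either a bare hex digest or "hex  filename" as sha256sum writes it) and against an in-house pin list of SHA-256 values recorded when the component was first vetted, and it fails closed when no reference exists. The artifact bytes, file names and digests are constructed for the demo.

```python
"""Verify a fetched artifact against published sidecars and an in-house pin list,
then show that a one-byte change is caught. Everything here is constructed."""
import hashlib
import hmac
import os
import tempfile

SIDECAR_ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


def parse_sidecar(text):
    """Return the lowercase hex digest from a checksum sidecar, or '' if empty."""
    stripped = text.strip()
    if not stripped:
        return ""
    return stripped.splitlines()[0].split()[0].lower()


def digest_file(path, ctor):
    """Stream a file through the given hash constructor."""
    h = ctor()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sidecars(artifact_path):
    """Check every sidecar present next to the artifact. Fails closed: no
    sidecar at all is a failure, not a pass. Returns (ok, reason)."""
    checked = []
    for alg, ctor in SIDECAR_ALGORITHMS.items():
        sidecar = artifact_path + "." + alg
        if not os.path.exists(sidecar):
            continue
        with open(sidecar, encoding="utf-8", errors="replace") as fh:
            expected = parse_sidecar(fh.read())
        actual = digest_file(artifact_path, ctor)
        if not expected or not hmac.compare_digest(actual.encode(), expected.encode()):
            return False, f"{alg} mismatch"
        checked.append(alg)
    if not checked:
        return False, "no checksum sidecar present"
    return True, "sidecar ok: " + ",".join(checked)


def verify_pinned(artifact_path, pins):
    """Compare against the SHA-256 recorded when the component was vetted.
    pins maps the artifact file name to its hex digest."""
    expected = pins.get(os.path.basename(artifact_path))
    if expected is None:
        return False, "not in pin list"
    actual = digest_file(artifact_path, hashlib.sha256)
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return False, "pinned digest mismatch"
    return True, "pin ok"


def demo():
    """Publish a constructed artifact with sidecars, verify it, then flip one
    byte (as a compromised mirror might) and verify again. Returns the four
    (ok, reason) results: clean sidecar, clean pin, tampered sidecar, tampered pin."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo-lib-1.0.0.jar")
        payload = b"PK\x03\x04 constructed jar payload, not a real archive\n"
        with open(path, "wb") as fh:
            fh.write(payload)
        for alg, ctor in SIDECAR_ALGORITHMS.items():
            with open(path + "." + alg, "w") as fh:
                fh.write(ctor(payload).hexdigest() + "  demo-lib-1.0.0.jar\n")
        pins = {"demo-lib-1.0.0.jar": hashlib.sha256(payload).hexdigest()}
        clean = (verify_sidecars(path), verify_pinned(path, pins))
        with open(path, "r+b") as fh:
            fh.seek(8)
            fh.write(b"X")
        tampered = (verify_sidecars(path), verify_pinned(path, pins))
        return clean + tampered


if __name__ == "__main__":
    for label, result in zip(("clean/sidecar", "clean/pin", "tampered/sidecar", "tampered/pin"), demo()):
        print(f"{label:17} {result}")
```

Caveat: a sidecar fetched from the same mirror as the artifact only detects corruption or tampering downstream of that mirror; whoever controls the mirror rewrites both files. Trust has to be anchored elsewhere, in a digest pinned when the component was vetted (as the pin list does) or a signature checked against a key you trust. Note also that Maven's default checksum policy only warns on a mismatch; run it with -C (--strict-checksums) to make a mismatch fail the build.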

Component Lifecycle Management

[Diagram: component lifecycle management spanning the development repositories]

Data Driven Policies Facilitate Governance
Data Feeds (Security, License, Quality, Custom) -> Policy Management (Rule-based Policies, Workflow, Reporting, Alerts)
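Added example, not from the deck or any Sonatype product: a minimal rule-based policy engine of the shape this slide describes. Security, license and quality feeds drive the rules, and a custom rule treats a component nobody can identify as unmanaged risk. Every feed entry here (advisory IDs, severity scores, licenses, "latest" versions) and the org.example coordinates are constructed for the demo; the inventory records are shaped like a scan's output, a list of Maven coordinates per file, empty when the JAR could not be identified.

```python
"""Rule-based component policy: evaluate an inventory against security, license,
quality and custom rules fed by data the organisation maintains. All feeds,
advisory IDs, scores and coordinates below are constructed for the demo."""

SECURITY_FEED = {  # coordinates -> advisories with a 0-10 severity score
    "org.example:demo-web:2.3.1": [{"id": "EXAMPLE-ADV-001", "severity": 9.3}],
    "org.example:demo-lib:1.0.0": [{"id": "EXAMPLE-ADV-002", "severity": 4.0}],
}
LICENSE_FEED = {
    "org.example:demo-web:2.3.1": "AGPL-3.0",
    "org.example:demo-lib:1.0.0": "Apache-2.0",
}
LATEST_FEED = {"org.example:demo-web": "2.4.0", "org.example:demo-lib": "1.0.0"}

POLICY = {  # one organisation's constructed policy, not a recommendation
    "fail_severity": 7.0,
    "warn_severity": 4.0,
    "denied_licenses": {"AGPL-3.0"},
    "warn_if_outdated": True,
    "unidentified": "fail",  # custom rule: an unnamed component is unmanaged risk
}


def parse_version(v):
    """Dotted numeric versions only (1.2.10 > 1.2.9); a non-numeric part sorts
    lowest. Maven's own ComparableVersion also orders qualifiers like -SNAPSHOT."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def evaluate(component, policy=POLICY):
    """Evaluate one record {'coordinates': [...], 'location': ...}.
    Returns a list of (rule, action, detail) tuples."""
    findings = []
    coords_list = component.get("coordinates") or []
    if not coords_list:
        findings.append(("identify", policy["unidentified"],
                         f"unidentified component at {component.get('location')}"))
        return findings
    for coords in coords_list:
        for adv in SECURITY_FEED.get(coords, []):
            detail = f"{adv['id']} severity {adv['severity']}"
            if adv["severity"] >= policy["fail_severity"]:
                findings.append(("security", "fail", detail))
            elif adv["severity"] >= policy["warn_severity"]:
                findings.append(("security", "warn", detail))
        lic = LICENSE_FEED.get(coords)
        if lic in policy["denied_licenses"]:
            findings.append(("license", "fail", f"{lic} is denied"))
        ga, _, version = coords.rpartition(":")
        latest = LATEST_FEED.get(ga)
        if policy["warn_if_outdated"] and latest and parse_version(version) < parse_version(latest):
            findings.append(("quality", "warn", f"{version} behind latest {latest}"))
    return findings


def gate(inventory, policy=POLICY):
    """Evaluate a whole inventory; the build passes only with no 'fail' action.
    Returns (passed, [(component name, (rule, action, detail)), ...])."""
    report = []
    for comp in inventory:
        name = ", ".join(comp.get("coordinates") or []) or comp.get("location")
        report.extend((name, f) for f in evaluate(comp, policy))
    passed = not any(action == "fail" for _, (_, action, _) in report)
    return passed, report


SAMPLE_INVENTORY = [  # constructed, shaped like an inventory scan's output
    {"coordinates": ["org.example:demo-lib:1.0.0"], "location": "lib/demo-lib-1.0.0.jar"},
    {"coordinates": ["org.example:demo-web:2.3.1"],
     "location": "app.war!/WEB-INF/lib/demo-web-2.3.1.jar"},
    {"coordinates": [], "location": "lib/mystery.jar"},
]

if __name__ == "__main__":
    ok, report = gate(SAMPLE_INVENTORY)
    for name, (rule, action, detail) in report:
        print(f"{action.upper():5} {rule:9} {name}: {detail}")
    print("BUILD", "PASSED" if ok else "BLOCKED")
```

The point of keeping policy and feeds as data rather than code is the slide's "centralized policy, local enforcement": the same POLICY dict can be evaluated in a developer's IDE, in CI and against what is already deployed, and the feeds can be refreshed without touching the rules.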

Sonatype Governed Development

Informs and governs the software supply chain with security, popularity and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention.

• Optimal component selection provides a clean starting point, minimizing downstream issues
• Centralized policy administration with local enforcement ensures effective governance and compliance
• Early problem detection and remediation ensures fast, trusted application delivery at low cost
• Inventory capability provides the basis for effective management and monitoring

Sonatype Monitoring & Remediation

Provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options.

• Constant monitoring of applications ensures continuous trust
• Triage capability helps prioritize critical work
• Flexible remediation enables fast response to application problems
• Reporting and analysis capability supports audit and regulatory requirements

The Patch vs. Replace Dilemma

Patch or Replace? Deciding between the two means working through:

• Investigate the severity of the security vulnerability
• Determine project status (is it under active maintenance?)
• Find the patch (is one available?)
• Determine the impact of the patch (assess API compatibility, etc.)
• Re-certify

Security is a Matter of Priorities

Priority order by role, highest first:

Development: 1. Features  2. Usability  3. Performance  4. Reliability/Scalability  5. Maintainability  6. Security  7. Compliance
Operations:  1. Performance  2. Reliability/Scalability  3. Compliance  4. Security  5. Maintainability  6. Features/Usability
Security:    1. Security  2. Compliance  3. Everything Else
Building A Better Bridge Between Dev, Ops and Security

• Recognize that the priorities are different
• Tooling needs to adopt the practice of the practitioner, not the other way around
• A tool is not a process and a process is not a tool: learn to leverage both

For More Information: Free Risk Assessment

www.sonatype.com/Products/Application-Health-Check/AnalyzeYour-App

www.sonatype.com/Contact-Us

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 

Recently uploaded (20)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 

The Hidden Risk of Component Based Software Development

  • 2. What You Don’t Know Will Hurt You: The Hidden Risk of Component Based Software Development. Ryan Berg, CSO Sonatype. Send Tweets to #CSORisk. The Component Lifecycle Management Company
  • 3. 80% of a typical application is assembled from open source & proprietary components (Assembled > Written).
  • 4. The Ice-Caps are Melting
  • 5. Development Must Keep Up with Pace Of Innovation. Development must change.
  • 6. Components are Everywhere. “By 2016, OSS will be included in mission-critical software portfolios within 99% of Global 2000 enterprises, up from 75% in 2010.” (Predicts 2011: Open-Source Software, the Power Behind the Throne, November 2010.) [Chart: Global 100 Financial Institution, Unique Components per Month, Jan to Dec, scale 0 to 6,000]
  • 7. “But we don’t use Open Source.” It’s no longer a question of whether you use OSS, it’s how many components are being used & where.
  • 8. What You Don’t Know Can and Will Hurt You. 46,000,000 downloads of insecure versions of the 31 most popular security libraries and web frameworks • 18,000 organizations downloaded a version of the Struts framework with a ‘severe’ security flaw • 4,000 organizations downloaded versions of Struts 1.x with known security flaws (most classified as ‘severe’). Uncontrolled, Unmanaged Risk.
  • 9. No “Throat to Choke” • Discovering a security issue is half the battle • Transitive and hidden dependencies make it extremely difficult to assign responsibility to propagate fixes throughout the component chain
  • 10. A Multi-faceted Challenge. Complexity: one component may rely on 00s of others • Diversity: 40,000 Projects, 200MM Classes, 400K Components • Volume: typical enterprise consumes 000s of components monthly • Change: typical component is updated 4X per year
  • 11. Success Requires Discipline
  • 12. The Problem is Not Problem Discovery • When our software development ecosystem looks like this it is easy to find problems • The real challenge is to develop at scale and deliver continuous value continuously when everything else is a mess
  • 13. Current State. Visibility: no visibility to what components are used, where they are used and where there is risk • Control: no way to govern/enforce component usage; policies are not integrated with development • Fix: no efficient way to fix existing flaws
  • 14. Practical Solutions Require a Practical Approach
  • 15. “Haven’t I heard this story before?”
  • 16. It’s Not a One Trick Pony
  • 17. Accurate Identification. You can’t begin if you don’t know where to start, and you can’t start if you don’t know what you have.
  • 18. Components Can be Compromised. Non-vetted components enter the dev process from many sources: Component Repositories → Development Repositories → Integrate → Build → Deploy. Components can be compromised throughout the lifecycle.
  • 19. Component Lifecycle Management [diagram: Development Repo, Development Repositories]
  • 20. Data Driven Policies Facilitate Governance. Data Feeds (Security, License, Quality, Custom) → Policy Management (Rule-based Policies, Workflow, Reporting, Alerts) → POLICY
  • 21. Sonatype Governed Development. Informs and governs the software supply chain with security, popularity, and licensing information, developer-friendly policy enforcement, and early flaw detection and prevention. • Optimal component selection provides a clean starting point, minimizing downstream issues • Centralized policy administration with local enforcement ensures effective governance & compliance • Early problem detection & remediation ensures fast, trusted application delivery at low cost • Inventory capability provides the basis for effective management & monitoring
  • 22. Sonatype Monitoring & Remediation. Provides a fast path to discovering and fixing at-risk applications by precisely identifying component flaws and offering flexible remediation options. • Constant monitoring of applications ensures continuous trust. • Triage capability helps prioritize critical work. • Flexible remediation enables fast response to application problems. • Reporting & analysis capability supports audit and regulatory requirements.
  • 23. The Patch vs. Replace Dilemma (Patch ↔ Replace) • Investigate severity of security vulnerability • Determine project status (under active maintenance) • Find patch (is it available?) • Determine impact of patch (assess API compatibility, etc.) • Re-certify
  • 24. Security is a Matter of Priorities. Development: Features, Usability, Performance, Reliability/Scalability, Maintainability, Security, Compliance • Operations: Performance, Reliability/Scalability, Compliance, Security, Maintainability, Features/Usability • Security: Security, Compliance, Everything Else
  • 25. Building A Better Bridge Between Dev, Ops and Security • Need to recognize that the priorities are different • Tooling needs to adopt the practice of the practitioner, not the other way around • A tool is not a process and a process is not a tool; learn to leverage both.
  • 26. For More Information: Free Risk Assessment www.sonatype.com/Products/Application-Health-Check/AnalyzeYour-App • www.sonatype.com/Contact-Us
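Slides 9, 20 and 23 together describe the defender's workflow: resolve transitive dependencies so each flawed component can be attributed to the direct dependency that pulled it in, evaluate the inventory against rule-based security and license policies, and walk the patch-vs-replace steps (severity, maintenance status, availability of a fix, API impact) for each violation. The example below is added here to show that workflow in code; it is not Sonatype's product or data. The component names, vulnerability ids (VULN-000x), versions and the policy thresholds are all constructed for illustration, and "major version change" is used as a simple stand-in for the API-compatibility assessment on slide 23.

```python
"""Rule-based component policy evaluation with patch-vs-replace triage.

Constructed example: the inventory, vulnerability data and policy values
below are made up for illustration; they are not Sonatype data or an API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "moderate": 2, "severe": 3}


@dataclass
class Component:
    name: str
    version: str
    license: str
    maintained: bool                       # project under active maintenance?
    vulns: List[Tuple[str, str]] = field(default_factory=list)  # (id, severity)
    fixed_version: Optional[str] = None    # first version without the flaw, if known
    deps: List[str] = field(default_factory=list)               # direct dependency names


@dataclass
class Policy:
    max_severity: str = "moderate"         # anything above this is a violation
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


def major(version: str) -> int:
    """Major number of a dotted version string (stand-in for an API-compatibility check)."""
    return int(version.split(".")[0])


def resolve(inventory: Dict[str, Component], roots: List[str]) -> Dict[str, List[str]]:
    """Walk the dependency graph from the application's direct dependencies.

    Returns name -> path of names from a root to that component, so a transitive
    dependency is attributed to the direct dependency that introduced it.
    """
    paths: Dict[str, List[str]] = {}
    stack = [(r, [r]) for r in roots]
    while stack:
        name, path = stack.pop()
        if name in paths:          # already reached via another path
            continue
        paths[name] = path
        for dep in inventory[name].deps:
            stack.append((dep, path + [dep]))
    return paths


def evaluate(component: Component, policy: Policy) -> Dict[str, str]:
    """Apply license and severity rules; on a security violation, run the triage steps."""
    findings: Dict[str, str] = {}
    if component.license not in policy.allowed_licenses:
        findings["license"] = f"{component.license} not in allowlist"
    worst = max((SEVERITY_RANK[s] for _, s in component.vulns), default=0)
    if worst <= SEVERITY_RANK[policy.max_severity]:
        return findings                                  # severity within policy
    if not component.maintained:                         # step 2: project status
        findings["security"] = "replace: project not actively maintained"
    elif component.fixed_version is None:                # step 3: is a fix available?
        findings["security"] = "replace: no fixed version available"
    elif major(component.fixed_version) != major(component.version):   # step 4: impact
        findings["security"] = (f"patch {component.version} -> {component.fixed_version}: "
                                "major version change, re-certify API compatibility")
    else:
        findings["security"] = f"patch {component.version} -> {component.fixed_version}"
    return findings


def audit(inventory: Dict[str, Component], roots: List[str], policy: Policy) -> Dict[str, Dict[str, str]]:
    """Report every reachable component that violates the policy, with its import path."""
    report: Dict[str, Dict[str, str]] = {}
    for name, path in resolve(inventory, roots).items():
        findings = evaluate(inventory[name], policy)
        if findings:
            report[name] = {"via": " -> ".join(path), **findings}
    return report


# Constructed inventory: names, versions and VULN ids are placeholders, not real data.
INVENTORY = {c.name: c for c in [
    Component("example-web-framework", "1.2.0", "Apache-2.0", True,
              vulns=[("VULN-0001", "severe")], fixed_version="1.2.4",
              deps=["example-xml-parser", "example-logging"]),
    Component("example-xml-parser", "2.0.1", "MIT", False,
              vulns=[("VULN-0002", "severe")]),                   # unmaintained, no fix
    Component("example-logging", "3.1.0", "Apache-2.0", True,
              vulns=[("VULN-0003", "low")], deps=["example-string-utils"]),
    Component("example-string-utils", "0.9.0", "GPL-3.0", True), # license issue only
    Component("example-crypto", "1.0.0", "BSD-3-Clause", True,
              vulns=[("VULN-0004", "severe")], fixed_version="2.0.0"),
]}
ROOTS = ["example-web-framework", "example-crypto"]
POLICY = Policy()

if __name__ == "__main__":
    for name, entry in audit(INVENTORY, ROOTS, POLICY).items():
        print(name, entry)
```

The `via` field is the point of slide 9: `example-string-utils` is three hops below the application, and the report shows which direct dependency to hold responsible for carrying the fix forward.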