What’s in your Java Application – is it safe? Can you ‘Shift Left’ to mitigate the risks? Nick Coombs, Regional Sales Director Andy Howells, Solutions Architect


Win a GoPro Hero Session – scan an application

2 5/2/2016

• Full HD 1080p video up to 60 fps
• 149° lens
• Waterproof to 32 ft with included housing
• Up to 2 hours recording
• 8 megapixel still photos & time lapse mode

What Projects do you use?


• Apache Struts

• Apache Mahout

• Wildfly

• Liferay

• Glassfish

• Apache Tomee

• JBOSS

• Websphere

• Apache Tomcat

Devops – The intersection of Agile, Lean and ITSM


• Lean – Quality
• ITSM – Control
• Agile – Speed

SUPPLIERS – Open Source Projects
• 3.7 million open source developers
• Over 1.3M component versions contributed
• 105,000 open source projects

WAREHOUSES – Component Repositories
• 32 billion download requests last year
• 90,000 private component repositories in use

MANUFACTURERS – Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization

FINISHED GOODS – Software Applications
• 80–90% component-based
• 106 components per application

The modern software supply chain


• Once uploaded, always available (nothing is withdrawn from Central, so vulnerable versions stay downloadable)
• 3–4 updates per year, with no way to inform development teams
• Mean time to repair a security vulnerability: 390 days
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices
• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 31% suspect a related breach
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials

Your software supply chain is complicated

Hundreds of thousands of open source suppliers and millions of components


Bouncy Castle (Java Cryptography API) – CVE date: 11/10/2007
• CVSS v2 base score: 10.0 HIGH; exploitability: 10.0
• Since then: 11,236 organizations downloaded it 214,484 times

HttpClient (Java HTTP implementation) – CVE date: 11/04/2012
• CVSS v2 base score: 5.8 MEDIUM; exploitability: 8.6
• Since then: 29,468 organizations downloaded it 3,749,193 times

Apache Struts 2 (web application framework) – CVE date: 07/20/2013
• CVSS v2 base score: 9.3 HIGH; exploitability: 10
• Since then: 4,076 organizations downloaded it 179,050 times

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …

• Any part can be chosen, even if it is outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.

Do you drive one of the following?


• Acura • Audi • BMW • Chevrolet • Chrysler • Dodge • Ford • GMC • Honda • Infiniti

• Mazda • Mercedes-Benz • Mitsubishi • Nissan • Pontiac • Saab • Saturn • Subaru • Toyota • Volkswagen

Source : http://www.safercar.gov/rs/takata/takatalist.html


Partners across the globe are bringing the 787 together

Source : http://dfat.gov.au

Time for a SUPPLY CHAIN APPROACH?

• Use fewer and better suppliers

• Use higher quality parts

• Track what is used and where

Time for a FRESH APPROACH?

Sonatype Nexus Lifecycle

• Precisely identify components and risks

• Remediate early in development

• Automate policy across the SDLC

• Manage risk across all applications

• Continuously monitor applications for new risks

• Faster releases

• Increased efficiency

• Less unplanned work

• Fewer break-fixes

• Easier maintenance

• And better quality software!
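The supply chain approach (use fewer and better suppliers, use higher quality parts, track what is used and where) and the Nexus Lifecycle bullets (precisely identify components, remediate early, automate policy across the SDLC) come down to two mechanical tasks: produce an inventory of the components an application actually declares, and fail the build when that inventory violates policy. The script below is an added example written for this page, not code from the slides or from Sonatype’s products. It parses a Maven pom.xml into a component inventory, resolves the `${property}` version references that real poms use, and gates the result against a minimum-version policy. POM_XML and POLICY_MIN_VERSION are constructed for illustration; the version thresholds are placeholders and not real advisory data.

```python
"""Added example (not from the slides or Sonatype): inventory a Maven pom.xml
and gate it against a minimum-version policy. POM_XML and POLICY_MIN_VERSION
are constructed for illustration; the thresholds are NOT real advisory data."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # Maven's default XML namespace

# Constructed sample project. The ${httpclient.version} reference is how real
# poms usually pin versions, and is exactly what a naive grep for <version> misses.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>webapp</artifactId><version>1.0.0</version>
  <properties><httpclient.version>4.2.1</httpclient.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId><version>${httpclient.version}</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId><version>1.50</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.20</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.12</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

# Constructed policy: coordinate -> lowest acceptable version. Placeholder values
# chosen for this example only; a real gate loads exact affected-version ranges
# from an advisory feed (NVD, vendor data) rather than a hand-written minimum.
POLICY_MIN_VERSION = {
    "org.apache.httpcomponents:httpclient": "4.3.0",
    "org.bouncycastle:bcprov-jdk15on": "1.60",
    "org.apache.struts:struts2-core": "2.3.20",
}


def version_key(version):
    """Comparable key for dotted versions: numeric parts as ints, others as
    strings, trailing zeros dropped so '4.3' == '4.3.0' as in Maven. This is a
    simplification of Maven's ComparableVersion (qualifiers such as -SNAPSHOT
    are not ordered the way Maven orders them)."""
    key = [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]
    while len(key) > 1 and key[-1] == (0, 0):
        key.pop()
    return tuple(key)


def _text(elem, tag):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else ""


def component_inventory(pom_xml):
    """Return [(group:artifact, version, scope)] for every declared dependency,
    resolving ${property} references against <properties> and project.version."""
    root = ET.fromstring(pom_xml)
    props = {"project.version": _text(root, "version")}
    props_elem = root.find(POM_NS + "properties")
    if props_elem is not None:
        for prop in props_elem:
            props[prop.tag.replace(POM_NS, "")] = (prop.text or "").strip()

    def resolve(value):
        # Unknown properties are left as-is so the gate can report them.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps = root.find(POM_NS + "dependencies")
    return [
        (f"{resolve(_text(dep, 'groupId'))}:{resolve(_text(dep, 'artifactId'))}",
         resolve(_text(dep, "version")),
         _text(dep, "scope") or "compile")
        for dep in (deps if deps is not None else [])
    ]


def policy_violations(inventory, policy=POLICY_MIN_VERSION):
    """Components below the policy minimum, plus any whose version is missing or
    unresolved: an unknown version cannot be shown to be safe, so it fails too."""
    findings = []
    for coord, version, _scope in inventory:
        if not version or "${" in version:
            findings.append((coord, version, "version missing or unresolved"))
        elif coord in policy and version_key(version) < version_key(policy[coord]):
            findings.append((coord, version, f"below policy minimum {policy[coord]}"))
    return findings


if __name__ == "__main__":
    inventory = component_inventory(POM_XML)
    for coord, version, scope in inventory:      # the bill of materials
        print(f"{coord}:{version} ({scope})")
    violations = policy_violations(inventory)
    for coord, version, reason in violations:
        print(f"POLICY FAIL {coord}:{version} - {reason}")
    raise SystemExit(1 if violations else 0)     # non-zero exit fails the build
```

Run it as a build step and the non-zero exit is the “shift left” gate: the finding surfaces on the developer’s commit rather than 390 days later in production. The inventory it prints is the minimal bill of materials the 60% figure above is about; keeping that output per build is what makes a recall possible when a new CVE lands against a component you already ship. Note that this reads only the direct dependencies declared in the pom; transitive dependencies (the bulk of the 106 components per application) need the resolved dependency graph, e.g. the output of `mvn dependency:tree`, fed into the same check.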

NEXUS & Bamboo at the of Continuous

Devops Calculator – Reduce your waste


Thank you

Does anyone want to scan their applications?