What’s in your Java Application – is it safe? Can you ‘Shift Left’ to mitigate the risks? Nick Coombs, Regional Sales Director Andy Howells, Solutions Architect
Win a GoPro Hero Session – scan an application
2 5/2/2016
• Full HD 1080p video up to 60 fps
• 149° lens
• Waterproof to 32 ft with included housing
• Up to 2 hours recording
• 8 megapixel still photos & time lapse mode
What Projects do you use?
• Apache Struts
• Apache Mahout
• Wildfly
• Liferay
• Glassfish
• Apache Tomee
• JBOSS
• Websphere
• Apache Tomcat
Devops – The intersection of Agile, Lean and ITSM
• Lean - Quality
• Agile - Speed
• ITSM - Control
The modern software supply chain
SUPPLIERS - Open Source Projects
• 3.7 million open source developers
• Over 1.3M component versions contributed
• 105,000 open source projects
WAREHOUSES - Component Repositories
• 32 billion download requests last year
• 90,000 private component repositories in use
MANUFACTURERS - Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization
FINISHED GOODS - Software Applications
• 80 - 90% component-based
• 106 components per application
Your software supply chain is complicated
Hundreds of thousands of open source suppliers and millions of components
• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices
• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 31% suspect a related breach
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials
• Bouncy Castle (Java Cryptography API) - CVE Date: 11/10/2007; CVSS v2 Base Score: 10.0 HIGH; Exploitability: 10.0. Since then 11,236 organizations downloaded it 214,484 times.
• HttpClient (Java HTTP implementation) - CVE Date: 11/04/2012; CVSS v2 Base Score: 5.8 MEDIUM; Exploitability: 8.6. Since then 29,468 organizations downloaded it 3,749,193 times.
• Apache Struts 2 (Web application framework) - CVE Date: 07/20/2013; CVSS v2 Base Score: 9.3 HIGH; Exploitability: 10. Since then 4,076 organizations downloaded it 179,050 times.
Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …
• Any part can be chosen even if it is outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of the parts that were used, or where.
• Manufacturers could choose any supplier they want for any given part, regardless of quality.
Do you drive one of the following?
• Acura • Audi • BMW • Chevrolet • Chrysler • Dodge • Ford • GMC • Honda • Infiniti
• Mazda • Mercedes-Benz • Mitsubishi • Nissan • Pontiac • Saab • Saturn • Subaru • Toyota • Volkswagen
Source: http://www.safercar.gov/rs/takata/takatalist.html
Time for a SUPPLY CHAIN APPROACH?
11 3/19/14
• Use fewer and better suppliers
• Use higher quality parts
• Track what is used and where
Time for a FRESH APPROACH?
Sonatype Nexus Lifecycle
• Precisely identify components and risks
• Remediate early in development
• Automate policy across the SDLC
• Manage risk across all applications
• Continuously monitor applications for new risks
• Faster releases
• Increased efficiency
• Less unplanned work
• Fewer break-fixes
• Easier maintenance
• And better quality software!
NEXUS & Bamboo at the of Continuous