Dallas, TX April 5, 2016
Mentor’s View: Aligning your team and your powers for success
Mike Worthington, Customer Success Engineer, Sonatype
2 05/02/2023
Agenda
• Software Supply Chain & Rugged DevOps
• Getting Started on Your Journey
• Interactive Demo – Setting Policy
• Policy Results in Jenkins & Eclipse
• Meaningful Success Metrics
The Software Supply Chain
• Hundreds of thousands of open source projects
• 3-4 updates per project annually
• 30 billion download requests last year
• 1 in 16 of those downloads was a component with known vulnerabilities
• 43% of organizations have no component governance
• 75% of those who do have it don’t enforce it
• 106 components per application, on average
• 24 known vulnerabilities per application, on average
• 73% have no inventory of the components they use
If manufacturers built cars the way we build software…
• Any part can be used even if it’s outdated or known to be unsafe.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.
• There is no inventory of parts used, or where.
• Choose any supplier for any part, regardless of quality.
Apply Software Supply Chain Principles For Rugged DevOps
• Supplier & component selection (3rd party or proprietary)
• Component quality & governance
• Monitoring components & assemblies (patches, updates, vulns, age)
• Guidelines & policies
• Bill of Materials
• Warehouse & Staging
Image: Gartner Research, March 2016: Avoid Failure by Developing a Toolchain that Enables DevOps
Nexus Automates Software Supply Chain Practices Across The Devops Toolchain
Getting started on your journey
Rugged DevOps, Software Supply Chain, Now What?
• The Hero’s Journey
• Align Your Heroes
• Building Bridges
• Setting Expectations
Building a trusted software supply chain
Different stakeholders, different priorities
“Where’s that release?”
“Done! On to the next sprint.”
“Now, where are we in that process?”
Building a better bridge between Dev, Ops & Sec
• Tooling needs to adopt the practice of the practitioner
• A tool is not a process and a process is not a tool; learn to leverage both
Two philosophies
Support & guide
• Objective information across the lifecycle
• Each performs the task they are good at
• Faster component selection and issue resolution
• Bridges the developer “compliance” gap
Scan & scold
• Reactive information late in the lifecycle
• Creates rework and slows remediation
• Hinders technology innovation
• More expensive
Building a good component practice
Phase 1: Understanding your environment
Phase 2: Creating policy & rating risk
Phase 3: Reducing risk & enforcing compliance
Communicate expectations
Determine the lifecycle enforcement strategy for each stage (Development, CI Build, Promotion to staging or release):
• Allows developers time to research & fix or to request waivers
• Everything is documented on an internal wiki
Fix the Red – Actionable?
Reactions to a red result: panic, easy, oops, pray, help?, evil, bs, fix it
Interactive policy development
What is policy?
Out-of-the-box policies with easy customization
Architecture
Component
License
Security
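To make the policy idea concrete (the four out-of-the-box categories above, and the per-stage enforcement strategy under “Communicate expectations”), here is an added Python example. It is not Sonatype’s code and not how IQ Server implements policy; the policy names, thresholds, stage names, waiver format and the sample bill of materials are all assumptions made up for the illustration.

```python
"""Added example, not code from the Sonatype deck: a minimal component-policy
engine that rates each component against four policy categories (security,
license, architecture, component quality) and applies a lifecycle enforcement
strategy that warns early and fails late. All names, thresholds and the sample
bill of materials below are assumptions made for this illustration."""
from dataclasses import dataclass
from typing import Callable, Optional

# Lifecycle stages in the order a component moves through them (assumed names).
STAGES = ("development", "ci-build", "stage-release")

# Enforcement strategy (assumed): what a violation of a given threat level does
# at each stage. "warn" gives developers time to research, fix or request a
# waiver; "fail" blocks the build or the promotion.
ENFORCEMENT = {
    "critical": {"development": "warn", "ci-build": "fail", "stage-release": "fail"},
    "severe":   {"development": "warn", "ci-build": "warn", "stage-release": "fail"},
    "moderate": {"development": "warn", "ci-build": "warn", "stage-release": "warn"},
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    age_years: float       # years since this version was released
    max_cvss: float        # highest CVSS score among known vulns (0 = none)
    newer_versions: int    # number of newer releases available


@dataclass(frozen=True)
class Violation:
    component: Component
    policy: str
    threat: str
    reason: str


# A policy is a function returning (threat level, reason), or None when clean.
Policy = Callable[[Component], Optional[tuple]]


def security_critical(c: Component):
    if c.max_cvss >= 9.0:
        return ("critical", f"known vulnerability with CVSS {c.max_cvss}")


def security_high(c: Component):
    if 7.0 <= c.max_cvss < 9.0:
        return ("severe", f"known vulnerability with CVSS {c.max_cvss}")


def license_copyleft(c: Component):
    if c.license in ("GPL-2.0", "GPL-3.0", "AGPL-3.0"):
        return ("severe", f"copyleft license {c.license}")


def architecture_stale(c: Component):
    if c.age_years >= 3 and c.newer_versions >= 5:
        return ("moderate", f"{c.age_years} years old, {c.newer_versions} newer versions")


POLICIES = {
    "Security-Critical": security_critical,
    "Security-High": security_high,
    "License-Copyleft": license_copyleft,
    "Architecture-Stale": architecture_stale,
}


def evaluate(components, waivers=frozenset()):
    """Return every violation, skipping (name, version, policy) triples that
    carry an approved waiver (the "request waivers" path in the text)."""
    found = []
    for c in components:
        for policy_name, policy in POLICIES.items():
            result = policy(c)
            if result and (c.name, c.version, policy_name) not in waivers:
                found.append(Violation(c, policy_name, *result))
    return found


def enforce(violations, stage):
    """Apply the enforcement strategy for one lifecycle stage.
    Returns (action, blocking, warnings) where action is "fail", "warn" or "pass"."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    blocking = [v for v in violations if ENFORCEMENT[v.threat][stage] == "fail"]
    warnings = [v for v in violations if ENFORCEMENT[v.threat][stage] == "warn"]
    action = "fail" if blocking else ("warn" if warnings else "pass")
    return action, blocking, warnings


# Constructed bill of materials for one application (fictional components).
BOM = [
    Component("acme-json", "1.4.2", "Apache-2.0", 0.5, 0.0, 1),
    Component("acme-xml-parser", "2.0.0", "Apache-2.0", 4.0, 9.8, 7),
    Component("acme-pdf-render", "0.9.1", "GPL-3.0", 1.0, 0.0, 2),
    Component("acme-util", "3.1.0", "MIT", 5.0, 0.0, 6),
]

if __name__ == "__main__":
    violations = evaluate(BOM)
    for stage in STAGES:
        action, blocking, warnings = enforce(violations, stage)
        print(f"{stage:14} {action:4} blocking={len(blocking)} warnings={len(warnings)}")
        for v in blocking + warnings:
            print(f"    {v.policy}: {v.component.name} {v.component.version} ({v.reason})")
```

The same four violations produce only warnings in development, one blocking failure at CI build (the critical vulnerability) and two at promotion (the copyleft license joins it); a waiver recorded for a specific (component, version, policy) triple removes that violation from every stage, which is what lets the team document exceptions instead of silently lowering the bar.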
IQ Server Policy Definition
DEMO
Jenkins & IDE integration
DEMO
Toolchain integration – IDE & CI Server
ZTTR (Zero Time to Remediation)
1. Empower developers from the start
2. Design a frictionless approach
3. Create a software bill of materials
Defining Meaningful Success Metrics
http://www.aintitcool.com/node/44547
It’s Not What You Measure…
http://ronjeffries.com/articles/016-03/you-want/
…It’s the Behavior that Results
Manager: “Nathan, this isn’t fair. You’re just showing the number of stories, not how big they are.”
Nathan: “That’s right.”
Manager: “But that’s not fair!”
Nathan: [silent]
Manager: “All I’d have to do would be to divide up my stories into little bits and release those every month.”
Nathan: [silent, smiling]
Manager: “Oh.”
Soon, the manager was doing small stories, to the benefit of everyone.
http://ronjeffries.com/articles/016-03/you-want/
Success Metrics
• Short Term – Time to Value
  • “By the end of the workshop, we configured ~80% of our policies. Just six business days after training, we have made the test environment available in our organization”
• Long Term – Quality Metrics
  • MTTR
  • WIP
  • New violations delivered to production
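As an added illustration (not from the deck), the following Python computes the three long-term quality metrics from a violation log, with the boundary rules spelled out: MTTR counts only violations closed in the period, WIP counts what is still open at the end of a day, and production violations are counted by the date they first shipped. The record layout, component names and dates are assumptions made for the example.

```python
"""Added example, not from the Sonatype deck: computing MTTR, WIP and new
violations delivered to production from a violation log. The record fields
and the sample data are assumptions made for the illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ViolationRecord:
    component: str
    policy: str
    opened: date                        # first reported by the tooling
    closed: Optional[date]              # fixed or waived; None while still open
    reached_production: Optional[date]  # first shipped in a production release, if ever


def mttr_days(records, period_start, period_end):
    """Mean time to remediate, in days, over violations closed in the period.
    Still-open violations are excluded: they have no remediation time yet."""
    durations = [(r.closed - r.opened).days for r in records
                 if r.closed is not None and period_start <= r.closed <= period_end]
    return sum(durations) / len(durations) if durations else None


def wip(records, as_of):
    """Work in progress: violations still open at the end of the given day."""
    return sum(1 for r in records
               if r.opened <= as_of and (r.closed is None or r.closed > as_of))


def new_violations_in_production(records, period_start, period_end):
    """Violations that reached production for the first time during the period."""
    return [r for r in records
            if r.reached_production is not None
            and period_start <= r.reached_production <= period_end]


def report(records, period_start, period_end):
    """One period's scorecard: the numbers a team would trend month over month."""
    return {
        "mttr_days": mttr_days(records, period_start, period_end),
        "wip": wip(records, period_end),
        "new_in_production": len(new_violations_in_production(records, period_start, period_end)),
    }


# Constructed log covering March 2016 (fictional components and dates).
LOG = [
    ViolationRecord("acme-json", "Security-High", date(2016, 2, 20), date(2016, 3, 2), None),
    ViolationRecord("acme-util", "Architecture-Stale", date(2016, 3, 3), date(2016, 3, 8), None),
    ViolationRecord("acme-xml-parser", "Security-Critical", date(2016, 3, 5), None, date(2016, 3, 15)),
    ViolationRecord("acme-pdf-render", "License-Copyleft", date(2016, 3, 10), date(2016, 3, 30), date(2016, 3, 12)),
    ViolationRecord("acme-cache", "Security-High", date(2016, 1, 15), date(2016, 2, 10), None),
    ViolationRecord("acme-auth", "Security-Critical", date(2016, 3, 28), None, None),
]
PERIOD = (date(2016, 3, 1), date(2016, 3, 31))

if __name__ == "__main__":
    print(report(LOG, *PERIOD))
```

Note that the violation closed in February is left out of March’s MTTR, and the one fixed on 30 March no longer counts as WIP on the 31st; getting these boundaries wrong is the usual way the same log yields two different numbers in two reports.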
Q&A
Wrap Up
• Manage your Software Supply Chain
• Collaborate with counterparts – BA/PM/Dev/QA/Ops/Sec.
• Discuss mutual interdependence and shared objectives
• Automated Real-Time Feedback is a win-win
• http://bit.ly/app-check
We’re here, engaged & ready to help
Customer Success Team
• Nexus Newsletter
• Nexus Live – Google Hangouts
• Cool Things in 2 Minutes
• Training On-Site or Online
• Online Knowledge Base
• Nexus Community Pages
• Books Online
Mike Worthington - http://bit.ly/mwsonatype Customer Success Engineer, Sonatype