What’s in your Application – is it safe? Can you ‘Shift Left’ to mitigate the risks?

Nick Coombs, Regional Sales Director
Andy Howells, Solutions Architect

Win a GoPro Hero Session – scan an application


5/2/2016

What Projects do you use?

• Apache Struts
• Wildfly
• Liferay
• Glassfish
• Apache Tomee
• JBOSS
• Websphere

DevOps – The intersection of Agile, Lean and ITSM

• Lean - Quality
• Agile - Speed
• ITSM - Control

The modern software supply chain

SUPPLIERS: Open Source Projects
• 3.7 million open source developers
• Over 1.3M component versions contributed
• 105,000 open source projects
• Once uploaded, always available
• 3-4 yearly updates, no way to inform development teams
• Mean-time-to-repair a security vulnerability: 390 days

WAREHOUSES: Component Repositories
• 32 billion download requests last year
• 90,000 private component repositories in use
• 6.2% of requests have known security vulnerabilities
• 34% of downloads have restrictive licenses
• 95% rely on inefficient component distribution (or “sourcing”) practices

MANUFACTURERS: Software Dev Teams
• 11 million developers
• 160,000 organizations
• 7,600 external suppliers used in an average development organization
• 27 versions of the same component downloaded
• 43% don’t have open source policies
• 75% of those with policies don’t enforce them
• 31% suspect a related breach

FINISHED GOODS: Software Applications
• 80 - 90% component-based
• 106 components per application
• 24 known security vulnerabilities per application, critical or severe
• 9 restrictive licenses per application, critical or severe
• 60% don’t have a complete software Bill of Materials

Your software supply chain is complicated

Hundreds of thousands of open source suppliers and millions of components

| Component | Description | CVE Date | CVSS v2 Base Score | Exploitability | Downloads since then |
| --- | --- | --- | --- | --- | --- |
| Bouncy Castle | Java Cryptography API | 11/10/2007 | 10.0 HIGH | 10.0 | 11,236 organizations downloaded it 214,484 times |
| Apache HttpClient | Java HTTP implementation | 11/04/2012 | 5.8 MEDIUM | 8.6 | 29,468 organizations downloaded it 3,749,193 times |
| Struts 2 | Web application framework | 07/20/2013 | 9.3 HIGH | 10 | 4,076 organizations downloaded it 179,050 times |

Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database

What if manufacturers built cars the way we build software: without supply chain visibility, process and automation …

• Manufacturers could choose any supplier they want for any given part, regardless of quality.
• Any part can be chosen even if it is outdated or known to be unsafe.
• There is no inventory of the parts that were used, or where.
• Since parts aren’t tracked, it’s challenging to issue a recall.
• There is no quality control or consistency from car to car.

Do you drive one of the following?

• Acura • Mazda • Audi • Mercedes-Benz • BMW • Mitsubishi • Chevrolet • Nissan • Chrysler • Pontiac • Dodge • Saab • Ford • Saturn • GMC • Subaru • Honda • Toyota • Infiniti • Volkswagen

Source: http://www.safercar.gov/rs/takata/takatalist.html

Partners across the globe are bringing the 787 together

Source: http://dfat.gov.au

Time for a SUPPLY CHAIN APPROACH?

• Use fewer and better suppliers

• Use higher quality parts

• Track what is used and where

Time for a FRESH APPROACH?

Sonatype Nexus Lifecycle

• Precisely identify components and risks

• Remediate early in development

• Automate policy across the SDLC

• Manage risk across all applications

• Continuously monitor applications for new risks

NEXUS & Bamboo at the of Continuous

• Faster releases
• Increased efficiency
• Less unplanned work
• Fewer break-fixes
• Easier maintenance
• And better quality software!

DevOps Calculator – Reduce your waste

Thank you

Does anyone want to scan their applications?