Webinar: "Software: the winning strategy lies in quality"

Transcript of Webinar: "Software: the winning strategy lies in quality"

• Emerasoft srl

• Mission

• Vision

• Solutions

Monica Burzio – Emerasoft

Ugo Ciracì – Emerasoft

Steve Millard – Sonatype

Emerasoft Srl

Founded: 2005

Where we are:

Via Po, 1 – Torino
Piazzale Luigi Sturzo, 15 – Roma

“Our commitment is the constant search for the best solution for the customer, guaranteeing excellence in the quality of the services and products we offer. Our promise is to carry out our work with perseverance and passion.”

Emerasoft Srl – Solutions

• DevOps
• IoT
• Testing
• ALM
• SOA
• Business Intelligence
• Security
• University
• ALM+PLM
• standard compliance
• BRMS
• User Experience
• SS4B
• Enterprise Mobility
• agile
• IoD
• BPM
• OpenSource
• API
• Usability
• traceability
• Compliance Management
• ITSM


Agenda – Webinar: “Software: the winning strategy lies in quality”

APRIL

• The software supply chain
• DevOps and security: the current landscape
• Sonatype Nexus for quality software
• Q&A

Today's webinar

Ugo Ciracì – DevOps Specialist @Emerasoft
Steve Millard – International Partner Business Manager @Sonatype

8 NOVEMBER

2017 State of the Software Supply Chain

Say Hello to Your Software Supply Chain…

State of the Software Supply Chain

1,096 new projects per day
10,000 new versions per day
14x releases per year

• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components


State of the Software Supply Chain

80% to 90% of modern apps consist of assembled components.

State of the Software Supply Chain

80% to 90% of modern operations consist of assembled containers.

[Chart labels: Containers vs. hand-built applications and infrastructure]

State of the Software Supply Chain

NOT ALL PARTS ARE CREATED EQUAL

State of the Software Supply Chain

TIME TO REPAIR OSS COMPONENTS

• 233 days mean TTR
• 119 days median TTR
• 122,802 components with known vulnerabilities
• 19,445 (15.8%) fixed the vulnerability

State of the Software Supply Chain

APACHE STRUTS2 MEAN TIME TO REPAIR

CVE ID: CVE-2017-5638 (March 7). Apache fixed the vulnerability on March 7: zero days mean time to repair.

State of the Software Supply Chain

[Slide image; source: @weekstweets]

State of the Software Supply Chain

6-IN-10 HAVE OPEN SOURCE POLICIES

State of the Software Supply Chain

7,500 ORGANIZATIONS ANALYZED

• 125,701 Java component downloads annually
• 7,428 (5.8%) with known vulnerabilities

State of the Software Supply Chain

DEFECT PERCENTAGES FOR JAVASCRIPT

State of the Software Supply Chain

The case: Equifax

5 Month Opportunity to Take Corrective Action (timeline Mar to Sept; phases: Probing, Hack, Crisis Management; annotation: Large Scale Exploit)

• March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
• March 10: Equifax applications breached through Struts2 vulnerability
• July 29: Breach is discovered by Equifax
• Sept 7: A new RCE vulnerability is announced and fixed: CVE-2017-9805

TIME TO RESPOND BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)

[Chart: x-axis "Year of Date Reported", 2006 to 2015; y-axis "Average Days to Exploit", 0 to 50; average values marked on the chart: 45 and 15; a further "2017" marker appears]

The case: Equifax

BOUNCY CASTLE

9 years later, vulnerable versions of Bouncy Castle were downloaded… [chart 2007 to 2016; values shown: 11M and 23M]

CVE-2007-6721
CVSS Base Score: 10.0 HIGH
Exploitability Subscore: 10.0

BOUNCY CASTLE / COMMONS COLLECTION (CWE-502)

• 23,476,966 total downloads in 2016
• 18,330,958 (78%) downloads were vulnerable

Software Supply Chain

Level of trust (Source: Gartner, May 2017):

• Trusted: reliably sourced without any digital risk accessing
• Partially Trusted: some attributes of trust but no confirmation
• Untrusted: no demonstrable proof of trust

Axes: level of trust; burden to verify and level of risk.

HOW OLOGY AND PRESS HELP?


Software Supply Chain

TRUSTED SOFTWARE SUPPLY CHAINS

THE REWARDS ARE IMPRESSIVE

• 90% improvement in time to deploy
• 34,000 hours saved in 90 days
• 48% increase in application quality

Software Supply Chain

“Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems.”
U.K.’s National Cyber Security Strategy 2016–2021

Five Takeaways

1. You are using more open source than you think
2. There are good parts and bad components
3. You are responsible for your component choices
4. The new normal for getting business requirements into production is 3 days
5. It’s time to have the conversation internally

Content available on:

• Emerasoft SlideShare channel
• Emerasoft YouTube channel
• Visit our website emerasoft.com
• Contact us: [email protected]

Emerasoft Srl

Follow our channels…

Contacts

Emerasoft Srl
via Po, 1 – 10124 Torino
Piazzale Luigi Sturzo, 15 – 00144 Roma
T +39 011 0120370
T +39 06 87811323
F +39 011 3710371
[email protected]

Thanks…