Transcript of the webinar "Security and software quality: a journey through vulnerabilities and tools for..."

Emerasoft srl: Mission, Vision, Market & Solutions

Maria Chiara Ambrosio, Federico Pagnozzi

Agenda

• Open source components in companies

• The principles of the Software Supply Chain

• Solutions and best practices

• Q&A

Webinar: “Security and software quality: a journey through vulnerabilities and tools to increase speed, efficiency and quality”

SEPTEMBER 2015

Image courtesy of digitalart at FreeDigitalPhotos.net

About us

Founded: 2005

Where we are: via Po, 1 – Torino; via del Poggio Laurentino, 118 – Roma

Our mission: create value for our customers by implementing solutions that increase productivity and facilitate collaboration.

Some of our customers

Market & Solutions: DevOps, IoT, System & Software Engineering, Testing, ALM, SOA, Process Intelligence, Business Intelligence, Security, Digital Publishing, Training, ALM+PLM traceability, standard compliance, collaboration, Big Data, BYOD, User Experience, Quality, Enterprise Mobility, agile, IoD, IoH, Usability, API, BPM, Continuous Delivery, Continuous Integration


MARKET PRESSURES: Quality, Requirements, Processes, Activities, Collaboration

DevOps, Continuous Delivery, Continuous Integration, Automation, Continuous Acceleration

THE STATE OF SOFTWARE 2015: SUPPLY CHAIN ANALYSIS

Sonatype: supporting millions of developers worldwide

60k / 17B / 9M

MAVEN: easy to build

CENTRAL: easy to share

NEXUS REPOS: easy to manage

NEXUS LIFECYCLE: easy to automate

@sonatype

106,000 Organizations Analyzed

Source: 2015 State of the Software Supply Chain Report

We all have a SOFTWARE SUPPLY CHAIN

Modern software development HAS CHANGED. Our process HASN’T CHANGED ENOUGH.

John Willis, DevOps Days Core Organizer

Gareth Rushgrove, Puppet Labs

Nigel Simpson, F-100 Entertainment Giant

Open Source Download Requests… (from the Central Repository, by year):

2007: 500M
2008: 1B
2009: 2B
2010: 4B
2011: 6B
2012: 8B
2013: 13B
2014: 17B

Source: 2015 State of the Software Supply Chain Report

How Dependent on 3rd Parties Are We?

Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Closed Source, Cloud Services)

3 savings in modern supply chains:

• Better and fewer suppliers

• Higher quality parts

• Improved visibility and traceability

Automation

CHANGE: Typical component is updated 3 - 4X per year.

985,000 OSS COMPONENTS

11 MILLION OSS USERS

108,000 SUPPLIERS

Source: 2015 State of the Software Supply Chain Report

Suppliers Serving Manufacturers

Average:
Orders (downloads): 240,757
Suppliers (artifacts): 7,601
Parts (versions): 18,614

Source: 2015 State of the Software Supply Chain Report

59%: never repaired

41%: repaired in 390 days (median 265 days); CVSS 10s: 224 days

< 7 days: the best were remediated in under a week.

Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf

Source: modulecounts.com


Sample of Open Source Repositories, volume of download requests in 2014:

Central.sonatype.org: 17,213,084,947
Npmjs.org: 15,460,748,856
NuGetGallery.com: 280,124,916
Bintray.com: 250,000,000

Source: 2015 State of the Software Supply Chain Report

CHANGE: Typical component is updated 3 - 4X per year. Unlike COTS, there is no clear, effective COMMUNICATION channel …but there can be.

985,000 OSS COMPONENTS, 11 MILLION OSS USERS

Repository Managers Accessing the Central Repository

Source: 2015 State of the Software Supply Chain Report

PATTERN #1: Public Repos -> Local Repo -> Build Tool

PATTERN #2: Public Repos -> Build Tool

95% of downloads

5% of downloads


100-200

Cycle Time: Minutes - Hours

240,000 Components Downloaded Annually

Source: 2015 State of the Software Supply Chain Report

Q: Does your organization have an open source policy?

Half of organizations continue to run without an open source policy.

Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey

If it does not fit, it does not get done.

27 Outdated Versions Downloaded

Source: 2015 State of the Software Supply Chain Report

Image Source: caranddriver.com


Analysis of 1,500+ Applications:

• 106 components

• 24 known vulnerabilities

• 9 restrictive licenses

1. Create a software Bill of Materials for one application

2. Design a frictionless, automated, “continuous” approach

3. Empower developers with the right information at the right time

CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD

Jenkins integration: run history and status of each build, across multiple applications. Builds may be stable or unstable; build successes and failures are also shown.

Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.

EMPOWER DEVELOPERS FROM THE START

Shift Left = ZTTR (Zero Time to Remediation)

Analyze all components from within your IDE: license, security and architecture data for each component, evaluated against your policy.

CREATE A SOFTWARE BILL OF MATERIALS in 5 MINUTES: bit.ly/softwareBOM

DOWNLOAD THE FULL ANALYSIS REPORT

www.emerasoft.com/lo-stato-del-software-2015

IT’S TIME WE IMPROVE OURSOFTWARE SUPPLY CHAINS

What’s next

Content available on:

Emerasoft SlideShare channel

Emerasoft YouTube channel

Visit our website emerasoft.com

Follow our channels …

Q&A

Contacts

Contact us: [email protected]

Emerasoft Srl

via Po, 1 – 10124 Torino: T +39 011 0120370, F +39 011 3710371

via del Poggio Laurentino, 118 – 00144 Roma: T +39 06 87811323

Thank you…