Date posted: 21-Jan-2018 | Category: Software
• Emerasoft srl
• Mission
• Vision
• Solutions
Monica Burzio – Emerasoft
Ugo Ciracì – Emerasoft
Steve Millard – Sonatype
Emerasoft Srl
Founded: 2005
Where we are:
Via Po, 1 – Torino
Piazzale Luigi Sturzo, 15 – Roma
“Our commitment is the constant search for the best solution for the customer, guaranteeing excellence in the quality of the services and products we offer. Our promise is to carry out our work with perseverance and passion.”
Solutions: DevOps, IoT, Testing, ALM, SOA, Business Intelligence, Security, University, ALM+PLM, standard compliance, BRMS, User Experience, SS4B, Enterprise Mobility, agile, IoD, BPM, OpenSource, API, Usability, traceability, Compliance Management, ITSM
Agenda – Webinar: “Software: the winning strategy lies in quality”
• The software supply chain
• DevOps and security: the current landscape
• Sonatype Nexus for quality software
• Q&A
Today's webinar (8 November):
Ugo Ciracì – DevOps Specialist @Emerasoft
Steve Millard – International Partner Business Manager @Sonatype
State of the Software Supply Chain
• 1,096 new projects per day
• 10,000 new versions per day
• 14x releases per year
• 3M npm components
• 2M Java components
• 900K NuGet components
• 870K PyPI components
State of the Software Supply Chain
80% to 90% of modern operations consist of assembled containers. (Chart: Containers vs. Hand-built applications and infrastructure)
State of the Software Supply Chain – TIME TO REPAIR OSS COMPONENTS
• 122,802 components with known vulnerabilities
• 19,445 (15.8%) fixed the vulnerability
• Mean TTR: 233 days
• Median TTR: 119 days
State of the Software Supply Chain – APACHE STRUTS2 MEAN TIME TO REPAIR
• CVE ID: CVE-2017-5638
• March 7: Apache fixed the vulnerability
• Zero days mean time to repair
State of the Software Supply Chain – 7,500 ORGANIZATIONS ANALYZED
• 125,701 Java component downloads annually
• 7,428 (5.8%) with known vulnerabilities
The case: Equifax – 5 Month Opportunity to Take Corrective Action
• March 7: Apache Struts releases updated version to thwart vulnerability CVE-2017-5638
• March 10: Equifax applications breached through Struts2 vulnerability
• July 29: Breach is discovered by Equifax.
• Sept 7: A new RCE vulnerability is announced and fixed (CVE-2017-9805)
(Timeline, March to September: Probing, Hack, Crisis Management; Large Scale Exploit)
The case: Equifax – TIME TO RESPOND BEFORE EXPLOIT
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
(Chart: Average days to exploit by year of date reported, 2006 to 2015, with 2017 marked; the average line falls from 45 days to 15 days)
BOUNCY CASTLE
CVE-2007-6721 – CVSS Base Score: 10.0 HIGH; Exploitability Subscore: 10.0
9 years later, vulnerable versions of Bouncy Castle were downloaded… (Chart: 11M in 2007, 23M in 2016)
• 23,476,966 total downloads in 2016
• 18,330,958 (78%) downloads were vulnerable
COMMONS COLLECTION – CWE-502
Software Supply Chain – Level of trust (Source: Gartner, May 2017)
• Trusted: reliably sourced without any digital risk accessing
• Partially Trusted: some attributes of trust but no confirmation
• Untrusted: no demonstrable proof of trust
(Axis: burden to verify and level of risk)
HOW OLOGY AND PRESS HELP?
Software Supply Chain – THE REWARDS ARE IMPRESSIVE
• 90% improvement in time to deploy
• 34,000 hours saved in 90 days
• 48% increase in application quality
“Businesses decide where and how to invest in cybersecurity based on a cost-benefit assessment but they are ultimately liable for the security of their data and systems.” (U.K.’s National Cyber Security Strategy 2016-2021)
Five Takeaways
1. You are using more open source than you think
2. There are good parts and bad components
3. You are responsible for your component choices
4. The new normal for getting business requirements into production is 3 days
5. It’s time to have the conversation internally
Content available on:
Emerasoft SlideShare channel
Emerasoft YouTube channel
Visit our website emerasoft.com
Contact us: [email protected]
Follow our channels…
Contacts
Emerasoft Srl
via Po, 1 – 10124 Torino
Piazzale Luigi Sturzo, 15 – 00144 Roma
T +39 011 0120370
T +39 06 87811323
F +39 011 3710371
Thank you…