Posted: 11-Jan-2017 | Category: Software | Uploaded by: emerasoft-solutions-to-collaborate
Agenda
• Open source components in companies
• The principles of the software supply chain
• Solutions and best practices
• Q&A
Webinar: “Software security and quality: a journey through vulnerabilities and tools to increase speed, efficiency and quality”
SEPTEMBER 2015
Who we are
Founded: 2005
Where we are: via Po, 1 – Torino; via del Poggio Laurentino, 118 – Roma
Our mission: to create value for our customers by implementing solutions that increase productivity and facilitate collaboration.
Tag cloud: DevOps, IoT, System & Software Engineering, Testing, ALM, SOA, Process Intelligence, Business Intelligence, Security, Digital Publishing, Training, ALM+PLM, traceability, standard compliance, collaboration, Big Data, BYOD, User Experience, Quality, Enterprise Mobility, agile, IoD, IoH, Usability, API, BPM, Continuous Delivery, Continuous Integration
Sonatype: supporting millions of developers worldwide (60k | 17B | 9M)
• MAVEN: easy to build
• CENTRAL: easy to share
• NEXUS REPOS: easy to manage
• NEXUS LIFECYCLE: easy to automate
John Willis, DevOps Days Core Organizer; Gareth Rushgrove, Puppet Labs; Nigel Simpson, F-100 Entertainment Giant
@sonatype
Open Source Download Requests (chart, 2007–2014): 2007 500M, 2008 1B, 2009 2B, 2010 4B, 2011 6B, 2012 8B, 2013 13B, 2014 17B
Source: 2015 State of the Software Supply Chain Report
How Dependent on 3rd Parties Are We?
Typical application: 10% custom written code, 90% from 3rd parties (open source, closed source, cloud services).
3 savings in modern supply chains:
• Better and fewer suppliers
• Higher quality parts
• Improved visibility and traceability
Automation
CHANGE: the typical component is updated 3–4X per year.
985,000 OSS components, 11 million OSS users, 108,000 suppliers
Source: 2015 State of the Software Supply Chain Report
Suppliers Serving Manufacturers
Average: Orders (downloads) 240,757; Suppliers (artifacts) 7,601; Parts (versions) 18,614
Source: 2015 State of the Software Supply Chain Report
• 59% never repaired
• 41% repaired, taking 390 days (median 265 days); CVSS 10s: 224 days
• <7: the best were remediated in under a week
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
Sample of Open Source Repositories, volume of download requests in 2014:
• Central.sonatype.org: 17,213,084,947
• Npmjs.org: 15,460,748,856
• NuGetGallery.com: 280,124,916
• Bintray.com: 250,000,000
Source: 2015 State of the Software Supply Chain Report
CHANGE: the typical component is updated 3–4X per year. Unlike COTS, there is no clear, effective COMMUNICATION channel… but there can be.
985,000 OSS components, 11 million OSS users
Repository Managers Accessing the Central Repository
PATTERN #1: Public Repos → Local Repo → Build Tool (95% of downloads)
PATTERN #2: Public Repos → Build Tool (5% of downloads)
240,000 components downloaded annually
Source: 2015 State of the Software Supply Chain Report
Q: Does your organization have an open source policy?
Half of organizations continue to run without an open source policy.
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
Analysis of 1,500+ applications: 106 components, 24 known vulnerabilities, 9 restrictive licenses
1. Create a software Bill of Materials for one application
2. Design a frictionless, automated, “continuous” approach
3. Empower developers with the right information at the right time
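The first step above, a software Bill of Materials for one application, can be illustrated with a small Python script that inventories the direct dependencies declared in a Maven pom.xml and evaluates each component against a policy on known vulnerabilities and restrictive licences (the two findings the deck reports for the 1,500+ analysed applications). This is an added example, not Sonatype or Emerasoft code: the pom.xml, the advisory feed, the licence table and the component names are all constructed for the demonstration, and a real toolchain would resolve transitive dependencies and match version ranges from a live vulnerability feed.

```python
"""Software bill of materials (SBOM) for one Maven application, checked
against a policy. Added example, not Sonatype or Emerasoft code: the
pom.xml, the advisory list and the licence table are all constructed
for the demonstration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml for the application being inventoried.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-core</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parser-lib</artifactId>
      <version>0.9.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>gpl-util</artifactId>
      <version>1.4</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: (group, artifact) -> list of (affected version, CVSS score).
# A real feed carries version ranges and advisory ids; exact-version matching is
# enough to show the check.
ADVISORIES = {
    ("org.example", "parser-lib"): [("0.9.3", 9.8), ("0.9.2", 9.8)],
}
# Constructed licence metadata and the set of licences this policy treats as restrictive.
LICENSES = {
    ("org.example", "web-core"): "Apache-2.0",
    ("org.example", "parser-lib"): "MIT",
    ("org.example", "gpl-util"): "GPL-3.0",
}
RESTRICTIVE_LICENSES = {"GPL-3.0"}


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def build_bom(pom_xml: str) -> list:
    """Inventory every <dependency> declared in the POM (direct dependencies only;
    a full BOM would also resolve transitive ones through the build tool)."""
    root = ET.fromstring(pom_xml)
    bom = []
    for dep in root.iter(POM_NS + "dependency"):
        bom.append(Component(
            group=dep.findtext(POM_NS + "groupId", default="").strip(),
            artifact=dep.findtext(POM_NS + "artifactId", default="").strip(),
            # the version may be inherited from dependencyManagement; mark it unresolved
            version=dep.findtext(POM_NS + "version", default="UNRESOLVED").strip(),
        ))
    return bom


def evaluate_policy(bom, advisories, licenses, restrictive, max_cvss=7.0):
    """Return (coordinates, reason) pairs for every component that breaks policy:
    a known vulnerability scored at or above max_cvss, or a restrictive licence."""
    violations = []
    for comp in bom:
        key = (comp.group, comp.artifact)
        for affected_version, cvss in advisories.get(key, []):
            if affected_version == comp.version and cvss >= max_cvss:
                violations.append((comp.coordinates, f"known vulnerability, CVSS {cvss}"))
        licence = licenses.get(key, "UNKNOWN")
        if licence in restrictive:
            violations.append((comp.coordinates, f"restrictive license {licence}"))
    return violations


if __name__ == "__main__":
    bom = build_bom(SAMPLE_POM)
    print("Bill of materials:")
    for comp in bom:
        print("  ", comp.coordinates)
    for coords, reason in evaluate_policy(bom, ADVISORIES, LICENSES, RESTRICTIVE_LICENSES):
        print("VIOLATION", coords, "-", reason)
```

Running the script on the constructed POM lists three components and reports two violations: parser-lib 0.9.3 for a CVSS 9.8 advisory and gpl-util 1.4 for its licence. Wiring the same evaluation into the build (step 2) and surfacing the result in the IDE (step 3) is what turns the one-off inventory into the continuous approach the deck describes.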
CHECK THE QUALITY AND INTEGRITY OF EVERY BUILD
Jenkins integration: run history and status of each build across multiple applications. Builds may be stable or unstable; build successes and failures are also shown. Nexus Lifecycle policy violations and vulnerability levels are displayed within the Jenkins CI dashboard.
EMPOWER DEVELOPERS FROM THE START
Shift left = ZTTR (Zero Time to Remediation): analyze all components from within your IDE. License, security and architecture data for each component, evaluated against your policy.
Content available on:
• Emerasoft's SlideShare channel
• Emerasoft's YouTube channel
• Visit our website emerasoft.com
What's next
Contact us: [email protected]
Email: [email protected]
Q&A?
Follow our channels…
Contacts
Emerasoft Srl
via Po, 1 – 10124 Torino; via del Poggio Laurentino, 118 – 00144 Roma
T +39 011 0120370, T +39 06 87811323, F +39 011 3710371
Thank you…