The Illusion of Control: Seven Deadly Wastes in Your DevOps Practice
TRANSCRIPT
![Page 1: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/1.jpg)
The Illusion of Control: Seven Deadly Wastes in Your DevOps Practice
Matthew Barker, Technical Director and DevOpsSec Advocate, @matthewabq, [email protected], https://www.sonatype.com/assessments/application-health-check/start
![Page 2: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/2.jpg)
Where’s That Software Supply Chain?
![Page 3: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/3.jpg)
It is not necessary to change. Survival is not mandatory.
Edwards Deming
![Page 4: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/4.jpg)
Supply Chain Principles
1. Use the highest quality parts
2. Use fewer and better suppliers
3. Track what you use and where
![Page 5: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/5.jpg)
106,000 Organizations Analyzed
Source: 2015 State of the Software Supply Chain Report
![Page 6: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/6.jpg)
Quality? Security? Maintainability? Repeatability?
Raw innovation: innovation at any cost
Net innovation: net value to the organization
![Page 7: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/7.jpg)
We all have a SOFTWARE SUPPLY CHAIN
![Page 8: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/8.jpg)
POLLING QUESTION
What percent of modern apps are composed of open source components?
a. 10 - 20%
b. 50 - 60%
c. 80 - 90%
![Page 9: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/9.jpg)
How Dependent on 3rd Parties Are We?
Typical Application: 10% Custom Written Code, 90% From 3rd Parties (Open Source, Cloud Services, Closed Source)
![Page 10: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/10.jpg)
We all have a SOFTWARE SUPPLY CHAIN
![Page 11: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/11.jpg)
11 MILLION OSS USERS
1,109,005 OSS COMPONENTS
121,341 SUPPLIERS
CHANGE: Typical component is updated 3 – 4x per year
Source: 2015 State of the Software Supply Chain Report
![Page 12: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/12.jpg)
POLLING QUESTION
On average, how many open source suppliers do companies work with?
a. 5,372
b. 7,601
c. 15,118
![Page 13: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/13.jpg)
Suppliers Serving Manufacturers
Source: 2015 State of the Software Supply Chain Report

| | Orders (downloads) | Suppliers (artifacts) | Parts (versions) |
|---|---|---|---|
| Year Average | 240,757 | 7,601 | 18,614 |
![Page 14: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/14.jpg)
59%: never repaired
41%: 390 days (median 265 days); CVSS 10s: 224 days
<7: the best were remediated in under a week.
Source: USENIX, https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
@sonatype
![Page 15: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/15.jpg)
We all have a SOFTWARE SUPPLY CHAIN
![Page 16: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/16.jpg)
Sample of Open Source Repositories

| Repository | 2014 Volume of Download Requests |
|---|---|
| Central.sonatype.org | 17,213,084,947 |
| Npmjs.org | 15,460,748,856 |
| NuGetGallery.com | 280,124,916 |
| Bintray.com | 250,000,000 |
Source: 2015 State of the Software Supply Chain Report
![Page 17: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/17.jpg)
Source: 2015 State of the Software Supply Chain Report
Public Repos
Local Repo
Build Tool
Public Repos
Build Tool
PATTERN #1
PATTERN #2
![Page 18: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/18.jpg)
POLLING QUESTION
What percent of components are sourced from public repositories vs. local repositories?
a. 15%
b. 35%
c. 95%
![Page 19: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/19.jpg)
Public Repos
Local Repo
Build Tool
Public Repos
Build Tool
Source: 2015 State of the Software Supply Chain Report
95% of downloads
5% of downloads
![Page 20: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/20.jpg)
We all have a SOFTWARE SUPPLY CHAIN
![Page 21: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/21.jpg)
POLLING QUESTION
What percent of organizations do not have a policy governing quality and integrity of components?
a. 25%
b. 55%
c. 95%
![Page 22: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/22.jpg)
Half of organizations continue to run without an open source policy.
Q: Does your organization have an open source policy?
Source: 2012, 2013, 2014 Sonatype Open Source Development and Application Security Survey
![Page 23: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/23.jpg)
1-in-10 had or suspected an open source related breach in the past 12 months
![Page 24: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/24.jpg)
Download Volumes of Old CVEs

| Average downloads | # of known vulnerabilities | % of known vulnerabilities | % known vulnerabilities (2013 or older) |
|---|---|---|---|
| 240K | 15K | 7.5% | 66.3% |
Source: 2015 State of the Software Supply Chain Report
![Page 25: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/25.jpg)
Source: 2015 State of the Software Supply Chain Report
For the top 100 components: 27 average number of outdated versions downloaded
![Page 26: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/26.jpg)
We all have a SOFTWARE SUPPLY CHAIN
![Page 27: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/27.jpg)
1,500+ Applications Analyzed
![Page 28: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/28.jpg)
The Average Application Contains:
106 components
24 known vulnerabilities
9 restrictive licenses
![Page 29: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/29.jpg)
Some really bad components in our applications

| Component | Description | CVSS v2 Base Score | Exploitability | CVE Date | Organizations that downloaded it since | Downloads since |
|---|---|---|---|---|---|---|
| Bouncy Castle | Java Cryptography API | 10.0 HIGH | 10.0 | 11/10/2007 | 11,236 | 214,484 |
| HttpClient | Java HTTP implementation | 5.8 MEDIUM | 8.6 | 11/04/2012 | 29,468 | 3,749,193 |
| Apache Struts 2 | Web application framework | 9.3 HIGH | 10 | 07/20/2013 | 4,076 | 179,050 |
Source: Sonatype, Inc. analysis of (Maven) Central downloads and NIST National Vulnerability Database
![Page 30: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/30.jpg)
SEVEN DEADLY DEVOPS WASTES
![Page 31: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/31.jpg)
Most DevOps deadly sins are caused by GO FAST AT ANY COST
![Page 32: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/32.jpg)
WASTE NUMBER 1: Ignore your software supply chain
![Page 33: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/33.jpg)
WASTE NUMBER 2: Use any supplier and many component versions
![Page 34: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/34.jpg)
WASTE NUMBER 3: Fail to use a local repository manager
![Page 35: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/35.jpg)
WASTE NUMBER 4: Choose components irrespective of quality or risk
License / Features
![Page 36: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/36.jpg)
WASTE NUMBER 5: Depend on a manual component approval process
![Page 37: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/37.jpg)
WASTE NUMBER 6: Fail to track component usage
![Page 38: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/38.jpg)
… AND THE LAST DEADLY WASTE: Fail to monitor your released applications
![Page 39: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/39.jpg)
Supply Chain Principles
1. Use the highest quality parts
2. Use fewer and better suppliers
3. Track what you use and where
![Page 40: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/40.jpg)
1. Use fewer and better suppliers
ZTTR (Zero Time to Remediation)
![Page 41: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/41.jpg)
2. Choose quality components
@matthewabq
![Page 42: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/42.jpg)
3. Track what you use and where
bit.ly/softwareBOM
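The last two wastes (failing to track component usage and failing to monitor released applications) and principle 3 come down to one mechanism: keep a bill of materials for every application and re-check it against new advisories and new releases. The script below is an added illustration of that loop; it is not from the talk and is not Sonatype's tooling. It reads the dependencies declared in a Maven POM into a BOM, flags entries that fall below a vulnerability advisory's fixed version, reports how long each advisory has been open (the "since then" figure in the Bouncy Castle, HttpClient and Struts 2 slide), and flags entries behind the newest published version. The POM, the advisory feed (`SAMPLE_VULN_FEED`), the version index (`LATEST_VERSIONS`), all coordinates, and the `CVE-PLACEHOLDER-*` ids are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Constructed sample POM; the coordinates are placeholders, not real artifacts.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>shop</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example.crypto</groupId><artifactId>crypto-lib</artifactId><version>1.2</version></dependency>
    <dependency><groupId>org.example.http</groupId><artifactId>http-client</artifactId><version>4.1</version></dependency>
    <dependency><groupId>org.example.web</groupId><artifactId>web-fw</artifactId><version>2.5</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: versions below fixed_in are affected. Placeholder ids.
SAMPLE_VULN_FEED = [
    {"group": "org.example.crypto", "artifact": "crypto-lib", "fixed_in": "1.3",
     "id": "CVE-PLACEHOLDER-0001", "published": date(2014, 6, 1)},
    {"group": "org.example.web", "artifact": "web-fw", "fixed_in": "2.6",
     "id": "CVE-PLACEHOLDER-0002", "published": date(2015, 3, 15)},
    # Already fixed in the version the POM uses (4.1 >= 4.0): this must not fire.
    {"group": "org.example.http", "artifact": "http-client", "fixed_in": "4.0",
     "id": "CVE-PLACEHOLDER-0003", "published": date(2012, 11, 4)},
]

# Constructed index of the newest published version per component.
LATEST_VERSIONS = {
    ("org.example.crypto", "crypto-lib"): "1.5",
    ("org.example.http", "http-client"): "4.1",
    ("org.example.web", "web-fw"): "2.6",
}

# Fixed "today" so the exposure ages below are reproducible.
AS_OF = date(2016, 1, 1)


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser works with and without xmlns."""
    return tag.split("}")[-1]


def parse_pom(pom_xml: str) -> list:
    """Declared dependencies as Components, in POM order. Simplification: a real
    BOM must come from the resolved dependency tree (transitive components too)."""
    root = ET.fromstring(pom_xml)
    components = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        components.append(Component(fields["groupId"], fields["artifactId"], fields["version"]))
    return components


def version_key(version: str) -> tuple:
    """Numeric sort key for dotted versions: '4.1.2-beta' -> (4, 1, 2).
    Qualifiers are dropped, a deliberate simplification of Maven ordering."""
    key = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        key.append(int(piece))
    return tuple(key)


def is_affected(version: str, fixed_in: str) -> bool:
    return version_key(version) < version_key(fixed_in)


def find_known_vulns(components, feed, as_of: date) -> list:
    """Match BOM entries against the feed. days_open counts from the advisory's
    publication date to as_of: how long the exposure has been known."""
    findings = []
    for comp in components:
        for vuln in feed:
            same = (vuln["group"], vuln["artifact"]) == (comp.group, comp.artifact)
            if same and is_affected(comp.version, vuln["fixed_in"]):
                findings.append({"component": comp.coordinate(), "id": vuln["id"],
                                 "fixed_in": vuln["fixed_in"],
                                 "days_open": (as_of - vuln["published"]).days})
    return findings


def find_outdated(components, latest: dict) -> list:
    """(coordinate, newest) for components behind the newest published version."""
    outdated = []
    for comp in components:
        newest = latest.get((comp.group, comp.artifact))
        if newest and version_key(comp.version) < version_key(newest):
            outdated.append((comp.coordinate(), newest))
    return outdated


def summarize(pom_xml: str, feed, latest: dict, as_of: date) -> dict:
    components = parse_pom(pom_xml)
    return {"bom": [c.coordinate() for c in components],
            "vulnerabilities": find_known_vulns(components, feed, as_of),
            "outdated": find_outdated(components, latest)}


if __name__ == "__main__":
    report = summarize(SAMPLE_POM, SAMPLE_VULN_FEED, LATEST_VERSIONS, AS_OF)
    print("BOM:", *report["bom"], sep="\n  ")
    for f in report["vulnerabilities"]:
        print(f"VULN {f['component']} {f['id']} fixed in {f['fixed_in']}, open {f['days_open']} days")
    for coord, newest in report["outdated"]:
        print(f"OUTDATED {coord} -> {newest}")
```

Run as-is and it reports two vulnerable entries (crypto-lib, open 579 days; web-fw, open 292 days) and two outdated entries; http-client is silent because 4.1 is at or above both the fixed version and the newest release. The value of the BOM is that this same check can be re-run against tomorrow's feed for an application that shipped months ago, which is the monitoring the last waste is about; the version-ordering and POM-only parsing are simplifications noted in the comments.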
![Page 43: The Illusion of Control: Seven Deadly Wastes in Your Devops Practice](https://reader035.vdocuments.mx/reader035/viewer/2022070512/589ed2921a28ab47138b717d/html5/thumbnails/43.jpg)
John Willis, DevOps Days Core Organizer
Gareth Rushgrove, Puppet Labs
Nigel Simpson, F-100 Entertainment Giant
@matthewabq