Continuous Acceleration: Accelerating Innovation with Software Supply Chain Management. Ilkka Turunen – SOLUTIONS ARCHITECT EMEA / APJ
Spoiler: We can learn from this: Automation, Integration, Ecosystems
A driving force: Supporting millions of developers worldwide. 72k / 9M / 31B. Maven Central, Nexus Repos, Nexus Lifecycle: easy to build, easy to share, easy to manage, easy to automate
NEXUS at the of Continuous
Marc Andreessen, 2011. 10/23/2013 @joshcorman
Software is an innovation differentiator
Continuous Integration, Agile, Open Source, DevOps, Lean, Internet of Things, Modularity, Continuous Delivery, Software Factories
https://www.flickr.com/photos/wwworks/2472232245/
Raw innovation: innovation at any cost. Net innovation: net value to the organization. Quality? Security? Maintainability? Repeatability?
Modern Applications Are 90% open source code. State of the Software Supply Chain Report 2015
According to the State of the Software Supply Chain report…. State of the Software Supply Chain Report 2015
Embrace proven supply chain principles
The Missing Link
Your software supply chain is complicated: hundreds of thousands of open source suppliers and millions of components
Houston, we have a problem. In 2014, organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 42,124 times into XXXX applications… 7 years after the vulnerability was fixed. (NVD entry shown on the slide: National Cyber Awareness System, CVE-2007-6721, Bouncy Castle Java Cryptography API, Original Notification Date: 03/30/2009, CVSS v2 Base Score: 10.0 HIGH, Impact Subscore: 10.0, Exploitability Subscore: 10.0.)
Large Enterprise Customer in Financial Sector. CVE Downloads / Central Downloads: 900k / 60k. Industry Average: 6.22%
Asus – Possible $206M future fine. • 12,937 vulnerable routers found • Login credentials for 3,131 stolen • Future fine $16,000 per instance. ASUS must get in contact with existing customers to tell them about the need for firmware upgrades and to tell them about bug fixes within 30 days of them becoming available. If it violates this, the firm will have to pay $16,000 for every instance where it fails in the future. Source: http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/
What if manufacturers built cars the way we build software: without supply chain visibility, process and automation … Manufacturers can choose any supplier they want for any given part, regardless of quality. Any part could be chosen even if it is outdated or known to be unsafe. There is no inventory of the parts that were used, or where. Since parts aren't tracked, it's challenging to issue a recall. There is no quality control or consistency from car to car.
Supply chain advantage. Source: Toyota Supply Chain Management: A Strategic Approach to Toyota's Renowned System, by Ananth Iyer and Sridhar Seshadri
Supply chain advantage (Toyota Prius vs. Chevy Volt)
                        Toyota Advantage   Toyota Prius   Chevy Volt
Unit Retail Price       61%                $24,200        $39,900
Units Sold/Month        13x                23,294         1,788
In-House Production     50%                27%            54%
Plant Suppliers         16%                125            800
Firm-Wide Suppliers     4%                 224            5,500
Speed, efficiency & quality for agile, continuous, and DevOps. Automate your software supply chain with three proven principles: use better & fewer suppliers; use higher quality parts; track what you use and where.
Speed, efficiency & quality for agile, continuous, and DevOps. Optimize the movement of parts, assemblies, and finished goods from development to delivery.
Enterprise Requirements: hundreds to thousands of applications; hundreds to tens of thousands of developers; diverse ecosystem support.
Automation – THE KEY TO OPERATING AT SCALE. In order to automate: • Precise identification is essential • Metadata must be machine actionable • Policies must conform to the business
Integration – MAKE DEVELOPERS MORE PRODUCTIVE—NOT LESS. In order to empower: • Real-time information delivery • Information must be intuitive and actionable • Corrective action must be in context
Ecosystems – MUST SUPPORT DIVERSE TECHNOLOGY ENVIRONMENTS. In order to support: • Coordinate system must be abstracted • Crowd must drive data research • Must support other requirements for scale
Antipatterns: infrastructure bound to a single ecosystem; humans in the flow of analysis and (re)action; asynchronous audits driving unplanned, unscheduled rework
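As an added example (not Sonatype's code and not how Nexus Lifecycle is implemented), the Python below applies the three requirements above as a synchronous build gate: components are identified by exact Maven coordinates, advisory metadata is machine-readable, and a business policy threshold decides the outcome; the inventory then answers "what do we use, and where" when a new advisory arrives. The advisory feed, application lists, component names and the CVSS thresholds are all constructed assumptions.

```python
# Assumed business policy thresholds (CVSS v2 base score, as on the slide).
FAIL_SCORE = 7.0   # block the build
WARN_SCORE = 4.0   # warn but allow

# Constructed advisory feed keyed by exact Maven coordinates
# (group:artifact:version) -> (advisory id, CVSS base score).
# Names, versions and ids are made up; no real project is described.
ADVISORIES = {
    "example.org:crypto-lib:1.0": ("EXAMPLE-2007-0001", 10.0),
    "example.org:xml-parser:2.3": ("EXAMPLE-2015-0042", 5.3),
}

# Constructed application inventories; two applications share crypto-lib 1.0.
APPLICATIONS = {
    "payments": ["example.org:crypto-lib:1.0", "example.org:xml-parser:2.3"],
    "reporting": ["example.org:crypto-lib:1.0", "example.org:json-lib:3.1"],
    "website": ["example.org:json-lib:3.1"],
}


def evaluate(components, advisories=ADVISORIES):
    """Synchronous build gate for one application.

    Returns (action, findings) where findings lists
    (coordinates, advisory id, score) for every exact match.
    """
    findings = [(c,) + advisories[c] for c in components if c in advisories]
    worst = max((score for _, _, score in findings), default=0.0)
    if worst >= FAIL_SCORE:
        return "fail", findings
    return ("warn" if worst >= WARN_SCORE else "pass"), findings


def build_inventory(applications):
    """Track what is used and where: coordinates -> set of application names."""
    inventory = {}
    for app, components in applications.items():
        for c in components:
            inventory.setdefault(c, set()).add(app)
    return inventory


def affected_applications(inventory, advisories=ADVISORIES):
    """Recall list: advisory id -> applications that must be rebuilt, so a
    new advisory is matched against the inventory instead of rescanning."""
    affected = {}
    for coords, apps in inventory.items():
        if coords in advisories:
            affected.setdefault(advisories[coords][0], set()).update(apps)
    return affected
```

Matching is on exact coordinates only; a real feed carries version ranges, which would need a version comparison in `evaluate`.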
Tools for Software Integrity: two very distinctly different classes of technology. Asynchronous: • Very comprehensive • Requires human analysis. Synchronous: • Comprehensive at wire speed • Machines automate action.
Nexus Lifecycle – Where do you fit in? (Diagram; recoverable labels: Sonatype, Security, OSS Operations, Policy Center, IQ Server, Policy Board, Project Owner, Developers, Managers, Nexus repo; Security Alerts, Monitor, Manage Policy, Policy Exception Handling, Build, Reports, Create, Fix; OSS Components, Third Party Components, Production Components.)
Nexus platform of Software Supply Chain solutions: Nexus Lifecycle, Nexus Auditor, Nexus Firewall, Nexus Repository. Build, Stage, Release. Nexus Lifecycle (supply chain automation)
Tools for Software Integrity. Asynchronous Software Composition Analysis: Scan → Wait → Analyze → Stop → React → Scan → Wait → Analyze → Stop → React … Synchronous Software Supply Chain Automation: Attributes of Acceptability; Automation in the Tool Chain; Continuously; Traceability.
THANK YOU! Come say hi to us at Booth #3 in the Benjamin Britten Lounge. State of the Software Supply Chain 2015: http://www.sonatype.com/speedbumps