Welcome!

@DevOpsSummit Authors: Yeshim Deniz, Zakia Bouachraoui, Liz McMillan, Elizabeth White, Pat Romanski

Related Topics: @DevOpsSummit, Microservices Expo, Containers Expo Blog, Cloud Security

@DevOpsSummit: Article

Software Supply Chain Report | @DevOpsSummit #DevOps #ContinuousTesting

Analysis of 25,000 applications reveals 6.8% of packages / components used included known defects

Analysis of 25,000 applications reveals 6.8% of packages/components used included known defects. Organizations standardizing on components between 2 - 3 years of age can decrease defect rates substantially.

Open source and third-party packages/components live at the heart of high velocity software development organizations.  Today, an average of 106 packages / components comprise 80 - 90% of a modern application, yet few organizations have visibility into what components are used where.

Use of known defective components leads to quality and security issues within applications. While developers save tremendous amounts of time by sourcing software components from outside their organizations, they often don't have time to check those component versions against known vulnerability databases or internal policies.

In Sonatype's 2016 State of the Software Supply Chain report, analysis of 25,000 scans reveals that 1 in 16 (6.8%) components being used in applications contained at least one known security vulnerability.  This finding demonstrates that defective components are making their way across the entire software supply chain -- from initial sourcing to use in finished goods.

Screen Shot 2016-08-01 at 10.53.06 AM.png

Newer components make better software
Analysis of the scanned applications also revealed that the latest versions of components had the lowest percentage of known defects. Components under three years in age represented 38% of parts used in the average application; these components had security defect rates under 5%.

By comparison, components between five and seven years old had 2x the known security defect rate. The 2016 Verizon Data Breach and Investigations Report confirms that the vast majority of successful exploits last year were from CVE's (Common Vulnerabilities and Exposures) published 1998 - 2013. Combining the Verizon data with Sonatype's analysis further demonstrates the economic value of using newer, higher quality components.

Screen Shot 2016-08-01 at 11.03.29 AM.png

In summary, components greater than two years old represent 62% of all components scanned and account for 77% of the risk. Better component selection not only improves the quality of the finished application, it also reduces the number of break-fixes and unplanned work to remediate the defects.

Older components die off
Research shows that new versions of open source components are released an average of 14x per year. The new versions deliver greater functionality, improved performance, and fewer known defects. Just as in traditional manufacturing, using the newest versions of any part typically results in a higher quality finished product.

In their 2016 report, Sonatype discovered that component versions seven years or older made up approximately 18% of the footprint of the 25,000 application scans. For the older components, analysis showed that as many as 23% were on the latest version -- meaning, the open source projects for those components were inactive, dead...or perhaps they are just incredibly stable.

Screen Shot 2016-08-01 at 11.04.16 AM.png

Discovery of components with known security vulnerabilities or other defects used in applications is not something anyone desires. Unfortunately, when these defects are discovered in older components, chances of remediating the issue by upgrading to a newer component version are greatly diminished. If a new version does not exist, only a few options exist:

  1. Keep the vulnerable component in the application

  2. Wwitch to a newer like component from another open source project

  3. Make a software change to add a mitigating control, or

  4. Code the functionality required from scratch in order to replace the defect.

None of these options comes without a significant cost.
As discussed in Cisco's 2015 Midyear Security Report, "With open-source software in place in many enterprises, security professionals need to gain a deeper understanding of where and how open-source is used in their organizations, and whether their open-source packages or libraries are up to date. This means that, moving forward, software supply chain management becomes even more critical."

More information about software supply chain management practices and open source component quality can be found in the 2016 State of the Software Supply Chain Report.

More Stories By Derek Weeks

In 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 160,000 development organizations. He is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce costs, and sustain long-lasting competitive advantages.

As a 20+ year veteran of the software industry, he has advised leading businesses on IT performance improvement practices covering continuous delivery, business process management, systems and network operations, service management, capacity planning and storage management. As the VP and DevOps Advocate for Sonatype, he is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Follow him here @weekstweets, find me here www.linkedin.com/in/derekeweeks, and read me here http://blog.sonatype.com/author/weeks/.

@DevOpsSummit Stories
Sanjeev Sharma Joins November 11-13, 2018 @DevOpsSummit at @CloudEXPO New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a multi-faceted approach of strategy and enterprise business development. Andrew graduated from Loyola University in Maryland and University of Auckland with degrees in economics and international finance.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.