A Practitioners Tale: Uniting Dev, Sec, And Ops TribesCurtis YankoSr. Principal Architect

A Bit About Me

• Started programming in the 1970’s• I’ve seen the rise of and used…

• ...OOP, 4th Gen languages, UML, XP, Agile, ERP, SOA, CI, CD...• Started programming proffessionally in the 1990’s

• ...like a lot of junior programmers I got stuck with the build/SCM• Did Enterprise CI at a Fortune 25 company• Did CI/CD at a Fortune 100 company• Launched a DevOps Center of ‘Enablement’

For Fun

• Night Hikes• Board game night• Ultimate Frisbee• Volunteer for ECAD to help raise

and train service dogs• @onCommit• DevOps in the Enterprise on

Flipboard

Agenda

• Why we should care• Practitioners Tale

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Seriously?

Count of exploited CVE’s in 2014 by year published

8 years later, vulnerable versions of Bouncy Castle were downloaded…

5.8M times

CVE-2007-6721CVSS Base Score: 10.0 HIGHImpact Subscore: 10.0Exploitability Subscore: 10.0

2007 2015

USE THE HIGHEST QUALITY PARTS

Why Sec hates Dev

Security can’t keep up with the pace of modern development practices and the complexities of component dependencies.

229,898downloads

orders

5,275components - all versions

parts

2,071components

suppliers

Analysis of 3,000 organizations

Why Dev hate Sec

Developers don’t like security slowing them down by dumping scan reports on them weeks or months after the fact

SOFTWARE IS MANUFACTURED FROM PARTS

“Software is eating the world”

-- Marc Andreesen

“If you want to make enemies, try to change something”

-- Woodrow Wiilson

Empathy

A pictureCI CD

Public Repos

Binary RepoBuild

Source Code Deploy

Dev

QA

UAT

Prod

Software Factory & Component Based Development

INNOVATION WAVE IN YOUR SOFTWARE

FACTORY

WhatvsHow There is a difference

between Policies and Governance

AUTOMATE AUTOMATE AUTOMATE

DESIGN A FRICTIONLESS APPROACH

@sonatype

CREATE A SOFTWARE BILL OF MATERIALS

bit.ly/softwareBOM@sonatype

ZTTR (Zero Time to Remediation)

EMPOWER DEVELOPERS FROM THE START

@weekstweets

Say Hello to Your Software Supply Chain…

Automate your software supply chain with three proven principles:

Use higher quality parts

Use better & fewer suppliers

Track what you use and where

Fast Forward

Forrester Report

Thank You!