INAIL and cybersecurity culture: from DevSecOps to application protection. Digital event organised by Emerasoft and Sonatype, streamed online on 26 November.
Presentation by Sonatype: Advanced Development Pack.
To watch the event again: https://youtu.be/gCPK6iydIcE
Want to know more? Go to www.sonatype.com or write to sales@emerasoft.com for a personalised consultation.
2. Putting Power Into the Hands of the Developers: The Market Shift
[Chart: share of purchasing sponsor, Development vs Security, 2015 to 2025. 2015: Dev sponsor ~10%, Security sponsor ~90%. 2020: Dev sponsor ~40%, Security sponsor ~60%. 2025: Dev sponsor ~80%, Security sponsor ~20%.]
Security side: Security acts as a gate for code deployment. We were historically successful selling here. (They have been historically ineffective at truly integrating into development.)
Development side: Empower the developers. Integrated and automated end-to-end quality. We are highly differentiated in this market.
3. Making Developers’ Lives Easier
CHOOSE THE BEST COMPONENTS: Smarter component selection with our new Exemplar ratings for OSS projects.
AVOID SUSPICIOUS PACKAGES: Decrease the risk of a security breach or defective code by blocking potentially malicious and harmful OSS releases from entering production environments.
KNOW WHAT WILL BREAK: Fewer breaking changes and policy violations with simple OSS upgrades and insight into the level of effort between version migrations.
FIX DEPENDENCIES FASTER: Improved dependency management with single-click upgrades and guidance on when to upgrade a dependency and why.
4. Benefits
● Less rework and maintenance due to a higher-quality “pool” of components and contextual understanding of what fits organizational requirements.
● Improved Project Quality with early warning of suspicious behavior in code and access to components from the best suppliers.
● Increased Bandwidth and Time to Innovate due to reduction in time spent researching quality OSS components.
● Decreased “Level of Effort” when upgrading to the next best OSS component with our recommendations and single-click migrations.
6. Capability Overview
Component Chooser: Enables development teams to select the highest-quality OSS components for their projects. They can search and compare components based on hygiene ratings (exemplar, laggard, neutral), view additional component insights, and see what’s already being used/approved within their organization.
Transitive Solver: Gives a recommended version for the direct dependency which also resolves the transitive dependency without violating policy or breaking builds.
Breaking Changes: Provides teams with data on “what” will break and how much effort it’ll take to upgrade between current and newer versions.
Release Integrity: Enhances Nexus Firewall’s capabilities to automatically detect and block suspicious and potentially malicious OSS components before they enter the development environment.
Fix Faster: We’ll suggest the best ways to resolve problems more effectively when they come up.
Develop Seamlessly: Make better decisions about components being used in the applications.
7. Showing You Only the Best OSS Components: Health & Hygiene Data
Ratings include:
● Exemplar
● Neutral
● Laggard
Select the best quality components based on component cleanliness, committer behavior, etc. Easily compare the viability of different components based on their rating.
8. Release Integrity
Early warning and identification of next-gen software supply chain attacks (currently npm only). Avoid threats like typosquatting and malicious code injection. Component risk score to assess the level of risk you could take on by choosing that component. Release Integrity with Firewall.
9. Breaking Changes Intelligence
Prioritize component upgrades by development effort. Pinpoint simple upgrades and assess upgrade challenges. Quickly find the best version upgrade without “breaking” the project.
10. Transitive Solver
Comprehensive view into your open source risk profile. Easily solve for direct and transitive dependency violations without failing builds or violating policies. One-click remediation and improved prioritization.
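The two ideas on slides 9 and 10 (pick the direct-dependency version that clears a transitive policy violation, then rank the upgrades by effort) can be sketched as a small solver. This is an added illustration, not Sonatype's code; the dependency tree, the policy list and the semver-based effort heuristic are constructed for the example.

```python
# Added illustration of a transitive solver with effort ranking.
# Not Sonatype's code: data and the effort heuristic are constructed.
from typing import Optional

# Constructed sample: for each direct dependency, the transitive
# dependency each of its versions pulls in.
DEP_TREE = {
    "web-framework": {
        "1.2.0": {"json-parser": "2.0.1"},
        "1.3.0": {"json-parser": "2.0.1"},  # still pulls the bad version
        "1.4.0": {"json-parser": "2.1.0"},  # minor bump clears it
        "2.0.0": {"json-parser": "3.0.0"},  # clears it too, but major bump
    },
    "http-client": {
        "0.9.0": {"tls-lib": "1.0.0"},
        "1.0.0": {"tls-lib": "1.1.0"},      # only a major bump clears it
    },
}
# Constructed policy: (component, version) pairs that must not ship.
POLICY_VIOLATIONS = {("json-parser", "2.0.1"), ("tls-lib", "1.0.0")}


def parse(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def upgrade_effort(current: str, candidate: str) -> int:
    """Semver-style effort heuristic: major bump 3, minor 1, patch 0."""
    cur, cand = parse(current), parse(candidate)
    if cand[0] != cur[0]:
        return 3
    return 1 if cand[1] != cur[1] else 0


def violations(direct: str, version: str) -> set:
    """Policy hits introduced by this direct version, itself included."""
    pulled = {(direct, version), *DEP_TREE[direct][version].items()}
    return pulled & POLICY_VIOLATIONS


def recommend(direct: str, current: str) -> Optional[str]:
    """Least-effort newer version that is clean for direct and transitive deps."""
    clean = [v for v in DEP_TREE[direct]
             if parse(v) > parse(current) and not violations(direct, v)]
    if not clean:
        return None
    return min(clean, key=lambda v: (upgrade_effort(current, v), parse(v)))


def prioritize(manifest: dict) -> list:
    """Rank violating direct dependencies by upgrade effort, unfixable last."""
    plan = []
    for direct, current in manifest.items():
        if violations(direct, current):
            target = recommend(direct, current)
            effort = upgrade_effort(current, target) if target else None
            plan.append((direct, current, target, effort))
    return sorted(plan, key=lambda row: (row[3] is None, row[3] or 0))
```

Note that `1.3.0` is skipped even though it is newer, because it still drags in the violating `json-parser` release; the solver prefers the minor bump to `1.4.0` over the major bump to `2.0.0`.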
15. What Makes a Project Exemplary? Constructing the Data Set
Small Exemplar: Small development teams (1.6 devs), exemplary MTTU, likely to be commercially supported and 4.3x more popular.
Large Exemplar: Large development teams (8.3 devs), exemplary MTTU, likely to be foundation supported, 2.5x more popular.
Laggard: Poor MTTU, high stale dependency count, more likely to be commercially supported.
Features First: Frequent releases, but poor TTU. Still reasonably popular.
Cautious: Good TTU, but seldom completely up to date.