Software Supply Chain Report | @DevOpsSummit #DevOps #ContinuousTesting
Analysis of 25,000 applications reveals 6.8% of packages / components used included known defects

Analysis of 25,000 applications reveals that 6.8% of the packages/components used included known defects. Organizations standardizing on components between 2 and 3 years of age can decrease defect rates substantially.

Open source and third-party packages/components live at the heart of high-velocity software development organizations. Today, an average of 106 packages/components make up 80-90% of a modern application, yet few organizations have visibility into which components are used where.

Use of known defective components leads to quality and security issues within applications. While developers save tremendous amounts of time by sourcing software components from outside their organizations, they often don't have time to check those component versions against known vulnerability databases or internal policies.

In Sonatype's 2016 State of the Software Supply Chain report, analysis of 25,000 scans reveals that 1 in 16 (6.8%) of the components used in applications contained at least one known security vulnerability. This finding demonstrates that defective components are making their way across the entire software supply chain -- from initial sourcing to use in finished goods.

Newer components make better software
Analysis of the scanned applications also revealed that the latest versions of components had the lowest percentage of known defects. Components under three years in age represented 38% of parts used in the average application; these components had security defect rates under 5%.

By comparison, components between five and seven years old had 2x the known security defect rate. The 2016 Verizon Data Breach and Investigations Report confirms that the vast majority of successful exploits last year were from CVEs (Common Vulnerabilities and Exposures) published between 1998 and 2013. Combining the Verizon data with Sonatype's analysis further demonstrates the economic value of using newer, higher quality components.

In summary, components greater than two years old represent 62% of all components scanned and account for 77% of the risk. Better component selection not only improves the quality of the finished application, it also reduces the number of break-fixes and unplanned work to remediate the defects.

Older components die off
Research shows that new versions of open source components are released an average of 14x per year. The new versions deliver greater functionality, improved performance, and fewer known defects. Just as in traditional manufacturing, using the newest versions of any part typically results in a higher quality finished product.

In its 2016 report, Sonatype discovered that component versions seven years or older made up approximately 18% of the footprint of the 25,000 application scans. Among these older components, analysis showed that as many as 23% were on the latest version -- meaning the open source projects behind those components were inactive, dead...or perhaps they are just incredibly stable.

Discovery of components with known security vulnerabilities or other defects in an application is not something anyone desires. Unfortunately, when these defects are discovered in older components, the chances of remediating the issue by upgrading to a newer component version are greatly diminished. If a new version does not exist, only a few options remain:

  1. Keep the vulnerable component in the application

  2. Switch to a newer, similar component from another open source project

  3. Make a software change to add a mitigating control, or

  4. Code the required functionality from scratch in order to replace the defective component.

None of these options comes without a significant cost.
As discussed in Cisco's 2015 Midyear Security Report, "With open-source software in place in many enterprises, security professionals need to gain a deeper understanding of where and how open-source is used in their organizations, and whether their open-source packages or libraries are up to date. This means that, moving forward, software supply chain management becomes even more critical."
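The two measurements the article leans on (defect rate and share of risk by component age, and the "older than two years" footprint-versus-risk cut) plus the version check the Cisco quote calls for can be reproduced over a component inventory. The script below is an added example, not code from Sonatype or the report; the inventory, the scan date and the age-policy threshold of three years are constructed assumptions, and `known_vulns` stands in for whatever a real vulnerability-database lookup returns.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

class Component(NamedTuple):
    name: str
    released: date         # release date of the version in use
    latest_released: date  # release date of the newest version the project has published
    known_vulns: int       # matches against a vulnerability database (e.g. CVE entries)

# Constructed sample inventory; not data from the report.
INVENTORY = [
    Component("lib-a", date(2016, 3, 1), date(2016, 3, 1), 0),
    Component("lib-b", date(2015, 6, 1), date(2016, 5, 1), 1),
    Component("lib-c", date(2012, 1, 1), date(2014, 2, 1), 2),
    Component("lib-d", date(2010, 4, 1), date(2010, 4, 1), 3),  # old and still "latest": inactive project
    Component("lib-e", date(2008, 5, 1), date(2009, 1, 1), 0),
]

def age_years(c, as_of=date(2016, 8, 1)):  # as_of: constructed scan date matching the report's timeframe
    return (as_of - c.released).days / 365.25
def age_bucket(c):
    return "<3y" if (y := age_years(c)) < 3 else "3-5y" if y < 5 else "5-7y" if y < 7 else ">=7y"
def risk_by_age(inventory):
    """Per age bucket: share of footprint, share of known vulns, and defect rate, all in percent."""
    total_vulns = sum(c.known_vulns for c in inventory) or 1
    buckets = defaultdict(lambda: {"n": 0, "vulns": 0, "defective": 0})
    for c in inventory:
        b = buckets[age_bucket(c)]
        b["n"] += 1; b["vulns"] += c.known_vulns; b["defective"] += int(c.known_vulns > 0)
    return {k: {"footprint_pct": round(100 * b["n"] / len(inventory), 1),
                "risk_pct": round(100 * b["vulns"] / total_vulns, 1),
                "defect_rate_pct": round(100 * b["defective"] / b["n"], 1)} for k, b in buckets.items()}
def older_than_share(inventory, years=2):
    """(footprint %, risk %) carried by components older than `years`: the report's headline cut."""
    old = [c for c in inventory if age_years(c) > years]
    return (round(100 * len(old) / len(inventory), 1),
            round(100 * sum(c.known_vulns for c in old) / (sum(c.known_vulns for c in inventory) or 1), 1))
def policy_findings(inventory, max_age_years=3):
    """Flags from checking each version against a vulnerability database and an age policy."""
    findings = defaultdict(list)
    for c in inventory:
        if c.known_vulns:
            findings[c.name].append("known-vulnerable")
        if c.latest_released > c.released:
            findings[c.name].append("upgrade-available")
        elif age_years(c) > max_age_years:  # old with no newer version: the hard case the article describes
            findings[c.name].append("stale-no-newer-version")
    return dict(findings)
```

On the constructed inventory, components older than two years are 60% of the footprint but carry 83.3% of the known vulnerabilities, and `lib-d` is the case where an upgrade is not available and one of the four costly options above is the only way out.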

More information about software supply chain management practices and open source component quality can be found in the 2016 State of the Software Supply Chain Report.

About Derek Weeks
In 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 160,000 development organizations. He is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce costs, and sustain long-lasting competitive advantages.

As a 20+ year veteran of the software industry, he has advised leading businesses on IT performance improvement practices covering continuous delivery, business process management, systems and network operations, service management, capacity planning and storage management. As the VP and DevOps Advocate for Sonatype, he is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Follow him at @weekstweets, find him at www.linkedin.com/in/derekeweeks, and read him at http://blog.sonatype.com/author/weeks/.
