Integrating Black Duck into your Agile DevOps Environment

Post on 16-Apr-2017


Integrating Black Duck in your Agile DevOps Environment

Utsav Sanghani, Product Manager, Black Duck Software

Black Duck Customer Conference

[Pipeline diagram: Development, Code Assimilation, Continuous Build & Test, Packaging, Configure & Release]

CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC


[Pipeline diagram as above]

CONVENTIONAL CHECKS HAPPEN VERY LATE IN THE SDLC; APPLICATIONS SHIP WITH VULNERABILITIES

[Pipeline diagram: Continuous Build & Test, Packaging, Configure & Release]

THE PROCESS IS MANUAL & NON LINEAR WITH ADDED TIME IN QUEUE BEFORE RELEASE

HOW ARE COMPANIES MANAGING OPEN SOURCE TODAY? NOT WELL.

TRACKING VULNERABILITIES
• No single responsible entity
• Manual effort and labor intensive
• Unmanageable (11/day)
• Match applications, versions, components, vulnerabilities

SPREADSHEET INVENTORY
• Depends on developer best effort or memory
• Difficult maintenance
• Not source of truth

MANUAL TABULATION
• Architectural Review Board
• Occurs at end of SDLC
• High effort and low accuracy
• No controls

VULNERABILITY DETECTION
• Run monthly/quarterly vulnerability assessment tools (e.g., Nessus, Nexpose) against all applications to identify exploitable instances


IT IS IMMENSELY ADVANTAGEOUS TO MOVE LEFT

1. REDUCED COSTS: Avoid human overhead costs
2. REDUCED TIME TO MARKET: In-process automation checks over post-processing
3. REDUCED RISK: Move checks to the left to facilitate higher remediation time with lower impact

DEV OPS

[Pipeline diagram: Development, Code Assimilation, Continuous Build & Test, Packaging, Configure & Release, with a FEEDBACK label between CI and Development]

A FEEDBACK LINK BETWEEN CI & DEVELOPMENT IS NEEDED TO SHIP COMPLIANT AND SECURE PRODUCTS

BLACK DUCK PROVIDES FEEDBACK: CI/BUILD IS THE PLACE TO PLUG IN AUTOMATED CHECKS (CURRENTLY)

[Pipeline diagram: Continuous Build & Test, Packaging, Configure & Release]

WHAT SHOULD YOU ASK YOUR BUILD/RELEASE TEAM?

• Does the build contain only approved open source components?
• How secure is the build? Does it have any known security vulnerabilities?
• Can we add diligence and remain agile?
• Where are you deploying the production builds?

JENKINS DEMO (7-10 MINS)

OBTAIN COMPREHENSIVE RESULTS INCLUDING DEPENDENCIES FROM BUILD TOOLS LIKE MAVEN/GRADLE

MANAGE CORRESPONDING ISSUES USING JIRA

MANAGING THE ENTIRE POST BUILD AUTOMATION ACROSS CI PLATFORMS


CONTINUOUS BUILD & INTEGRATION IS THE PLACE TO PLUG IN AUTOMATED CHECKS (2017)
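The questions the deck tells you to put to the build/release team (only approved open source components, no known security vulnerabilities, stay agile) and the claim that CI/build is the place for automated checks amount to a policy gate run over the build's resolved dependency list. The block below is an added example of such a gate written for this transcript; it is not Black Duck's product code, Jenkins plugin or API. It assumes the build step has produced Maven-style dependency:list output and that the team keeps an approved-component list, a license allow-list and a vulnerability feed; every component, version, license and the EX-000x vulnerability identifiers are constructed for illustration. It also covers the later ALERT slide (new vulnerabilities affecting you) by re-running an unchanged inventory against a newer feed.

```python
"""Open-source policy gate for a CI build.

Added example for this transcript; not Black Duck's product, plugin or API.
Assumes the build has produced Maven dependency:list style output and that
the organisation maintains approval, license and vulnerability data. All
components, versions, licenses and vulnerability ids below are constructed.
"""
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `mvn dependency:list` output
# (group:artifact:type:version:scope).
SAMPLE_MAVEN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    com.example:webcore:jar:2.1.0:compile
[INFO]    com.example:oldxml:jar:1.0.3:compile
[INFO]    org.example:gpl-helper:jar:4.2.0:runtime
[INFO]    com.example:testkit:jar:0.9.0:test
"""

# Constructed policy data standing in for the organisation's own lists.
APPROVED = {"com.example:webcore": {"2.1.0"}, "com.example:oldxml": {"1.0.3"},
            "com.example:testkit": {"0.9.0"}}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
LICENSE_CATALOG = {"com.example:webcore": "Apache-2.0",
                   "org.example:gpl-helper": "GPL-3.0-only"}  # oldxml deliberately absent


@dataclass(frozen=True)
class Vulnerability:
    component: str
    affected_versions: frozenset
    severity: str
    vuln_id: str  # constructed placeholder id, not a real CVE


# Two snapshots of a vulnerability feed: day 2 adds a finding against webcore.
VULN_FEED_DAY1 = [
    Vulnerability("com.example:oldxml", frozenset({"1.0.3"}), "MEDIUM", "EX-0001"),
]
VULN_FEED_DAY2 = VULN_FEED_DAY1 + [
    Vulnerability("com.example:webcore", frozenset({"2.1.0"}), "CRITICAL", "EX-0002"),
]


@dataclass
class GateResult:
    unapproved: list = field(default_factory=list)
    license_risks: list = field(default_factory=list)
    vulnerable: list = field(default_factory=list)

    @property
    def passed(self):
        return not (self.unapproved or self.license_risks or self.vulnerable)


def parse_maven_list(text):
    """Extract (coordinate, version) pairs, skipping test-scoped dependencies."""
    deps = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) != 5:
            continue  # banner lines and blanks
        group, artifact, _type, version, scope = parts
        if scope == "test":
            continue  # test-only dependencies do not ship in the product
        deps.append((f"{group}:{artifact}", version))
    return deps


def evaluate(deps, vuln_feed, fail_at="HIGH"):
    """Apply the approval, license and known-vulnerability checks to each dependency."""
    threshold = SEVERITY_RANK[fail_at]
    result = GateResult()
    for coord, version in deps:
        if version not in APPROVED.get(coord, set()):
            result.unapproved.append(f"{coord}@{version}")
        lic = LICENSE_CATALOG.get(coord, "UNKNOWN")  # an unknown license is a risk, not a pass
        if lic not in ALLOWED_LICENSES:
            result.license_risks.append(f"{coord}@{version} ({lic})")
        for v in vuln_feed:
            if (v.component == coord and version in v.affected_versions
                    and SEVERITY_RANK[v.severity] >= threshold):
                result.vulnerable.append(f"{coord}@{version}: {v.vuln_id} [{v.severity}]")
    return result


def new_alerts(deps, old_feed, new_feed, fail_at="HIGH"):
    """Findings that appear only with the newer feed: the post-build alert case."""
    before = set(evaluate(deps, old_feed, fail_at).vulnerable)
    after = set(evaluate(deps, new_feed, fail_at).vulnerable)
    return sorted(after - before)


if __name__ == "__main__":
    # As a CI post-build step: a non-zero exit fails the job.
    gate = evaluate(parse_maven_list(SAMPLE_MAVEN_OUTPUT), VULN_FEED_DAY1)
    for label, items in (("UNAPPROVED", gate.unapproved),
                         ("LICENSE RISK", gate.license_risks),
                         ("VULNERABLE", gate.vulnerable)):
        for item in items:
            print(f"{label}: {item}")
    sys.exit(0 if gate.passed else 1)
```

Two edge cases are handled on purpose: test-scoped dependencies are dropped because they never ship, and a component with no license record is reported as UNKNOWN rather than silently passing, since a missing record is exactly the "spreadsheet inventory" gap the deck describes. The severity threshold (fail_at) is what keeps the gate agile: medium findings are reported without blocking the build, while high and critical ones fail it.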

[Pipeline diagram: Continuous Build & Test, Packaging, Configure & Release, annotated with steps 1 to 5]

COMPLIANT AND SECURE BUILDS VIA JENKINS: CHECK

ALERT: New Vulnerabilities Affecting You

IDENTIFY: License Compliance Risks

THANK YOU