Welcome!

Government Cloud Authors: Carmen Gonzalez, Kevin Jackson, Automic Blog, Elizabeth White, Dana Gardner

Related Topics: FinTech Journal, Linux Containers, Containers Expo Blog, @CloudExpo, Government Cloud, @DevOpsSummit

FinTech Journal: Article

Government Asks: What's in Your Software? | @DevOpsSummit #CD #FedRAMP

U.S. Government pays closer attention to software components

Multiple agencies across the U.S. government are paying closer attention to the software they are buying.  More specifically, they want to know what open source and third party components were used to build the software applications.  The report notes:

Similar moves by the National Institute of Standards and Technology (NIST), Underwriters Laboratories (UL), and the U.S. General Services Administration's (GSA) 18F Group have also been noted over the past year. The common thread among these initiatives is a need for a Software Bill of Materials.

According to wikipedia, a "Software Bill of Materials (software BOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The software BOM describes the components in a product. It is analogous to a list of ingredients on food packaging."

What's in your software?

Nowadays, that question is not difficult to answer.  Where software applications of the past were coded from scratch -- each one being like a unique snowflake, today's applications are assembled with reusable open source and third party components.  With 80 - 90% of an application now built from open source and third-party components, it is easy for organizations to quickly produce a Software Bill of Materials.

The same rules apply to software

You don't want to purchase spoiled food, buy a car with defective airbags, or have a relative  receive a defective pacemaker.  Modern society would not accept products built this way.  The same rules apply to software.

Recent analysis of 25,000 applications that revealed 6.8% (about 1 in 16) of components used by development teams included a known security defect. The defects are known security vulnerabilities in open source and third party components used to build the applications.  With known defect rates in software manufacturing so high compared to other manufacturing industries, it's no wonder government agencies are paying more attention.

The same guidelines apply outside of the government

Industry organizations like the American Bankers Association (ABA) and the Energy Sector Control Systems Working Group (ESCSWG), along with private sector organizations like Exxon and The Mayo Clinic, are also mandating use of a Software Bill of Materials.  Producing a Software Bill of Materials will soon be a common practice across development organizations, just as it is across other manufacturing industries.

A bill of materials provides a useful ingredient list.  For some organizations, that ingredient list serves to inform businesses and government organizations that they are not buying products with known defective parts.  Other organizations will rely on the bill of materials as a point of record for what parts were used within a released software application -- again, another common practice in manufacturing.

Just yesterday, I received a recall notice from Toyota informing me that my car had a known defective Takata airbag.  Toyota knows exactly what part was used in the car they sold me 10 years ago and tracked me down.  The company informed me that they are working on a remedy to fix or replace that defective part in my car.

Imagine if application developers, using a Software Bill of Materials, could do the same thing as Toyota.  Imagine the next OpenSSL heartbleed-like vulnerability is announced tomorrow.  How many software practices could immediately identify if they used the specific version of that flawed component in their application.  How many of those organizations could track that component down in seconds?  How many of them would offer to remediate that critical defect in a timely manner?

It's not just rules, it's software supply chain optimization

One of my favorite quotes from The Phoenix Project (a must-read novel about DevOps) goes like this "You win when you protect the organization without putting meaningless work into the IT system.  And you win even more when you can take meaningless work out of the system."

An average application includes 106 open source and third party components.  If you select the best components, you can build the best software.  Use known defective components and you are introducing waste, rework, and technical debt into the system -- a.k.a., meaningless work.

Producing a Software Bill of Materials can help organizations quickly identify what parts have been used in an application -- good or bad.  In a recent discussion with VMTurbo's Chief Architect, Sylvia Isler, she shared:

"Zero tolerance for risk is also why some customers require us to provide proof that our applications do not contain hidden security or licensing vulnerabilities.  By partnering with Sonatype, we're able to provide our customers with a detailed Software Bill of Materials validating that VMTurbo applications consist of only the highest quality open source components."

Not only does their zero-tolerance policy improve customer satisfaction, it also helps them by removing meaningless work from their system.  Customers are happy and so are their development teams.

Screen_Shot_2016-07-29_at_4.53.51_PM.png

A free Software Bill of Materials in 15 seconds

If you would like to understand what open source and third party components have been used in your application, Sonatype offers a free service to produce a Software Bill of Materials.  Analyzing a typical application might take 20 seconds.  The service produces a list of all open source components, identifies their name, version, license type, known security vulnerabilities, adoption rates, age, and other attributes.

If governments and customers are paying closer attention to what's in the software they are buying, it might just be time to figure out what's in the software you are building.

More Stories By Derek Weeks

In 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 160,000 development organizations. He is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce costs, and sustain long-lasting competitive advantages.

As a 20+ year veteran of the software industry, he has advised leading businesses on IT performance improvement practices covering continuous delivery, business process management, systems and network operations, service management, capacity planning and storage management. As the VP and DevOps Advocate for Sonatype, he is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Follow him here @weekstweets, find me here www.linkedin.com/in/derekeweeks, and read me here http://blog.sonatype.com/author/weeks/.

@ThingsExpo Stories
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the USA and Europe, we work with a variety of customers from emerging startups to Fortune 1000 companies.
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search an...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Analytic. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...