Welcome!

Government Cloud Authors: Elizabeth White, Liz McMillan, Gopala Krishna Behara, Raju Myadam, Kevin Jackson

Related Topics: FinTech Journal, Linux Containers, Containers Expo Blog, @CloudExpo, Government Cloud, @DevOpsSummit

FinTech Journal: Article

Government Asks: What's in Your Software? | @DevOpsSummit #CD #FedRAMP

U.S. Government pays closer attention to software components

Multiple agencies across the U.S. government are paying closer attention to the software they are buying.  More specifically, they want to know what open source and third party components were used to build the software applications.  The report notes:

Similar moves by the National Institute of Standards and Technology (NIST), Underwriters Laboratories (UL), and the U.S. General Services Administration's (GSA) 18F Group have also been noted over the past year. The common thread among these initiatives is a need for a Software Bill of Materials.

According to wikipedia, a "Software Bill of Materials (software BOM) is a list of components in a piece of software. Software vendors often create products by assembling open source and commercial software components. The software BOM describes the components in a product. It is analogous to a list of ingredients on food packaging."

What's in your software?

Nowadays, that question is not difficult to answer.  Where software applications of the past were coded from scratch -- each one being like a unique snowflake, today's applications are assembled with reusable open source and third party components.  With 80 - 90% of an application now built from open source and third-party components, it is easy for organizations to quickly produce a Software Bill of Materials.

The same rules apply to software

You don't want to purchase spoiled food, buy a car with defective airbags, or have a relative  receive a defective pacemaker.  Modern society would not accept products built this way.  The same rules apply to software.

Recent analysis of 25,000 applications that revealed 6.8% (about 1 in 16) of components used by development teams included a known security defect. The defects are known security vulnerabilities in open source and third party components used to build the applications.  With known defect rates in software manufacturing so high compared to other manufacturing industries, it's no wonder government agencies are paying more attention.

The same guidelines apply outside of the government

Industry organizations like the American Bankers Association (ABA) and the Energy Sector Control Systems Working Group (ESCSWG), along with private sector organizations like Exxon and The Mayo Clinic, are also mandating use of a Software Bill of Materials.  Producing a Software Bill of Materials will soon be a common practice across development organizations, just as it is across other manufacturing industries.

A bill of materials provides a useful ingredient list.  For some organizations, that ingredient list serves to inform businesses and government organizations that they are not buying products with known defective parts.  Other organizations will rely on the bill of materials as a point of record for what parts were used within a released software application -- again, another common practice in manufacturing.

Just yesterday, I received a recall notice from Toyota informing me that my car had a known defective Takata airbag.  Toyota knows exactly what part was used in the car they sold me 10 years ago and tracked me down.  The company informed me that they are working on a remedy to fix or replace that defective part in my car.

Imagine if application developers, using a Software Bill of Materials, could do the same thing as Toyota.  Imagine the next OpenSSL heartbleed-like vulnerability is announced tomorrow.  How many software practices could immediately identify if they used the specific version of that flawed component in their application.  How many of those organizations could track that component down in seconds?  How many of them would offer to remediate that critical defect in a timely manner?

It's not just rules, it's software supply chain optimization

One of my favorite quotes from The Phoenix Project (a must-read novel about DevOps) goes like this "You win when you protect the organization without putting meaningless work into the IT system.  And you win even more when you can take meaningless work out of the system."

An average application includes 106 open source and third party components.  If you select the best components, you can build the best software.  Use known defective components and you are introducing waste, rework, and technical debt into the system -- a.k.a., meaningless work.

Producing a Software Bill of Materials can help organizations quickly identify what parts have been used in an application -- good or bad.  In a recent discussion with VMTurbo's Chief Architect, Sylvia Isler, she shared:

"Zero tolerance for risk is also why some customers require us to provide proof that our applications do not contain hidden security or licensing vulnerabilities.  By partnering with Sonatype, we're able to provide our customers with a detailed Software Bill of Materials validating that VMTurbo applications consist of only the highest quality open source components."

Not only does their zero-tolerance policy improve customer satisfaction, it also helps them by removing meaningless work from their system.  Customers are happy and so are their development teams.

Screen_Shot_2016-07-29_at_4.53.51_PM.png

A free Software Bill of Materials in 15 seconds

If you would like to understand what open source and third party components have been used in your application, Sonatype offers a free service to produce a Software Bill of Materials.  Analyzing a typical application might take 20 seconds.  The service produces a list of all open source components, identifies their name, version, license type, known security vulnerabilities, adoption rates, age, and other attributes.

If governments and customers are paying closer attention to what's in the software they are buying, it might just be time to figure out what's in the software you are building.

More Stories By Derek Weeks

In 2015, Derek Weeks led the largest and most comprehensive analysis of software supply chain practices to date across 160,000 development organizations. He is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce costs, and sustain long-lasting competitive advantages.

As a 20+ year veteran of the software industry, he has advised leading businesses on IT performance improvement practices covering continuous delivery, business process management, systems and network operations, service management, capacity planning and storage management. As the VP and DevOps Advocate for Sonatype, he is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Follow him here @weekstweets, find me here www.linkedin.com/in/derekeweeks, and read me here http://blog.sonatype.com/author/weeks/.

@ThingsExpo Stories
DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the 22nd International CloudEXPO | DXWorldEXPO "Early Bird Registration" is now open. Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
I think DevOps is now a rambunctious teenager - it's starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...