July 20–24, 2015
Portland, OR

Getting your ducks in a row - an introduction to managing components in your software supply chain

Manfred Moser (simpligility technologies inc.)
2:30pm–3:10pm Thursday, 07/23/2015
Protect E147/148

Prerequisite Knowledge

No prerequisites required. Experience with software development using third-party libraries is useful.


Modern software development on platforms such as the JVM, .NET, Node.js, or JavaScript web applications relies largely on third-party components. Including these components is the only practical way to build the complex applications required today.

The rise of agile development processes and the DevOps movement has only accelerated innovation, and pushed even further toward the use of open source and other components. The tooling around package managers and build tools such as Maven, Gradle, npm, NuGet, gems, and others has made the use of components standard practice. This allows developers to take advantage of the features these frameworks and libraries offer. Today, 90% of a typical application is composed of open source components. However, using these components brings ownership and responsibility with it.

A modern software development organization must be able to create an inventory of all the components used in its software, know who the suppliers are, and keep track of every component over time. A number of problems exist today that need solving if organizations are to keep up with the accelerating demands of fast, agile processes.

  • 75% of organizations are not enforcing their open source policies
  • 64% don’t track changes in open source component vulnerability data
  • Only 16% of development teams must prove they are not using components with known vulnerabilities
  • 1 in 3 organizations had or suspected an open source breach in the past 12 months

We will discuss how you can face this onslaught of additional work for development teams, identifying, tracking, and replacing components with known vulnerabilities while continuing to accelerate releases and get more features and new products to market quickly. Heavily data-driven tools are emerging that allow you to:

  • Better understand the risks within this open source component-based software supply chain
  • Evaluate the quality and security of open source components at the speed of development
  • Continuously monitor and manage quality through component use standards, component reviews, and security audits

We will demo some of these applications and discuss the data they expose to you and the automation you can achieve.
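As an added illustration of the inventory-and-audit step the abstract describes (not code from the talk or from any of the tools it demos): a small Python script that reads Maven dependency coordinates from a constructed pom.xml into an inventory and checks each entry against a constructed advisory list whose affected ranges are [introduced, fixed). The pom, the advisories, and that range convention are assumptions made up for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for a fictional project (not a real artifact set)
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-parse</artifactId><version>1.9.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>log-util</artifactId><version>4.0.2</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed (placeholder ids): a version is affected if introduced <= v < fixed
ADVISORIES = [
    {"id": "ADV-0001", "component": "org.example:json-parse", "introduced": "1.0.0", "fixed": "1.9.3"},
    {"id": "ADV-0002", "component": "org.example:web-core", "introduced": "2.0.0", "fixed": "2.3.0"},
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # Maven POM default namespace


def version_key(v):
    """Turn a dotted version into a tuple of ints so '2.10.0' sorts after '2.9.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inventory(pom_xml):
    """Build the component inventory: {'groupId:artifactId': version} for each declared dependency."""
    root = ET.fromstring(pom_xml)
    inv = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = f"{dep.find('m:groupId', NS).text}:{dep.find('m:artifactId', NS).text}"
        inv[coord] = dep.find("m:version", NS).text
    return inv


def affected(version, introduced, fixed):
    """True when version lies in the half-open affected range [introduced, fixed)."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def audit(inv, advisories):
    """Return (advisory id, component, used version, fixed version) for each affected inventory entry."""
    findings = []
    for adv in advisories:
        used = inv.get(adv["component"])
        if used is not None and affected(used, adv["introduced"], adv["fixed"]):
            findings.append((adv["id"], adv["component"], used, adv["fixed"]))
    return findings


if __name__ == "__main__":
    for adv_id, comp, used, fixed in audit(inventory(POM), ADVISORIES):
        print(f"{adv_id}: {comp} {used} is affected; upgrade to {fixed} or later")
```

Running the script reports json-parse 1.9.0 as affected and nothing else, since web-core 2.3.1 already sits past the fixed version.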


Manfred Moser

simpligility technologies inc.

Manfred Moser has an engineering background. He is a professional trainer for Apache Maven and Sonatype Nexus, and the author of books such as The Hudson Book, Repository Management with Nexus, and the Sonatype CLM documentation. As community advocate at Sonatype, he helps developers with their component usage on a daily basis. He is the project lead for the Android Maven Plugin and is involved in a number of other open source projects, as well as local user groups. With this background he has been presenting at conferences such as AnDevCon, OSCON, JavaOne, and user group meetings around the world for a number of years. Manfred lives in Victoria, BC with his wife and sons. You can follow him on Twitter or G+ and check out his website for more information.

Manfred Moser
07/24/2015 2:53am PDT

The presentation slides are available online at http://goo.gl/cZ04Is