Making Invisible Things Visible: Revealing Secrets from 25,000 Applications

Presented at AppSec USA 2016, Oct. 14, 2016, 1:55 p.m. (35 minutes).

Every software development organization on the planet relies on a software supply chain, but most can't see it and don't understand the volume of components flowing through it. In the 2016 State of the Software Supply Chain Report, I detailed the practices of over 35,000 software development organizations who consumed billions of open source and third-party components in 2015. Across those billions of components downloaded, I found that 1 in 17 had a known security vulnerability. I also found a similar ratio among the components that flowed through these software supply chains into finished applications.

Those leading AppSec and DevOps practices who have pursued improved visibility, supplier choices, and control mechanisms across their software supply chains have boosted developer productivity by as much as 30%, crumbled mountains of security debt, and shifted millions of dollars from sustaining operations to accelerating innovation. Yet the vast majority of organizations developing software are blind to their free-for-all consumption volume, patterns, and velocity. Their software supply chain practices are silently sabotaging efforts to accelerate development, improve efficiency and maintain the integrity of their applications.

Results from the report will be shared with attendees, including:

  • Using one of the latest versions of a software component can cut the vulnerability ratio in half.
  • 75% of organizations lack policies that control the use of open source and third-party components.
  • 97% of development organizations lack any vetting process for the components they elect to procure for use in applications.

This discussion is not intended to simply shed light on bad practices. It is about making your software supply chain visible. Attendees will learn how those on the forefront of Development and Application Security are improving the quality and security of components used across their software supply chains.
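The two controls the findings above point at, a known-vulnerability check and a freshness rule that keeps a component within its latest releases, are simple to encode as a vetting gate. The following is an added example written for this page, not Sonatype's tooling or anything from the report. The component names, release histories and advisory records are constructed for illustration; the "fixed_in" advisory shape and the "no more than two releases behind" threshold are assumptions chosen for the example.

```python
"""Component vetting gate: known-vulnerability check plus a freshness rule.

Added example for this page; all component names, release lists and advisories
below are constructed for illustration and do not describe real software.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ("1.4.2" -> (1, 4, 2)).

    Assumption for this example: every version is purely dotted-numeric.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str  # first release that is no longer affected (assumed advisory shape)

    def affects(self, version: str) -> bool:
        return parse_version(version) < parse_version(self.fixed_in)


# Constructed release history per component, oldest to newest.
RELEASES: Dict[str, List[str]] = {
    "acme-parser": ["1.3.0", "1.4.0", "1.4.1", "1.4.2", "1.5.0", "1.5.1"],
    "fastjson-lite": ["2.9.0", "3.0.0", "3.0.1"],
    "crypto-utils": ["0.9.7", "0.9.8", "1.0.0"],
    "log-shim": ["2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0", "2.5.0"],
}

# Constructed advisories: acme-parser < 1.4.2 and crypto-utils < 1.0.0 are "affected".
ADVISORIES: List[Advisory] = [
    Advisory("acme-parser", fixed_in="1.4.2"),
    Advisory("crypto-utils", fixed_in="1.0.0"),
]

# Constructed application inventory: (component, version in use).
INVENTORY: List[Tuple[str, str]] = [
    ("acme-parser", "1.4.0"),
    ("fastjson-lite", "3.0.1"),
    ("crypto-utils", "0.9.8"),
    ("log-shim", "2.2.0"),
]


def known_vulnerabilities(name: str, version: str,
                          advisories: List[Advisory]) -> List[Advisory]:
    """Advisories whose affected range includes this exact component version."""
    return [a for a in advisories if a.component == name and a.affects(version)]


def versions_behind(name: str, version: str, releases: Dict[str, List[str]]) -> int:
    """How many published releases are newer than the one in use."""
    current = parse_version(version)
    return sum(1 for r in releases.get(name, []) if parse_version(r) > current)


def vet(name: str, version: str, advisories: List[Advisory],
        releases: Dict[str, List[str]], max_behind: int = 2) -> Tuple[bool, List[str]]:
    """Policy gate: reject on any known vulnerability or on being too far behind.

    Returns (accepted, reasons). max_behind=2 is an assumed threshold.
    """
    reasons = []
    for adv in known_vulnerabilities(name, version, advisories):
        reasons.append(f"known vulnerability, fixed in {adv.fixed_in}")
    behind = versions_behind(name, version, releases)
    if behind > max_behind:
        reasons.append(f"{behind} releases behind latest (limit {max_behind})")
    return (not reasons, reasons)


def vulnerable_ratio(inventory: List[Tuple[str, str]], advisories: List[Advisory]) -> float:
    """Fraction of inventory entries with at least one known vulnerability."""
    hits = sum(1 for n, v in inventory if known_vulnerabilities(n, v, advisories))
    return hits / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    print(f"known-vulnerable ratio: {vulnerable_ratio(INVENTORY, ADVISORIES):.0%}")
    for comp, ver in INVENTORY:
        ok, why = vet(comp, ver, ADVISORIES, RELEASES)
        print(f"{comp} {ver}: {'ACCEPT' if ok else 'REJECT'} {'; '.join(why)}")
```

The gate deliberately reports both kinds of finding, so a component can fail on staleness alone (log-shim here) even with no advisory against it; that is the point of the freshness rule, since a component several releases behind is more likely to be carrying an as-yet-unpublished issue than the current release.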

Presenters:

  • Derek Weeks - VP and Rugged DevOps Advocate - Sonatype
    Derek is a huge advocate of applying proven supply chain management principles to development and application security practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. Over the past two years, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations. His research detailed the consumption of billions of open source and third-party software components while also shedding new light on the scale of known vulnerable software being ingested by development organizations worldwide. Derek is a distinguished international speaker, having delivered his research at AppSec USA, InfoSec Europe, LASCON, HP Protect, the Air Force Cyber Security Forum, and numerous OWASP meet-ups.
