OSS Security Maturity: Time to Put On Your Big Boy Pants!

Black Hat USA 2016

Presented by: Christine Gadsby, Jake Kouns
Date: Thursday August 04, 2016
Time: 14:30 - 15:20
Location: Jasmine Ballroom

Open source software (OSS) usage is on the rise and continues to be a major source of risk for companies. OSS and 3rd party code may be inexpensive to use when building products, but it comes with significant liability and maintenance costs. Even after high profile vulnerabilities in OpenSSL and other critical libraries, tracking and understanding exposure continues to challenge even the most mature enterprise companies. It doesn't matter if you are a software vendor or not: the development and use of OSS in your organization is most likely significant. It also doesn't matter if you have been developing software for years or are just getting started, or whether you have one product or one hundred; to many it can feel nearly impossible to keep up with OSS vulnerabilities or, more importantly, to ensure they are properly mitigated.

This presentation looks at the real risk of using OSS and the best way to manage its use within your organization and, more specifically, within the Product Development Lifecycle. We will examine all the current hype around OSS and separate out what the real risks are and what organizations should be most concerned about. We explore the true cost of using OSS and review the various factors that can be used to evaluate whether a particular product or library should be used at your organization, including analyzing vulnerability metrics such as Time to Patch. Getting your head wrapped around the issues and the need to improve OSS security is challenging, but then taking action at your organization can feel impossible. This presentation provides several real world examples that have been successful, including: a case study of a single third-party library's vulnerability across several products, which helps show why investigating actual impact against your different products yields valuable intelligence. We will provide lessons from your incident response function and explain why understanding the vulnerabilities in your current software can give you valuable insight into creating smarter products that avoid maintenance costs. Finally, we will introduce a customized OSS Maturity Model and walk through the stages of maturity for organizations developing software with regard to how they prioritize and internalize the risk presented by OSS.

Jake Kouns

Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. Mr. Kouns has presented at many well-known security conferences including Black Hat, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He has briefed the DHS and Pentagon on Cyber Liability Insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Forbes, PC World, CSO, CIO and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SC Magazine. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

Christine Gadsby

Christine Gadsby is the Director of BlackBerry's global Product Security Incident Response Team (SIRT). This highly respected team monitors the security threat landscape and responds rapidly to emerging threats for all of BlackBerry's products and services and those of its subsidiaries and consulting customers. Christine played a critical role in creating BlackBerry's 30-day Android patching strategy and monthly customer advisory program. She has presented security response strategies and services to several high assurance governments including the NSA, CESG, CSE, and GCHQ as well as several enterprise organizations. She has contributed to publications such as CSO magazine and sits on several boards of industry response organizations and programs. She holds a Bachelor of Science degree in Information Technology and in Business Management from Western Governors University.
