In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains.
Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market.
However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh.
This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn:
What our analysis of 25,000 applications reveals about the quality and security of software built with open source components
How organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security
Why avoiding open source components over 3 years old might be a really good idea
How to balance the need for speed with quality and security -- early in the development lifecycle
We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly.
Attend this session and gain insight as to how your organization’s application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.
After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek become a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. From 2015 - 2016, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations. As the VP and DevOps Advocate for Sonatype, Derek is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Derek is also the founder and core-organizers of the All Day DevOps Conference. Altus Consulting Happy Hour 5pm - 5:15pm (15m) Altus is proud to sponsor BSidesNoVA Happy Hour for their inaugural 2017 conference. Altus Consulting was founded in 2002 with the express intent to offer Government and Commercial customers the best and brightest technical consultants in the Northern Virginia area. Altus is focused on finding the right fit in the workplace for their Engineers, as it is their belief that in making smart employees happy, the customer receives unrivaled technical service and expertise. Altus’ core focus areas are Systems Engineering, Software Engineering, Network Engineering, Program Management and Cyber Engineering—a combination of all core technical disciplines with a primary focus on security. Altus Cyber Engineers are experts in areas including information security, computer and network defense, penetration testing and computer forensics. While these descriptions cover a wide range of capabilities, Altus Cyber Engineers are highly technical within their area of expertise and provide a range of products and services including but not limited to: reverse engineering, active and passive malware analysis, incident handling and reporting products, security product development, and red team and blue team services. Altus Consulting Cyber Engineers are highly creative andslightly devious individuals who ply their talents for good. Interested in learning more about career opportunities with Altus Consulting? Check them out at altuscc.com.!