A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Software Supply Chains and the Illusion of Control - Derek Weeks BSides NOVA 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)

Software Supply Chains and the Illusion of Control
Derek Weeks
BSides NOVA 2017

In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn: - What our analysis of 25,000 applications reveals about the quality and security of software built with open source components - How organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security - Why avoiding open source components over 3 years old might be a really good idea - How to balance the need for speed with quality and security -- early in the development lifecycle We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organization’s application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.

After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek become a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. From 2015 - 2016, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations. As the VP and DevOps Advocate for Sonatype, Derek is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Derek is also the founder and core-organizers of the All Day DevOps Conference.


Back to BSides NOVA 2017 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast