OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype
The benefits of using open source software are well known, well documented and well leveraged by organisations all over the world. The risks of using open source software are not always as well understood. The risks are real and there’s always more which can be done to manage risk but at what cost? Attend this keynote for a discussion on the results of a four-year, industry-wide study on application security practices, policies, and trends related to open source development. To date, over 11,000 professionals have participated in the study. Among the surprising survey results that will be discussed: 1-in-3 organizations had or suspected an open source breach in the past 12 months Only 16% of participants must prove they are not using components with known vulnerabilities 64% don't track changes in open source vulnerability data
OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype
- 1. The True State of Open Source Security 11,000 Voices
- 2. 11,140 OVER THE FOUR YEAR STUDY PEOPLE SHARED THEIR VIEWS
- 4. Reach the desired outcome in the most efficient way: •using the least amount of effort •with the smallest total cost •(and maybe in the shortest possible time)
- 5. 90%
- 6. Righto, and security fits in this picture how?
- 8. Unmanaged Risk => Technical Debt => Less Efficiency => {future} Cost
- 9. [lots of something] x [cost] = Lots of Cost
- 10. Be aware of avoidable cost Actively manage avoidable risk
- 11. So let’s manage our risk and enable open source use?
- 12. Half of organizations continue to run without an open source policy.
- 13. Only 21% of organisations must prove they are using secure components.
- 14. But I already manage my risk!
- 15. Even when component versions are updated 4-5 times a year to fix known security, license or quality issues1. The majority of developers don’t track component vulnerability over time.
- 16. PARTICIPANTS NOTED SUCCESSFUL OR SUSPECTED OPEN SOURCE RELATED BREACHES IN PAST 12 MONTHS
- 17. Ok, so what next?
- 18. Have a strategy for enabling open source within your organisation
- 19. Understand what open source you are using
- 20. Make any process predictable, make it repeatable, automate it Make the right way the easy way
- 21. Get the people with the right skills involved in the right places Turn data into useable information Give developers the information they need to make informed decisions
- 22. Utilise iterative risk management, not point in time. Things change
- 23. Make it fast! Make it precise! Make it contextual!
- 24. sometimes the best solutions are the ones people don’t even realise are there
- 25. WANT ALL THE SURVEY RESULTS? www.sonatype.com/2014survey
- 26. Thank you and build safely!