OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype

Post on 20-Jun-2015


The benefits of using open source software are well known, well documented and well leveraged by organisations all over the world. The risks of using open source software are not always as well understood. The risks are real, and there is always more which can be done to manage risk, but at what cost? Attend this keynote for a discussion on the results of a four-year, industry-wide study on application security practices, policies, and trends related to open source development. To date, over 11,000 professionals have participated in the study. Among the surprising survey results that will be discussed:

• 1-in-3 organizations had or suspected an open source breach in the past 12 months

• Only 16% of participants must prove they are not using components with known vulnerabilities

• 64% don't track changes in open source vulnerability data

Transcript of OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype

The True State of Open Source Security

11,000 Voices

11,140 people shared their views over the four-year study.

Again…why open source?

Reach the desired outcome in the most efficient way:

• using the least amount of effort

• with the smallest total cost

• (and maybe in the shortest possible time)

90%

Righto, and security fits in this picture how?

Danger Driven Development!

Unmanaged Risk => Technical Debt => Less Efficiency => {future} Cost

[lots of something] x [cost] = Lots of Cost

Be aware of avoidable cost

Actively manage avoidable risk

So let’s manage our risk and enable open source use?

Half of organizations continue to run without an open source policy.

Only 21% of organisations must prove they are using secure components.

But I already manage my risk!

Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.

The majority of developers don’t track component vulnerability over time.

Participants noted successful or suspected open source related breaches in the past 12 months (1-in-3 organisations, per the survey summary above).

Ok, so what next?

Have a strategy for enabling open source within your organisation

Understand what open source you are using

Make any process predictable, make it repeatable, automate it

Make the right way the easy way

Get the people with the right skills involved in the right places

Turn data into useable information

Give developers the information they need to make informed decisions

Utilise iterative risk management, not point in time. Things change

Make it fast!

Make it precise!

Make it contextual!

Sometimes the best solutions are the ones people don't even realise are there.
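The two practices that tie the list above together, "understand what open source you are using" and "iterative risk management, not point in time", and the earlier observation that most developers do not track component vulnerability over time, are easy to state and easy to skip. The script below is an added illustration, not code from the talk or from Sonatype: it builds an inventory of the components a Maven build declares, checks that inventory against a set of advisories, and then re-checks it when the advisory data changes so that a component that was clean last month shows up as a new finding this month. The POM, the coordinates (org.example:util-lib, org.example:web-core), the advisory identifiers (EX-2014-001, EX-2014-002) and their affected version ranges are all constructed for the example and correspond to no real project or advisory.

```python
"""Component inventory from a Maven POM, checked against advisory data
that changes over time (iterative rather than point-in-time assessment)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; no real project. Note the property-resolved version,
# which is the usual reason a naive grep of <version> tags gets the inventory wrong.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo-app</artifactId><version>1.0.0</version>
  <properties><util.version>3.1.0</util.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>util-lib</artifactId>
      <version>${util.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId>
      <version>1.4.2</version></dependency>
  </dependencies>
</project>"""


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class Advisory:
    id: str                 # constructed identifier, not a real CVE
    group: str
    artifact: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet


# Constructed advisory feeds as seen on two different days.
FEED_DAY0 = [Advisory("EX-2014-001", "org.example", "web-core", "1.0.0", "1.4.0")]
FEED_DAY30 = FEED_DAY0 + [Advisory("EX-2014-002", "org.example", "util-lib", "3.0.0", None)]


def inventory(pom_xml: str) -> List[Component]:
    """Declared dependencies with ${property} references resolved."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}

    def resolve(text: str) -> str:
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)

    comps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        v = resolve(dep.findtext("m:version", default="", namespaces=NS).strip())
        comps.append(Component(g, a, v))
    return comps


def parse_version(v: str) -> Tuple:
    """Dotted versions compared numerically; non-numeric parts sort after numbers
    (an assumption that is good enough for the sample data, not full Maven rules)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def is_affected(c: Component, adv: Advisory) -> bool:
    if (c.group, c.artifact) != (adv.group, adv.artifact):
        return False
    v = parse_version(c.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(components: List[Component], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map each affected coordinate to the sorted advisory ids that hit it."""
    findings: Dict[str, List[str]] = {}
    for c in components:
        hits = sorted(a.id for a in advisories if is_affected(c, a))
        if hits:
            findings[c.coordinate] = hits
    return findings


def new_findings(previous: Dict[str, List[str]], current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """What changed since the last scan: findings present now but absent before."""
    out: Dict[str, List[str]] = {}
    for coord, ids in current.items():
        fresh = [i for i in ids if i not in previous.get(coord, [])]
        if fresh:
            out[coord] = fresh
    return out


if __name__ == "__main__":
    comps = inventory(SAMPLE_POM)
    day0, day30 = scan(comps, FEED_DAY0), scan(comps, FEED_DAY30)
    print("inventory:", [c.coordinate for c in comps])
    print("day 0 findings:", day0)
    print("day 30 findings:", day30)
    print("new since last scan:", new_findings(day0, day30))
```

Nothing in the build changed between the two scans; only the advisory data did, and that alone produces the new finding for util-lib 3.1.0, which is the whole argument for re-running the check continuously instead of once at release. In a real pipeline the inventory would come from the resolved, transitive dependency tree rather than the declared list, and the feed from an advisory source that is refreshed on a schedule.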

WANT ALL THE SURVEY RESULTS?

www.sonatype.com/2014survey

Thank you and build safely!