OWF14 - Plenary Session: David Jones, Chief Solutions Architect, Sonatype
DESCRIPTION
The benefits of using open source software are well known, well documented and well leveraged by organisations all over the world. The risks of using open source software are not always as well understood. The risks are real and there’s always more which can be done to manage risk, but at what cost? Attend this keynote for a discussion on the results of a four-year, industry-wide study on application security practices, policies, and trends related to open source development. To date, over 11,000 professionals have participated in the study. Among the surprising survey results that will be discussed:
• 1-in-3 organizations had or suspected an open source breach in the past 12 months
• Only 16% of participants must prove they are not using components with known vulnerabilities
• 64% don't track changes in open source vulnerability data
TRANSCRIPT
The True State of Open Source Security
11,000 Voices
11,140 PEOPLE SHARED THEIR VIEWS OVER THE FOUR YEAR STUDY
Again…why open source?
Reach the desired outcome in the most efficient way:
• using the least amount of effort
• with the smallest total cost
• (and maybe in the shortest possible time)
90%
Righto, and security fits in this picture how?
Danger Driven Development!
Unmanaged Risk => Technical Debt => Less Efficiency => {future} Cost
[lots of something] x [cost] = Lots of Cost
Be aware of avoidable cost
Actively manage avoidable risk
So let’s manage our risk and enable open source use?
Half of organizations continue to run without an open source policy.
Only 21% of organisations must prove they are using secure components.
But I already manage my risk!
Even when component versions are updated 4-5 times a year to fix known security, license or quality issues.
The majority of developers don’t track component vulnerability over time.
PARTICIPANTS NOTED SUCCESSFUL OR SUSPECTED OPEN SOURCE RELATED BREACHES IN PAST 12 MONTHS
Ok, so what next?
Have a strategy for enabling open source within your organisation
Understand what open source you are using
Make any process predictable, make it repeatable, automate it
Make the right way the easy way
Get the people with the right skills involved in the right places
Turn data into usable information
Give developers the information they need to make informed decisions
Utilise iterative risk management, not point-in-time assessment. Things change
Make it fast!
Make it precise!
Make it contextual!
Sometimes the best solutions are the ones people don’t even realise are there.
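As an added example (not part of the talk and not Sonatype's tooling) of the "understand what open source you are using" and "iterative, not point-in-time" recommendations above, this Python policy gate evaluates a constructed component inventory against a constructed advisory feed, re-runs after a developer upgrade and again after a new advisory appears, and reports what changed. All component names, versions and advisory ids are made up for illustration.

```python
# Constructed component inventory: what open source the application actually uses.
INVENTORY = [
    {"name": "webcore", "version": "2.1.0"},
    {"name": "xmlparse", "version": "1.4.2"},
    {"name": "httplib", "version": "3.0.1"},
]

# Constructed advisory feed, day 1: versions below "fixed_in" are affected.
ADVISORIES_DAY1 = [
    {"id": "ADV-EXAMPLE-1", "name": "xmlparse", "fixed_in": "1.5.0", "severity": "high"},
]
# Day 2: a new advisory has appeared for a component that was clean on day 1.
ADVISORIES_DAY2 = ADVISORIES_DAY1 + [
    {"id": "ADV-EXAMPLE-2", "name": "httplib", "fixed_in": "3.1.0", "severity": "medium"},
]

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def evaluate(inventory, advisories):
    """Return (component, version, advisory id, severity) for each known-vulnerable component."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return findings

def policy_passes(findings, blocking=("high", "critical")):
    """The 'prove you are not using known-vulnerable components' gate: fail on blocking severities."""
    return not any(severity in blocking for _, _, _, severity in findings)

def new_findings(previous, current):
    """What changed since the last run: the reason to re-evaluate rather than assess once."""
    return sorted(set(current) - set(previous))

def upgrade(inventory, name, version):
    """Return a new inventory with one component bumped (the fix a developer would apply)."""
    return [dict(c, version=version) if c["name"] == name else dict(c) for c in inventory]

if __name__ == "__main__":
    day1 = evaluate(INVENTORY, ADVISORIES_DAY1)
    print("day 1:", day1, "policy passes:", policy_passes(day1))
    fixed = upgrade(INVENTORY, "xmlparse", "1.5.0")
    day1_fixed = evaluate(fixed, ADVISORIES_DAY1)
    print("after upgrade:", day1_fixed, "policy passes:", policy_passes(day1_fixed))
    day2 = evaluate(fixed, ADVISORIES_DAY2)
    print("day 2 new findings:", new_findings(day1_fixed, day2), "policy passes:", policy_passes(day2))
```

The day-2 run passes the gate (the new advisory is medium) yet still surfaces a new finding, which is exactly the information a point-in-time check at release would never have produced.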
WANT ALL THE SURVEY RESULTS?
www.sonatype.com/2014survey
Thank you and build safely!