OWF14 - Plenary Session: David Jones, Chief Solutions Architect, Sonatype
DESCRIPTION
The benefits of using open source software are well known, well documented and well leveraged by organisations all over the world. The risks of using open source software are not always as well understood. The risks are real and there's always more that can be done to manage risk, but at what cost? Attend this keynote for a discussion on the results of a four-year, industry-wide study on application security practices, policies, and trends related to open source development. To date, over 11,000 professionals have participated in the study. Among the surprising survey results that will be discussed:
• 1-in-3 organizations had or suspected an open source breach in the past 12 months
• Only 16% of participants must prove they are not using components with known vulnerabilities
• 64% don't track changes in open source vulnerability data
TRANSCRIPT
![Page 1: OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype](https://reader033.vdocuments.us/reader033/viewer/2022042815/5584f9a8d8b42ae71b8b471b/html5/thumbnails/1.jpg)
The True State of Open Source Security
11,000 Voices
11,140 PEOPLE SHARED THEIR VIEWS OVER THE FOUR YEAR STUDY
Again…why open source?
Reach the desired outcome in the most efficient way:
• using the least amount of effort
• with the smallest total cost
• (and maybe in the shortest possible time)
90%
Righto, and security fits in this picture how?
Danger Driven Development!
Unmanaged Risk => Technical Debt => Less Efficiency => {future} Cost
[lots of something] x [cost] = Lots of Cost
Be aware of avoidable cost
Actively manage avoidable risk
So let’s manage our risk and enable open source use?
Half of organizations continue to run without an open source policy.
Only 21% of organisations must prove they are using secure components.
But I already manage my risk!
The majority of developers don't track component vulnerability over time, even when component versions are updated 4-5 times a year to fix known security, license or quality issues.
PARTICIPANTS NOTED SUCCESSFUL OR SUSPECTED OPEN SOURCE RELATED BREACHES IN THE PAST 12 MONTHS
Ok, so what next?
Have a strategy for enabling open source within your organisation
Understand what open source you are using
Make any process predictable, make it repeatable, automate it
Make the right way the easy way
Get the people with the right skills involved in the right places
Turn data into usable information
Give developers the information they need to make informed decisions
Utilise iterative risk management, not point-in-time assessment. Things change.
Make it fast!
Make it precise!
Make it contextual!
Sometimes the best solutions are the ones people don't even realise are there.
WANT ALL THE SURVEY RESULTS?
www.sonatype.com/2014survey
Thank you and build safely!