Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development
Thursday, November 21 • 2:00 pm - 2:50 pm
Like automobile manufacturers, today’s software developers assemble applications from existing components or parts rather than writing them from scratch. Open source component use has skyrocketed in recent years: in 2012, the Central Repository registered eight billion component downloads, double the activity of 2011. Components now make up 90% of a typical application, the bulk of them open source and drawn from dozens, if not hundreds, of individual suppliers. Yet 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security. Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk of a complex, distributed software supply chain. Coupled with the trend toward agile development, this leaves enterprises carrying massive, unmanaged risk.
Few organizations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from applications. In the annual Open Source Development Survey, the largest study of its kind, surveying more than 3,500 developers, architects and IT managers using open source, 76 percent of respondents said they have no control over which components are used in software development projects, and more than half cited a failure to maintain an inventory of the components used in production applications. Like operating systems or databases, open source components are a rich attack vector given their commonality across organizations and applications: a single flaw in a widely used component is exploitable in every application that ships it.
New to the 2013 edition of the OWASP Top 10 is A9, Using Components with Known Vulnerabilities, which acknowledges the widespread use of open source components in today’s applications and the significant security risk that exists when organizations lack proper internal controls or fail to address vulnerabilities throughout the software development lifecycle. Joint research from Aspect Security and Sonatype found that the probability of an application containing at least one vulnerability due to a known insecure library is 95%.
In this presentation, Ryan Berg, CSO of Sonatype, and Jeff Williams, CEO of Aspect Security, will examine why traditional approaches to application security cannot protect today’s applications. Using exclusive data from the Central Repository and the findings of their joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer, and how to deploy approaches to software assurance that are simple, quick and continuous.
Key topics and takeaways include:
- How to empower developers to become the new frontline of defense in today’s cyber-security war
- Why securing the perimeter is not enough to protect the critical data housed in modern applications
- How to break down the traditional walls between development teams and security and risk professionals
- Steps for introducing policy to govern component usage that will actually be adopted by developers
- How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
- How to give developers the tools and authority to focus on security in real-time
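The two gaps the abstract names, no inventory of components in use and no policy gate on their usage, are concrete enough to show in code. The following is an added example, written for this page rather than taken from the speakers, Sonatype or Aspect Security: it builds a component inventory from a Maven pom.xml (the Central Repository being Maven Central), resolves `${property}` version placeholders from the POM's own `<properties>`, and then evaluates the inventory against a policy of known-bad version ranges. The pom.xml, the `org.example` coordinates and the policy entries are all constructed for the illustration and stand in for a real advisory feed; an unresolvable version is reported as "unknown" rather than silently passed, because an inventory with gaps is exactly the failure mode the survey describes.

```python
"""Component inventory plus policy gate for a Maven project (illustrative, not a real tool)."""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM; coordinates and versions are invented for this example.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <properties>
    <widget.version>2.0.0</widget.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-core</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-web</artifactId>
      <version>${widget.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-legacy</artifactId>
      <version>${legacy.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed policy standing in for an advisory feed:
# (groupId, artifactId) -> [(min_inclusive, max_exclusive, severity), ...]
POLICY = {
    ("org.example", "widget-core"): [((1, 0, 0), (1, 3, 0), "critical")],
}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_version(text):
    """'1.2.3-SNAPSHOT' -> (1, 2, 3); qualifiers after the numeric parts are dropped."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def inventory(pom_xml):
    """Return [(groupId, artifactId, version), ...] for every declared dependency.

    ${property} versions are resolved from <properties>; an unresolvable
    placeholder is kept verbatim so the gap is visible downstream.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    components = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        match = PLACEHOLDER.fullmatch(version)
        if match:
            version = props.get(match.group(1), version)
        components.append((group, artifact, version))
    return components


def evaluate(components, policy):
    """Return [(groupId, artifactId, version, severity), ...] for every policy hit."""
    findings = []
    for group, artifact, version in components:
        if not version or PLACEHOLDER.fullmatch(version):
            # Cannot tell what ships: treat as a finding, not a pass.
            findings.append((group, artifact, version, "unknown"))
            continue
        parsed = parse_version(version)
        for low, high, severity in policy.get((group, artifact), []):
            if low <= parsed < high:
                findings.append((group, artifact, version, severity))
    return findings


def gate(pom_xml, policy=POLICY, block_on=("critical", "severe", "unknown")):
    """Return (passes, findings); the build is blocked if any finding is in block_on."""
    findings = evaluate(inventory(pom_xml), policy)
    blocked = [f for f in findings if f[3] in block_on]
    return (not blocked, findings)


if __name__ == "__main__":
    passes, findings = gate(SAMPLE_POM)
    for finding in findings:
        print("%s:%s:%s -> %s" % finding)
    print("build allowed" if passes else "build blocked")
```

Run as a pre-build step, the script fails the build for the vulnerable `widget-core` range and for the dependency whose version it could not resolve; the policy table is the piece a real deployment replaces with a vulnerability feed, while the inventory step is what most organizations in the survey were missing.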