Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development

Schedule Speakers

Thursday, November 21 • 2:00 pm - 2:50 pm

Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common – 71 percent of applications contain components with known security flaws classified as severe or critical.  Everything from Big Data, to cloud and mobile applications are exposed to unmanaged risk.  The pressure to add more features and put applications into production quickly comes at a devastating tradeoff – to go fast or be secure.  Using never-before-seen data from the Central Repository – the industry’s primary source for open source components receiving 8 billion requests annually this presentation will examine how modern development is ushering in massive amounts of unmanaged risk demanding a new approach to mitigating the risk in modern, component-based applications – one that is significantly simpler to use, integrated throughout the software lifecycle and shows real, sustainable results. 

Like automobile manufacturers, today’s software developers assemble applications using existing components or parts rather than writing applications from scratch.  Open source component use has skyrocketed in recent years.  In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011.  90% of a typical application today is now comprised of components, the bulk of these are open source, coming from dozens, if not hundreds, of individual suppliers.  Yet, 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security.  Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain.  When coupled with a trend toward agile development, enterprises are finding themselves with massive, unmanaged risk. 

 Few organizations have the controls or processes to identify which components are in use, to govern their usage or to eradicate flawed components from applications.  In the annual Open Source Development Survey – the largest study of its kind surveying more than 3,500 developers, architects and IT managers using open source – 76 percent of respondents shared that they have no control over what components are being used in software development projects and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or database, open-source components represent a rich attack vector for hackers to exploit given their commonality across organizations and applications. 

 New to the OWASP Top 10 Guidelines is A9: Use of Insecure Libraries, acknowledging the widespread use of open source components in today’s applications and the significant security risks that exists when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle.  Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.

In this presentation, Ryan Berg, CSO of Sonatype and Jeff Williams, CEO of Aspect Security will examine why traditional approaches to application security can’t protect today’s applications.  Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous. 

Key topics and takeaways include:

  • How to empower developers to become the new frontline of defense in today’s cyber-security war
  • Why securing the perimeter is not enough to protect the critical data housed in modern applications
  • How to breakdown the traditional walls that exist between development teams and security and risk professionals
  • Steps for introducing policy to govern component usage that will actually be adopted by developers
  • How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
  • How to give developers the tools and authority to focus on security in real-time
Speakers:
Ryan Berg

Chief Security Officer Sonatype December 2012 – Present (5 months)Austin, Texas Area IBM Cloud Security Strategy Lead IBM August 2009 – Present (3 years 9 months)Austin, Texas Area Ounce Labs Chief Scientist - Co-Founder Ounce Labs January 2002 – August 2009 (7 years 8 months) Chief Architect - Co-Founder Qiave 1999 – 2001 (2 years) Engineer ADP GTE Internetworking 1997 – 1999 (2 years)

Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author, in the fields of security, risk management, and secure application development. Prior to Ounce Labs, Ryan co-founded Qiave Technologies, a pioneer in kernel-level security, which later sold to WatchGuard Technologies in 2000. In the late 1990's, Ryan also designed and developed the infrastructure for GTE Internetworking/Genuity's appliance-based managed security services.

and Jeff Williams

https://www.owasp.org/index.php/User:Jeff_Williams

Jeff is a founder and CEO of Aspect Security, offering practical application security products and services for enterprises with critical applications. Jeff served as the volunteer Chair of OWASP for 8 years, and helped grow the organization from a mailing list to a thriving community. Jeff started the OWASP Chapter program and spearheaded many of OWASP's flagship projects. Jeff is very easy to find if you want to talk about instrumenting applications to find vulnerabilities in real time, play some basketball, or just grab a beer. You can contact him at jeff.williams@aspectsecurity.com

See more of: Presentations
www.appsecusa.org
<< Previous Presentation | Next Presentation >>