Thursday, November 21 • 2:00pm - 2:50pm
Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development


Organizations are exposed to significant risks caused by their increasing reliance on open-source components. Component flaws are exceedingly common – 71 percent of applications contain components with known security flaws classified as severe or critical. Everything from Big Data to cloud and mobile applications is exposed to unmanaged risk. The pressure to add more features and put applications into production quickly comes at a devastating tradeoff – to go fast or be secure. Using never-before-seen data from the Central Repository – the industry’s primary source for open source components, receiving 8 billion requests annually – this presentation will examine how modern development is ushering in massive amounts of unmanaged risk, demanding a new approach to mitigating the risk in modern, component-based applications – one that is significantly simpler to use, integrated throughout the software lifecycle, and shows real, sustainable results.

Like automobile manufacturers, today’s software developers assemble applications using existing components or parts rather than writing applications from scratch. Open source component use has skyrocketed in recent years. In 2012, the Central Repository registered eight billion component downloads, doubling activity from 2011. 90% of a typical application today is comprised of components; the bulk of these are open source, coming from dozens, if not hundreds, of individual suppliers. Yet 71 percent of applications contain components with known security flaws classified as severe or critical, pointing to a major breakdown in application security. Unlike manufacturing, the software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain. When coupled with a trend toward agile development, enterprises are finding themselves with massive, unmanaged risk.

Few organizations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from applications. In the annual Open Source Development Survey – the largest study of its kind, surveying more than 3,500 developers, architects and IT managers using open source – 76 percent of respondents shared that they have no control over what components are being used in software development projects, and more than half cited a failure to maintain an inventory of components used in production applications. Like operating systems or databases, open-source components represent a rich attack vector for hackers to exploit, given their commonality across organizations and applications.

New to the OWASP Top 10 Guidelines is A9: Use of Insecure Libraries, acknowledging the widespread use of open source components in today’s applications and the significant security risks that exist when organizations lack proper internal controls or fail to address security vulnerabilities throughout the software development lifecycle. Joint research from Aspect Security and Sonatype found the probability of having at least one vulnerability in an application due to a KNOWN insecure library is 95%.

In this presentation, Ryan Berg, CSO of Sonatype, and Jeff Williams, CEO of Aspect Security, will examine why traditional approaches to application security can’t protect today’s applications. Using exclusive data from the Central Repository and sharing the findings of joint research, Berg and Williams will show why organizations must extend defense-in-depth to the application layer and how to deploy new approaches to software assurance that are simple, quick and continuous.
Key topics and takeaways include:
• How to empower developers to become the new frontline of defense in today’s cyber-security war
• Why securing the perimeter is not enough to protect the critical data housed in modern applications
• How to break down the traditional walls that exist between development teams and security and risk professionals
• Steps for introducing policy to govern component usage that will actually be adopted by developers
• How organizations can expedite development (go fast) and govern/manage (be secure) the entire application lifecycle to ensure the integrity of the software supply chain
• How to give developers the tools and authority to focus on security in real time

Ryan Berg

Chief Security Officer, Sonatype
Ryan is the Chief Security Officer at Sonatype. Before joining Sonatype, Ryan was a co-founder and chief scientist for Ounce Labs, which was acquired by IBM in 2009. Ryan holds multiple patents and is a popular speaker, instructor and author in the fields of security, risk management...
Jeff Williams

Co-founder and CTO, Contrast Security
I've been in security since the late 1980s and have been blessed with the opportunity to help start three great application security organizations: Contrast Security, OWASP, and Aspect Security (recently sold to EY). I'm coming to LASCON to meet *you*. I'm easy to find :-) and love...

Thursday November 21, 2013 2:00pm - 2:50pm EST
Salon 1 (5th Floor Ballroom) NY Marriott Marquis