Making Open Work
May 8–9, 2017: Training & Tutorials
May 10–11, 2017: Conference
Austin, TX

Software supply chains and the illusion of control

Derek Weeks (Sonatype)
2:35pm–3:15pm Thursday, May 11, 2017
Infrastructure, Security
Location: Ballroom F
Level: Beginner

Who is this presentation for?

  • DevOps engineers, architects, and those working in security and governance

Prerequisite knowledge

  • A basic understanding of how development platforms and practices consume open source components for use in assembling applications
  • Knowledge of security, licensing, and quality risks that might be associated with the use of open source components
  • An understanding of DevOps fundamentals aimed at automating processes, removing process constraints, and building quality (useful but not required)

What you'll learn

  • Explore the results of a three-year study of open source development practices across 3,000 organizations
  • Understand the vast software supply chains these organizations employ that are simultaneously improving development productivity and undermining quality and security practices

Description

Modern software development practices are now consuming billions of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems, and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market.

However, using these components brings with it ownership and responsibility—a fact largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh.

Derek Weeks shares the results of a three-year study of open source development practices across 3,000 organizations, exploring the vast software supply chains these organizations employ that are simultaneously improving development productivity and undermining quality and security practices. Derek then outlines DevOps practices that support building in quality and security from the beginning.

Topics include:

  • What an analysis of 25,000 applications reveals about the quality and security of software built with open source components
  • How organizations like the Mayo Clinic, ExxonMobil, Capital One, the US FDA, and Intuit are utilizing the principles of software supply chain automation to improve application security
  • Why avoiding open source components over three years old might be a really good idea
  • How to balance the need for speed with quality and security early in the development lifecycle
  • How to best approach the effort for development teams to identify, track, and replace components with known vulnerabilities while getting more products and new features to market quickly

Derek Weeks

Sonatype

Derek Weeks is the vice president and DevOps advocate for Sonatype. After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek became a huge advocate of applying proven supply chain management principles to DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. He’s passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. From 2015 to 2016, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations. Derek is also the founder and one of the core organizers of the All Day DevOps Conference.