Most organizations use open-source components to develop applications, but how do you use them safely without bringing additional risk into your organization?
The last thing you need to be doing is introducing open source, well known vulnerabilities. For 78% of companies worldwide that use open source software in their application development, many tools are ineffective in identifying and mitigating open source security risks across their application portfolios.
In this session we'll look at the problem and various techniques for mitigating the risk and explore:
The value of static and dynamic tools and where they best fit in the Secure Development Lifecycle
Why these tools are not useful in identifying known vulnerabilities in open source components
How vulnerable open source components enter code
How companies have successfully deployed open source safely
Controls development and security professionals can deploy to select, detect, manage and monitor open source for existing and newly disclosed vulnerabilities
In today's connected world, all types of software are exposed to security threats. Vulnerabilities arise from coding errors, architectural missteps, and misconfigurations, offering the "bad guys" ample opportunities for exploitation via the Internet, in the cloud and intelligent devices, or when cybercriminals gain access to assumed-secure systems through other means.
Companies use an array of security weapons to fight back. Many rely on increasingly effective static analysis tools and dynamic analysis tools. However, for the nearly 80% of companies worldwide that use open source software in their application development, these tools are ineffective in identifying and mitigating open source security risks across their application portfolios.
While open source software is no less secure than other software, its use presents unique management and supply chain challenges because 67% of open source users admit they don't monitor open source code for security vulnerabilities.
CISO's and other interested security professionals are invited to join our discussion on getting the most protection from your risk management investment
Pittenger provides strategic leadership for Black Duck's security solutions, including product direction and strategic alliances. His extensive security industry experience and expertise help Black Duck deliver solutions that mitigate security risks associated with the use of open source software. Pittenger's 30-year technology and management career includes 15 years in security. He previously served as Vice President and General Manager of @stake's product division. After @stake's acquisition by Symantec, he led the spin-out of his team to form Veracode. He later served as Vice President of the product and training division of Cigital. Pittenger has consulted independently, helping security companies identify, define and prioritize the benefits their technologies deliver; structure solutions appropriately and bring those offerings to market.