[Owasp-boston] April 3 OWASP Boston Meeting -
jim.weiler at owasp.org
Wed Mar 27 14:32:24 UTC 2013
6:30 pm Akamai, Cambridge MA.
Title: Go Fast. Be Secure: Effectively Govern the Use of Open Source
Components Throughout the SDLC
Presented by Sonotype
• Open Source Software (OSS) Component supply chain complexities and
realities. Open source is constantly changing and knowing the version in
your software, as well as the current version history of the component (how
do you show an auditor you are using a current version) is important.
• Open Source Consumption Patterns from the Central Repository. Which
versions are the most popular can tell you which versions are the most
stable, useful, secure etc.
• OWASP Top 10 (A9) - Using Components with Known Vulnerabilities. To
decide on the risk of OSS components with vulnerabilities, you need to know
the vulnerabilities, their severity and which components they occur in as
well as where in the code dependency tree they are.
• OSS Security, Quality and License policies must be woven into the
development process. Knowing the number and type of open source licenses in
your software can be important to the legal standing of your code and if it
conflicts with any corporate standards. The licensing is also important in
order to know the restrictions on changing the software.
• OSS Component Policy Examples
• Example Application Compositions Reports
• Example Use cases IDE, CI, repository, production applications
Sonatype operates the Central Repository, the industry's primary source for
open-source components, housing more than 400,000 components and serving
more than five billion requests per year from more than 60,000
organizations. The company has been a pioneer in component-based software
development since its founding by Jason van Zyl, the creator of the Apache
Maven build management system and the Central Repository.
Pizza and Soda sponsored by Akamai
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-boston