Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies (Showcase)
Title | Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies (Showcase) |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Mahmud, Gazi |
Conference Name | Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4218-6 |
Keywords | Continuous Integration, DevOps, Nexus Firewall, Nexus Repository OSS, Open Source Software, OSS Repository Hosting, OSSRH, pubcrawl, Resiliency, Software Component Lifecycle Management, Software Variability Management, Sonatype, supply chain risk assessment, supply chain security, The Central Repository |
Abstract | This year, software development teams around the world are consuming BILLIONS of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 of the components they are using includes known security vulnerabilities. In this talk, I will describe what Sonatype, the company behind The Central Repository that supports Apache Maven, has learned from analyzing how thousands of applications use open source components. I will also discuss how organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security, and how organizations can balance the need for speed with quality and security early in the development cycle. |
URL | http://doi.acm.org/10.1145/2950290.2994155 |
DOI | 10.1145/2950290.2994155 |
Citation Key | mahmud_making_2016 |