Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies (Showcase)

Title: Making Invisible Things Visible: Tracking Down Known Vulnerabilities at 3000 Companies (Showcase)
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Mahmud, Gazi
Conference Name: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4218-6
Keywords: Continuous Integration, DevOps, Nexus Firewall, Nexus Repository OSS, Open Source Software, OSS Repository Hosting, OSSRH, pubcrawl, Resiliency, Software Component Lifecycle Management, Software Variability Management, Sonatype, supply chain risk assessment, supply chain security, The Central Repository
Abstract:

This year, software development teams around the world are consuming BILLIONS of open source and third-party components. The good news: they are accelerating time to market. The bad news: 1 in 17 components they are using include known security vulnerabilities. In this talk, I will describe what Sonatype, the company behind The Central Repository that supports Apache Maven, has learned from analyzing how thousands of applications use open source components. I will also discuss how organizations like Mayo Clinic, Exxon, Capital One, the U.S. FDA and Intuit are utilizing the principles of software supply chain automation to improve application security and how organizations can balance the need for speed with quality and security early in the development cycle.

URL: http://doi.acm.org/10.1145/2950290.2994155
DOI: 10.1145/2950290.2994155
Citation Key: mahmud_making_2016