THE
SECURITY
INFLUENCER’S
CHANNEL
HOSTED BY JEFF WILLIAMS
CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode Four:
Wayne Jackson from Sonatype
JEFF WILLIAMS
WAYNE JACKSON
“We at Sonatype focus on the supply chain and how open source is really the underpinning of software development supply team, we tend to focus on open source and how people are thinking about their use of open source.”
JEFF
“It looks like the vast majority of application security practices are manual in nature. So…how does that work with software getting faster with Agile and DevOps development, and most organizations doing this manual AppSec process? How does that work?”
WAYNE
“Well, it doesn’t, to be candid, and it can’t.”
WAYNE
“You’re essentially dooming the organization in one of two ways. Either you’re dooming the organization to be slow, or you’d be dooming people to use old code.”
JEFF
“So is it possible to go fast and be secure?”
WAYNE
“Only with automation.”
WAYNE
“We encourage folks to find the attributes of acceptability, and let machines make pass/fail decisions.”
JEFF
“I think a lot of people see automation as just putting tools in place and then the tools do whatever the tools do…You’re actually talking about a policy decision, then you use the tool infrastructure to automate.”
WAYNE
“Exactly.”
JEFF
“In a lot of organizations that I work with, I see them just basically adopt the tool and run it without configuring it. They just make their policy whatever the tool does out of the box.”
WAYNE
“Yes, and that’s very sad.”
PCI COMPLIANCE
JEFF
“Only 56% of the survey participants said their organizations have an open source policy in place. Surprising?”
WAYNE
“It’s actually relatively consistent with prior years, which is a little disappointing.”
WAYNE
“The bigger concern I have is whether they have policies and practices that actually move the needle.”
WAYNE
“We were at a major global bank recently, and they were doing an analysis of how effective their policies were, and they found the developers who needed a thing were renaming that thing to match something that was on a white list so that they would be compliant with their policy.”
JEFF
“In the survey it says that 63% of companies don’t track vulnerabilities over time. So a library that has a vulnerability one day, and then the next day a vulnerability gets released, 63% of companies are not going to notice that. What does that say about the process that companies are following?”
WAYNE
“I think it reflects a general immaturity…and a mistaken assumption that open source is okay and secure.”
WAYNE
“There are some things missing in the open source ecosystem that we take for granted in commercial relationships.”
JEFF
“And you have to do it continuously, right? I mean these vulnerabilities are rolling out every week it seems.”
JEFF
“Is there a way to tell the difference between the open-source projects that are basically doing good security stuff and open-source projects that aren’t?”
WAYNE
“We’re doing a lot of work in that regard [secure open-source projects]. One of the things that we encourage folks in the commercial realm to do is to think about the dependencies and their projects and, if they have security defects, to replace them with something better.”
JEFF
“I love the fact that [Sonatype] has access to so much data about the open-source community, open-source usage, and component usage.”
JEFF
“What did you find in the survey that was surprising?”
WAYNE
“One of the things that I found surprising, especially in the context of Struts, given how many folks are affected by it, that there weren’t dramatic shifts toward better practices.”
JEFF
“I am more and more convinced that the only real approach that works with application security is pushing those activities into the development groups and having the development groups be able to do them themselves.”
WAYNE
“There is just a fundamental misalignment with the group that’s designed to automate things periodically.”
WAYNE
“Part of enabling tools is making the tools simple enough that they can move left [in the SDLC].”
JEFF
“I think that there is a lot of room for experimentation and growth in this space because it’s early.”
WAYNE
“Agreed. Yeah, I, and again to your point, I’m not diminishing the expertise that resides in some of those groups and there need to be strategic and thought leaders around security policy. But concentrating in those groups, expertise required to actually operate a tool, to me, implies that the tools just aren’t right.”
JEFF
“I think that’s a fair point. And we’re both trying to fix that problem.”
JEFF WILLIAMS
WITH
WAYNE JACKSON
OF
SONATYPE