In this episode, Jeff Williams interviews Wayne Jackson of Sonatype. They discuss the results from The 2014 Open Source Development Survey, where 3,300 surveyed developers gave their honest opinions on everything from third-party code to internal policies and procedures. Topics included the implications for continuous application security, compliance measures, and application security automation.
6. WAYNE JACKSON
“We at Sonatype focus on the supply chain and how open source is really the underpinning of the software development supply team; we tend to focus on open source and how people are thinking about their use of open source.”
7. JEFF
“It looks like the vast majority of application security practices are manual in nature. So… how does that work with software getting faster with Agile and DevOps development, and most organizations doing this manual AppSec process? How does that work?”
9. WAYNE
“You’re essentially dooming the organization in one of two ways. Either you’re dooming the organization to be slow, or you’d be dooming people to use old code.”
13. WAYNE
“We encourage folks to find the attributes of acceptability, and let machines make pass/fail decisions.”
14. JEFF
“I think a lot of people see automation as just putting tools in place and then the tools do whatever the tools do… You’re actually talking about a policy decision, then you use the tool infrastructure to automate.”
16. JEFF
“In a lot of organizations that I work with, I see them just basically adopt the tool and run it without configuring it. They just make their policy whatever the tool does out of the box.”
21. WAYNE
“The bigger concern I have is whether they have policies and practices that actually move the needle.”
22. WAYNE
“We were at a major global bank recently, and they were doing an analysis of how effective their policies were, and they found the developers who needed a thing were renaming that thing to match something that was on a white list so that they would be compliant with their policy.”
23. JEFF
“In the survey it says that 63% of companies don’t track vulnerabilities over time. So a library that has a vulnerability one day, and then the next day a vulnerability gets released, 63% of companies are not going to notice that. What does that say about the process that companies are following?”
24. WAYNE
“I think it reflects a general immaturity… and a mistaken assumption that open source is okay and secure.”
26. WAYNE
“There are some things missing in the open source ecosystem that we take for granted in commercial relationships.”
28. JEFF
“And you have to do it continuously, right? I mean these vulnerabilities are rolling out every week it seems.”
30. JEFF
“Is there a way to tell the difference between the open-source projects that are basically doing good security stuff and open-source projects that aren’t?”
31. WAYNE
“We’re doing a lot of work in that regard [secure open-source projects]. One of the things that we encourage folks in the commercial realm to do is to think about the dependencies and their projects and, if they have security defects, to replace them with something better.”
32. JEFF
“I love the fact that [Sonatype] has access to so much data about the open-source community, open-source usage, and component usage.”
34. WAYNE
“One of the things that I found surprising, especially in the context of Struts, given how many folks are affected by it, is that there weren’t dramatic shifts toward better practices.”
35. JEFF
“I am more and more convinced that the only real approach that works with application security is pushing those activities into the development groups and having the development groups be able to do them themselves.”
36. WAYNE
“There is just a fundamental misalignment with the group that’s designed to automate things periodically.”
38. WAYNE
“Part of enabling tools is making the tools simple enough that they can move left [in the SDLC].”
39. JEFF
“I think that there is a lot of room for experimentation and growth in this space because it’s early.”
40. WAYNE
“Agreed. Yeah, I, and again to your point, I’m not diminishing the expertise that resides in some of those groups, and there need to be strategic and thought leaders around security policy. But concentrating, in those groups, the expertise required to actually operate a tool, to me, implies that the tools just aren’t right.”