Wayne Jackson's Presentation at RSA 2012
  • That awareness is vital, in part because the open source ecosystem has no notification infrastructure. Imagine your desktop without auto-update. Imagine digging through thousands of web sites, sifting through release notes, searching for security bulletins, tracking down critical fixes.
  • And the ecosystem affected by this condition is vast: more than 80% of modern software is open source, and the typical organization uses thousands of these often complex components.
  • The compounding reality is that when issues do arise, the effects are viral, while the fixes are not. For example, patching Spring 2.5.6 did nothing to fix the 1,447 components that it compromised, or the untold numbers of downstream applications that used them.
  • The result is situations like this... 6,982 organizations, including global financial institutions and the Department of Homeland Security, are actively using a three-year-old crypto library with a remotely exploitable, bad-as-it-gets security flaw with published exploit code.
  • Sonatype is focused obsessively on creating order amidst this chaos, developing an extraordinary capacity for bridging critical awareness gaps. First, building sophisticated infrastructure for mining virtually everything knowable about a given software component. And, second...
  • A platform for delivering knowledge directly into the tools that developers and development managers use every day. That platform, Sonatype Insight, enables organizations to govern development processes, to continuously monitor the health of their repositories, and to retrieve real-time alerts when critical applications are affected by newly discovered threats.
  • So... today, we have a vital, frighteningly complex ecosystem with viral issue propagation and no notification infrastructure. Tomorrow will be a lot less frightening. The launch of Insight is happening as we speak. Pre-launch activities have generated more than 300 customers, and over the next few months we expect thousands of others to join them. A significant advance, we hope, in the state of software integrity and application security.
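The "issues are viral, fixes are not" point in the notes above can be made concrete with a small dependency-graph walk. The following is an added example, not code from the presentation or from Sonatype's products; the component names, versions and pins are constructed, and the `repin` step is a simplification (in practice each direct consumer must ship a new release that downstream projects then adopt). It finds every component transitively exposed to a flawed version, shows that merely publishing a fixed version changes nothing for consumers still pinning the old one, and shows that only re-pinning shrinks the exposed set.

```python
"""Transitive exposure to a flawed component in a constructed dependency graph."""
from collections import deque

# Constructed sample graph (not real project data):
# "component@version" -> list of the exact versions it pins as dependencies.
DEPENDENCIES = {
    "crypto-lib@1.0": [],                      # the flawed release
    "crypto-lib@1.1": [],                      # hypothetical fixed release
    "http-client@2.3": ["crypto-lib@1.0"],     # pins the flawed release
    "json-parser@1.2": [],
    "web-framework@4.0": ["http-client@2.3", "json-parser@1.2"],
    "payments-app@7.1": ["web-framework@4.0"],  # exposed only transitively
    "reporting-app@3.0": ["json-parser@1.2"],   # not exposed at all
    "new-client@0.9": ["crypto-lib@1.1"],       # already on the fixed release
}


def reverse_graph(deps):
    """Map each component to the components that declare it as a direct dependency."""
    rev = {}
    for consumer, pins in deps.items():
        for pin in pins:
            rev.setdefault(pin, []).append(consumer)
    return rev


def affected_by(flawed, deps):
    """Breadth-first walk over reverse edges from `flawed`.

    Returns {consumer: path}, where path runs from the flawed component to
    the consumer, so a defender can see *why* an application is exposed.
    """
    rev = reverse_graph(deps)
    paths = {}
    queue = deque([(flawed, [flawed])])
    while queue:
        current, path = queue.popleft()
        for consumer in rev.get(current, []):
            if consumer not in paths:          # first-found path is the shortest
                paths[consumer] = path + [consumer]
                queue.append((consumer, paths[consumer]))
    return paths


def publish(deps, component, pins=()):
    """Return a copy of the graph with a new release added; nobody depends on it yet."""
    new = dict(deps)
    new[component] = list(pins)
    return new


def repin(deps, old, new):
    """Return a copy of the graph in which every direct consumer of `old` pins `new`.

    Simplification: the consumers are rewritten in place rather than releasing
    new versions of their own.
    """
    return {c: [new if p == old else p for p in pins] for c, pins in deps.items()}


if __name__ == "__main__":
    exposed = affected_by("crypto-lib@1.0", DEPENDENCIES)
    for consumer, path in sorted(exposed.items()):
        print(f"{consumer} exposed via {' -> '.join(path)}")

    # Publishing yet another fixed release does not change who is exposed.
    after_release = affected_by("crypto-lib@1.0", publish(DEPENDENCIES, "crypto-lib@1.2"))
    print("exposed after a new release:", sorted(after_release))

    # Only when the direct consumer re-pins does the downstream exposure disappear.
    after_repin = affected_by("crypto-lib@1.0", repin(DEPENDENCIES, "crypto-lib@1.0", "crypto-lib@1.1"))
    print("exposed after re-pinning:", sorted(after_repin))
```

Run as a script it prints the exposure chain for each affected component, then the (unchanged) set after a new release and the empty set after re-pinning; the same walk over a real bill of materials is the core of the "which of our applications carry this flawed component" question the talk describes.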

Presentation Transcript

  • From the authors of Maven, Nexus, m2eclipse and other leading technologies. The Sorry State of Application Security. Wayne Jackson, Chief Executive Officer. Used by 80,000 organizations worldwide.
  • Central: Where Open Source Lives. Sonatype.
  • Ecosystem Lacks Change Awareness (slide text: "WE DON'T KNOW ABOUT", "WE CAN BELIEVE IN"). 14,334 components were updated in 2011; on average, 400 updates per day.
  • Component Dependencies are Complex. 80% of modern software is open source. The Global 2000 average more than 1,000 unique components per month.
  • Issues are Viral... 1,447 projects contain the flawed component ...the Fixes are NOT.
  • Houston, We Have a Problem! In the last year... 6,982 organizations; crypto library; Level 10 flaw; 3 years after fix.
  • Event-Driven Knowledge Engine (diagram; recoverable labels: The Central Repository, Public & Private Component Usage Events, Metadata Resources, Update Events, Consumption Events, Metadata Events, Flaw Update, Correlation, Knowledge Creation, License Detail, Project Detail, Component Detail, Consumption Detail, Reason).
  • Delivering Knowledge. In Context. Sonatype Insight.
  • Sonatype: Transforming Software Integrity. Started: Q3 2010. Insight Pre-Launch: Q4 2011. Insight Launch: RSA 2012. Already, more than 300 customers.
  • From the authors of Maven, Nexus, m2eclipse and other leading technologies. Thank You! Used by 80,000 organizations worldwide.