Dealing with the fallout from a massive exploit is everyone’s nightmare. Time and time again these vulnerabilities are found in open-source software. Does this mean we can’t trust open-source and should be developing everything from scratch? No, that is neither feasible nor sustainable for anyone’s environment. So how do you handle this code that is embedded everywhere? In this talk, I’ll discuss the concerns that open-source code and dependencies bring to any environment. We’ll start off by taking a historical look at vulnerabilities and their impact. Through this, we’ll look at methods for discovery, triage, and remediation. I focus on the core tenets of remaining flexible, remaining scalable, and integrating automation, with the overall goal of reducing both risk and operational costs. The tradeoff between productivity, cost, and security doesn’t have to be a pick-two, lose-one scenario.