DevOps.com, profile picture
Uploaded byDevOps.com
190 views

The DevOps Challenge: Open Source Security at Scale

The document discusses the challenges of securing open source components in DevOps, highlighting that 96.8% of developers rely on them, yet security vulnerabilities are rising, with a 51% increase in reported vulnerabilities in 2017. It emphasizes the need for efficient prioritization of fixes based on business impact and suggests integrating security throughout the software development lifecycle by automating scanning, prioritization, and remediation. Key takeaways include knowing your code and monitoring it frequently to enhance security measures.

Embed presentation

Downloaded 17 times
Open Source Security at Scale The DevOps Challenge
Hello! Shiri Arad Ivtsan Product Manager @WhiteSource Shiri.ivtsan@WhiteSourceSoftware.com
Continuous Delivery
Continuous Delivery
Open Source 96.8%of the developers rely on open source components
Security in Open Source
Some Basic Statistics * Based on a survey conducted in more than 650 companies
OSS Security Vulnerabilities Are On The Rise 51% The observed YoY rise of reported vulnerabilities in 2017
Open Source Challenges Onechallenging area in particular is pronounced
Companies Do Not Prioritize Their Fixes Efficiently Criticality of the project that might be impacted by the vulnerability Availability of the suggested fix Perceived impact of the vulnerability on projects Number of software libraries containing the vulnerability Vulnerability severity Creation date of the vulnerability alert prioritize based on the real business impact ~56% Just
Recent News Integrity Availability Security-Protection
Security Throughout The SDLC Pipeline
Scan
CI/CD Pipeline Code Build Package Deploy
Code Code Build Package Deploy • Choose the right component from the earliest stages • Automatically open pull requests for patches • Restrict merges if vulnerabilities exist
Build Code Build Package Deploy • Scan on any build • Fail builds based on policies (i.e high severity vulnerabilities)
Package Code Build Package Deploy • Scan Docker images – in private and public image registries
Deploy Code Build Package Deploy • Scan upon deployment to your production platform • Monitor running applications in production for newly published vulnerabilities
Key Takeaways Know your code Monitor it frequently Make it simple & faster: Automate • Automate the scanning • Automate the prioritization • Automate your remediation
Q&A

More Related Content

PDF
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
PDF
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
PDF
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
PDF
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
byWhiteSource
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PDF
Tackling the Risks of Open Source Security: 5 Things You Need to Know
byWhiteSource
 
PDF
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
byDevOps.com
 
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
Scale DevSecOps with your Continuous Integration Pipeline
byDevOps.com
 
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
The State of Open Source Vulnerabilities Management
byWhiteSource
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
Tackling the Risks of Open Source Security: 5 Things You Need to Know
byWhiteSource
 
Embrace DevSecOps and Enjoy a Significant Competitive Advantage!
byDevOps.com
 

What's hot

PDF
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
PDF
Dev secops. Real experience.
byVitaly Balashov
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
PDF
Taking Open Source Security to the Next Level
byWhiteSource
 
PPTX
Why Serverless is scary without DevSecOps and Observability
byEficode
 
PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
byWhiteSource
 
PDF
Addressing the Challenges of Mobile Test Automation
byTechWell
 
PDF
Pentest as a Service Impact 2020
byDevOps.com
 
PDF
Secure your Azure and DevOps in a smart way
byEficode
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
PDF
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
PPTX
DevSecOps - It can change your life (cycle)
byQualitest
 
PPTX
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
PPTX
How to apply DevOps in a regulated organisation
byColin Domoney
 
PDF
Keynote: Puppet camp compliance
byPuppet
 
PDF
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
PDF
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
Microsoft DevOps Forum 2021 – DevOps & Security
byNico Meisenzahl
 
Dev secops. Real experience.
byVitaly Balashov
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
byDenim Group
 
Taking Open Source Security to the Next Level
byWhiteSource
 
Why Serverless is scary without DevSecOps and Observability
byEficode
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
byWhiteSource
 
Addressing the Challenges of Mobile Test Automation
byTechWell
 
Pentest as a Service Impact 2020
byDevOps.com
 
Secure your Azure and DevOps in a smart way
byEficode
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
DevSecOps - It can change your life (cycle)
byQualitest
 
DevSecOps-OWASP Indonesia Day 2017
bySuman Sourav
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
How to apply DevOps in a regulated organisation
byColin Domoney
 
Keynote: Puppet camp compliance
byPuppet
 
DevSecOps Singapore 2017 - Security in the Delivery Pipeline
byJames Wickett
 
RSAC DevSecOpsDays 2018 - We are all Equifax
bySonatype
 
PIACERE - DevSecOps Automated
byPIACERE
 

Similar to The DevOps Challenge: Open Source Security at Scale

PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
byWhiteSource
 
PPTX
Software Security Assurance for Devops
byJerika Phelps
 
PPTX
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
byBlack Duck by Synopsys
 
PPTX
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
PDF
(In)security in Open Source
byShane Coughlan
 
PPTX
Security in the Age of Open Source
byBlack Duck by Synopsys
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
PDF
All Things Open 2022 - State of OSS Security & Support
byJavier Perez
 
PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
PPTX
A question of trust - understanding Open Source risks
byTim Mackey
 
PPTX
All You need to Know about Secure Coding with Open Source Software
byJavier Perez
 
PPTX
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
bySBWebinars
 
PPTX
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
PPTX
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
byBlack Duck by Synopsys
 
PPTX
Security in the age of open source - Myths and misperceptions
byTim Mackey
 
PPTX
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
PDF
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
byWhiteSource
 
Software Security Assurance for Devops
byJerika Phelps
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
byBlack Duck by Synopsys
 
Software Security Assurance for DevOps
byBlack Duck by Synopsys
 
(In)security in Open Source
byShane Coughlan
 
Security in the Age of Open Source
byBlack Duck by Synopsys
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
All Things Open 2022 - State of OSS Security & Support
byJavier Perez
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
A question of trust - understanding Open Source risks
byTim Mackey
 
All You need to Know about Secure Coding with Open Source Software
byJavier Perez
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
The State of Open Source Vulnerabilities Management
bySBWebinars
 
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
byBlack Duck by Synopsys
 
Security in the age of open source - Myths and misperceptions
byTim Mackey
 
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
DevSecOps: The Open Source Way
byBlack Duck by Synopsys
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 

More from DevOps.com

PDF
Modernizing on IBM Z Made Easier With Open Source Software
byDevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
byDevOps.com
 
PPTX
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
byDevOps.com
 
PDF
Next Generation Vulnerability Assessment Using Datadog and Snyk
byDevOps.com
 
PPTX
Vulnerability Discovery in the Cloud
byDevOps.com
 
PDF
2021 Open Source Governance: Top Ten Trends and Predictions
byDevOps.com
 
PDF
A New Year’s Ransomware Resolution
byDevOps.com
 
PPTX
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
byDevOps.com
 
PDF
Don't Panic! Effective Incident Response
byDevOps.com
 
PDF
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
byDevOps.com
 
PDF
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
byDevOps.com
 
PDF
Monitoring Serverless Applications with Datadog
byDevOps.com
 
PDF
Deliver your App Anywhere … Publicly or Privately
byDevOps.com
 
PPTX
Securing medical apps in the age of covid final
byDevOps.com
 
PDF
How to Build a Healthy On-Call Culture
byDevOps.com
 
PPTX
The Evolving Role of the Developer in 2021
byDevOps.com
 
PDF
Service Mesh: Two Big Words But Do You Need It?
byDevOps.com
 
PPTX
Secure Data Sharing in OpenShift Environments
byDevOps.com
 
PPTX
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
byDevOps.com
 
PDF
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
byDevOps.com
 
Modernizing on IBM Z Made Easier With Open Source Software
byDevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
byDevOps.com
 
Comparing Microsoft SQL Server 2019 Performance Across Various Kubernetes Pla...
byDevOps.com
 
Next Generation Vulnerability Assessment Using Datadog and Snyk
byDevOps.com
 
Vulnerability Discovery in the Cloud
byDevOps.com
 
2021 Open Source Governance: Top Ten Trends and Predictions
byDevOps.com
 
A New Year’s Ransomware Resolution
byDevOps.com
 
Getting Started with Runtime Security on Azure Kubernetes Service (AKS)
byDevOps.com
 
Don't Panic! Effective Incident Response
byDevOps.com
 
Creating a Culture of Chaos: Chaos Engineering Is Not Just Tools, It's Culture
byDevOps.com
 
Role Based Access Controls (RBAC) for SSH and Kubernetes Access with Teleport
byDevOps.com
 
Monitoring Serverless Applications with Datadog
byDevOps.com
 
Deliver your App Anywhere … Publicly or Privately
byDevOps.com
 
Securing medical apps in the age of covid final
byDevOps.com
 
How to Build a Healthy On-Call Culture
byDevOps.com
 
The Evolving Role of the Developer in 2021
byDevOps.com
 
Service Mesh: Two Big Words But Do You Need It?
byDevOps.com
 
Secure Data Sharing in OpenShift Environments
byDevOps.com
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
byDevOps.com
 
Elevate Your Enterprise Python and R AI, ML Software Strategy with Anaconda T...
byDevOps.com
 

Recently uploaded

PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
apidays New York 2025 | AI in Application Security
byapidays
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Workflow and decision Automation with Flowable
bychakib ch
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 

The DevOps Challenge: Open Source Security at Scale