Software supply chains and the illusion of control
Derek Weeks shares the results of a three-year study of open source development practices across 3,000 organizations, exploring the vast software supply chains these organizations employ that are simultaneously improving development productivity and undermining quality and security practices. Derek then outlines DevOps practices that support building in quality and security from the beginning.
| Talk Title | Software supply chains and the illusion of control |
| --- | --- |
| Speakers | Derek Weeks (Sonatype) |
| Conference | O’Reilly Open Source Convention |
| Conf Tag | Making Open Work |
| Location | Austin, Texas |
| Date | May 8-11, 2017 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
Modern software development now consumes billions of open source and third-party components. Package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems, and others have made pulling in components a convenient standard practice; as a result, roughly 90% of a typical application is now composed of open source components. The good news: components improve developer productivity and accelerate time to market. The largely overlooked part: using a component brings with it ownership of, and responsibility for, whatever that component contains. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use contains a known security vulnerability. Ugh.

Drawing on a three-year study of open source development practices across 3,000 organizations, Derek Weeks explores the vast software supply chains these organizations rely on, which are simultaneously improving development productivity and undermining quality and security practices. He then outlines DevOps practices that support building in quality and security from the beginning. Topics include:
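The "1 in 16 components carries a known vulnerability" figure comes from matching the components an application pins against a vulnerability database, the core check a software composition analysis tool performs. The following is an added example of that check, not code from the talk or from Sonatype: it parses a pinned requirements-style manifest, compares each version numerically against advisory ranges, and reports the affected fraction. The manifest, the advisory ranges, and the `EXAMPLE-ADV-*` identifiers are all constructed for illustration; the version boundaries are arbitrary and do not describe real advisories.

```python
"""Added example (not from the talk): flag pinned dependencies whose version
falls inside a known-vulnerable range, the way a software composition
analysis (SCA) tool checks a manifest against a vulnerability database.

All data below is constructed for illustration. Real advisories would come
from a database such as OSV or the NVD; the ranges here are arbitrary.
"""
import re
from typing import Dict, List, Tuple

# Constructed requirements-style manifest: one "name==version" per line.
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
requests==2.19.1
flask==1.1.2
pyyaml==5.3
jinja2==2.11.3
urllib3==1.24.1
cryptography==3.3.2
"""

# Constructed advisory list: (package, introduced, fixed, advisory id).
# A version is affected when introduced <= version < fixed.
# The ids are placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    ("pyyaml",  "0",      "5.4",    "EXAMPLE-ADV-001"),
    ("urllib3", "0",      "1.24.2", "EXAMPLE-ADV-002"),
    ("jinja2",  "2.11.0", "2.11.3", "EXAMPLE-ADV-003"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.24.2' into (1, 24, 2) so versions compare numerically.

    Comparing raw strings is a classic SCA bug: '1.24.1' < '1.9' lexically,
    which would hide a vulnerable 1.24.x behind a fixed 1.9 boundary.
    """
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package_name: pinned_version}; rejects unpinned entries,
    because an unpinned dependency cannot be assessed against a range."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when the pinned version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(deps: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """List (package, version, advisory id) for every matching advisory."""
    hits = []
    for name, version in deps.items():
        for pkg, introduced, fixed, adv_id in advisories:
            if pkg == name and is_affected(version, introduced, fixed):
                hits.append((name, version, adv_id))
    return hits


def vulnerable_ratio(deps: Dict[str, str], advisories) -> float:
    """Fraction of distinct components with at least one matching advisory."""
    affected = {hit[0] for hit in find_vulnerable(deps, advisories)}
    return len(affected) / len(deps) if deps else 0.0


if __name__ == "__main__":
    deps = parse_manifest(SAMPLE_MANIFEST)
    for name, version, adv_id in find_vulnerable(deps, SAMPLE_ADVISORIES):
        print(f"{name}=={version} affected by {adv_id}")
    print(f"{vulnerable_ratio(deps, SAMPLE_ADVISORIES):.0%} of components affected")
```

On the constructed data, `pyyaml==5.3` and `urllib3==1.24.1` match, while `jinja2==2.11.3` sits exactly on the `fixed` boundary and is correctly not flagged; the half-open range and the numeric version comparison are the two details that decide whether such a check produces false negatives.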