THE SECURITY INFLUENCER’S CHANNEL
HOSTED BY JEFF WILLIAMS, CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY
Episode Four: Wayne Jackson from Sonatype
JEFF WILLIAMS and WAYNE JACKSON

WAYNE JACKSON: “We at Sonatype focus on the supply chain and how open source is really the underpinning of software development supply team; we tend to focus on open source and how people are thinking about their use of open source.”

JEFF: “It looks like the vast majority of application security practices are manual in nature. So…how does that work with software getting faster with Agile and DevOps development, and most organizations doing this manual AppSec process? How does that work?”

WAYNE: “Well, it doesn’t, to be candid, and it can’t.”

WAYNE: “You’re essentially dooming the organization in one of two ways. Either you’re dooming the organization to be slow, or you’d be dooming people to use old code.”

JEFF: “So is it possible to go fast and be secure?”

WAYNE: “Only with automation.”

WAYNE: “We encourage folks to find the attributes of acceptability, and let machines make pass/fail decisions.”

JEFF: “I think a lot of people see automation as just putting tools in place and then the tools do whatever the tools do…You’re actually talking about a policy decision, then you use the tool infrastructure to automate.”

WAYNE: “Exactly.”

JEFF: “In a lot of organizations that I work with, I see them just basically adopt the tool and run it without configuring it. They just make their policy whatever the tool does out of the box.”

WAYNE: “Yes, and that’s very sad.”

PCI COMPLIANCE

JEFF: “Only 56% of the survey participants said their organizations have an open source policy in place. Surprising?”

WAYNE: “It’s actually relatively consistent with prior years, which is a little disappointing.”

WAYNE: “The bigger concern I have is whether they have policies and practices that actually move the needle.”

WAYNE: “We were at a major global bank recently, and they were doing an analysis of how effective their policies were, and they found the developers who needed a thing were renaming that thing to match something that was on a white list so that they would be compliant with their policy.”

JEFF: “In the survey it says that 63% of companies don’t track vulnerabilities over time. So a library that has a vulnerability one day, and then the next day a vulnerability gets released, 63% of companies are not going to notice that. What does that say about the process that companies are following?”

WAYNE: “I think it reflects a general immaturity…and a mistaken assumption that open source is okay and secure.”

WAYNE: “There are some things missing in the open source ecosystem that we take for granted in commercial relationships.”

JEFF: “And you have to do it continuously, right? I mean these vulnerabilities are rolling out every week it seems.”

JEFF: “Is there a way to tell the difference between the open-source projects that are basically doing good security stuff and open-source projects that aren’t?”

WAYNE: “We’re doing a lot of work in that regard [secure open-source projects]. One of the things that we encourage folks in the commercial realm to do is to think about the dependencies and their projects and, if they have security defects, to replace them with something better.”

JEFF: “I love the fact that [Sonatype] has access to so much data about the open-source community, open-source usage, and component usage.”

JEFF: “What did you find in the survey that was surprising?”

WAYNE: “One of the things that I found surprising, especially in the context of Struts, given how many folks are affected by it, that there weren’t dramatic shifts toward better practices.”

JEFF: “I am more and more convinced that the only real approach that works with application security is pushing those activities into the development groups and having the development groups be able to do them themselves.”

WAYNE: “There is just a fundamental misalignment with the group that’s designed to automate things periodically.”

WAYNE: “Part of enabling tools is making the tools simple enough that it can move left [in the SDLC].”

JEFF: “I think that there is a lot of room for experimentation and growth in this space because it’s early.”

WAYNE: “Agreed. Yeah, I, and again to your point, I’m not diminishing the expertise that resides in some of those groups and there need to be strategic and thought leaders around security policy. But concentrating in those groups, expertise required to actually operate a tool, to me, implies that the tools just aren’t right.”

JEFF: “I think that’s a fair point. And we’re both trying to fix that problem.”
JEFF WILLIAMS WITH WAYNE JACKSON OF SONATYPE
