Abstract: Don’t be Afraid to Upgrade: lessons of speed and security from high performance open source development
For the past six years, I’ve studied behaviors of 15,000 commercial development teams, 24,000 open source projects, and the community of adversaries attacking open source software supply chains. One thing is certain: when it comes to security, speed is king.
In this keynote session, Derek Weeks will share the practices and outcomes discovered that differentiate the low performers from the peak performers. You’ll understand how open source projects with 1.5x more frequent releases and 530x faster open source dependency upgrades harness this speed to dramatically improve security within their code. You will also learn how high performance enterprise software development teams simultaneously boost productivity and security - achieving 15x faster deployments and 26x faster remediation of application security vulnerabilities.
Derek will show how you can apply these exemplary practices to stay a step (or more) ahead of your adversaries. Don’t be afraid to upgrade your perspectives on application security and be sure to join this keynote session.
Research Details: In 2017, it took three days for adversaries to exploit newly discovered vulnerabilities in open source components, resulting in breaches at Equifax, Canada Revenue, Okinawa Power, and AADHAAR. Since then, companies and governments have made significant investments to avoid becoming the “next Equifax”. Eager to find their next attack vector, adversaries have shifted their strategies ‘upstream’ to next generation software supply chain attacks, where they can infect a single component that is then quickly distributed ‘downstream’ to hundreds or millions of unsuspecting developers. Their exploits are now achieved in seconds.
For this reason, I’ve partnered with Gene Kim and Dr. Stephen Magill to better understand how speed might lead to better security outcomes for open source projects and enterprise development teams. For two years, we objectively examined and empirically documented software release and upgrade patterns as well as cybersecurity hygiene practices across 24,000 commercial development teams and open source projects. At the heart of our endeavor, we wanted to know what practices would produce the best security and productivity outcomes.
Bio: Derek E. Weeks is the world's foremost researcher on the topic of DevSecOps and securing software supply chains. For the past seven years, he has championed the research of the annual State of the Software Supply Chain Report and the DevSecOps Community Survey. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is also the co-founder of All Day DevOps, an online community of 95,000 IT professionals. In 2018, Derek was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community.