Session: Don’t be Afraid to Upgrade: Lessons of speed and security from high performance open source development

With 20 million developers, 300,000 open source projects, and 1.5 trillion open source package downloads annually — what could go wrong? Or better yet, what could we get more right?

For the past seven years, I’ve studied behaviors of commercial development teams, open source projects, and the community of adversaries attacking open source software supply chains. One thing is certain: when it comes to security, speed is king.

In 2017, it took three days for adversaries to exploit newly disclosed vulnerabilities in open source components, resulting in breaches at Equifax, Canada Revenue, Okinawa Power, and AADHAAR. Since then, companies and governments have made significant investments to avoid becoming the “next Equifax”. Eager to find their next attack vector, adversaries have shifted their strategies ‘upstream’ to next generation software supply chain attacks, where infecting a single component lets them distribute it quickly ‘downstream’ to hundreds or millions of unsuspecting developers. Their exploits are now achieved in seconds.

For this reason, I’ve partnered with Gene Kim and Dr. Stephen Magill to better understand how speed might lead to better security outcomes for open source projects and enterprise development teams. For two years, we objectively examined and empirically documented software release and upgrade patterns as well as cybersecurity hygiene practices across 24,000 commercial development teams and open source projects. At the heart of our endeavor, we wanted to know what practices would produce the best security and productivity outcomes.

In this session, I’ll share the practices and outcomes we discovered that differentiate the low performers from the peak performers. You’ll understand how open source projects with 1.5x more frequent releases and 530x faster open source dependency upgrades harness this speed to dramatically improve the security of their code. You will also learn how high-performance enterprise software development teams simultaneously boost productivity and security, achieving 15x faster deployments and 26x faster remediation of application security vulnerabilities.

Finally, I’ll shed light on how we can all apply these exemplary practices to stay a step (or more) ahead of our adversaries. Don’t be afraid to upgrade your perspectives on application security and be sure to join this session.

Presenters: