THE SECURITY INFLUENCER’S CHANNEL HOSTED BY JEFF WILLIAMS CHIEF TECHNOLOGY OFFICER, CONTRAST SECURITY Episode Four: Wayne Jackson from Sonatype

Episode Four: Wayne Jackson of Sonatype

Jun 14, 2015



In this episode, Jeff Williams interviews Wayne Jackson of Sonatype. They discuss the results of The 2014 Open Source Development Survey, in which 3,300 surveyed developers gave their honest opinions on everything from third-party code to internal policies and procedures. Topics include the implications for continuous application security, compliance measures, and application security automation.
Transcript
WAYNE JACKSON: We at Sonatype focus on the supply chain and how open source is really the underpinning of the software development supply team; we tend to focus on open source and how people are thinking about their use of open source.

JEFF: It looks like the vast majority of application security practices are manual in nature. So how does that work with software getting faster with Agile and DevOps development, and most organizations doing this manual AppSec process? How does that work?

WAYNE: Well, it doesn't, to be candid, and it can't.

WAYNE: You're essentially dooming the organization in one of two ways. Either you're dooming the organization to be slow, or you'd be dooming people to use old code.

JEFF: So is it possible to go fast and be secure?

WAYNE: Only with automation.

WAYNE: We encourage folks to find the attributes of acceptability, and let machines make pass/fail decisions.

JEFF: I think a lot of people see automation as just putting tools in place and then the tools do whatever the tools do. You're actually talking about a policy decision, then you use the tool infrastructure to automate.

WAYNE: Exactly.

JEFF: In a lot of organizations that I work with, I see them just basically adopt the tool and run it without configuring it. They just make their policy whatever the tool does out of the box.

WAYNE: Yes, and that's very sad.

PCI COMPLIANCE

JEFF: Only 56% of the survey participants said their organizations have an open source policy in place. Surprising?

WAYNE: It's actually relatively consistent with prior years, which is a little disappointing.

WAYNE: The bigger concern I have is whether they have policies and practices that actually move the needle.

WAYNE: We were at a major global bank recently, and they were doing an analysis of how effective their policies were, and they found the developers who needed a thing were renaming that thing to match something that was on a white list so that they would be compliant with their policy.

JEFF: In the survey it says that 63% of companies don't track vulnerabilities over time. So a library that has a vulnerability one day, and then the next day the vulnerability gets released, 63% of companies are not going to notice that. What does that say about the process that companies are following?

WAYNE: I think it reflects a general immaturity and a mistaken assumption that open source is okay and secure.

WAYNE: There are some things missing in the open source ecosystem that we take for granted in commercial relationships.

JEFF: And you have to do it continuously, right? I mean these vulnerabilities are rolling out every week, it seems.

JEFF: Is there a way to tell the difference between the open-source projects that are basically doing good security stuff and open-source projects that aren't?

WAYNE: We're doing a lot of work in that regard [secure open-source projects]. One of the things that we encourage folks in the commercial realm to do is to think about the dependencies in their projects and, if they have security defects, to replace them with something better.

JEFF: I love the fact that [Sonatype] has access to so much data about the open-source community, open-source usage, and component usage.

JEFF: What did you find in the survey that was surprising?

WAYNE: One of the things that I found surprising, especially in the context of Struts, given how many folks are affected by it, is that there weren't dramatic shifts toward better practices.

JEFF: I am more and more convinced that the only real approach that works with application security is pushing those activities into the development groups and having the development groups be able to do them themselves.

WAYNE: There is just a fundamental misalignment with the group that's designed to automate things periodically.

WAYNE: Part of enabling tools is making the tools simple enough that they can move left [in the SDLC].

JEFF: I think that there is a lot of room for experimentation and growth in this space because it's early.

WAYNE: Agreed. Yeah, and again, to your point, I'm not diminishing the expertise that resides in some of those groups, and there need to be strategic and thought leaders around security policy. But concentrating in those groups the expertise required to actually operate a tool, to me, implies that the tools just aren't right.

JEFF: I think that's a fair point. And we're both trying to fix that problem.

JEFF WILLIAMS WITH WAYNE JACKSON OF SONATYPE