No one builds software completely from scratch anymore. The use of open source software is at an all-time high. The benefits in terms of time to market are too great to ignore. Open source isn’t a panacea though and in my experience too often the incorporated library is orphaned and left to fend for itself. As long as it functions properly, why would I ever revisit it?
Research conducted by Veracode shows that as much as 90% of an application is made up of third-party code including open source components and libraries. Also, 97% of Java applications assessed by Veracode contained at least one component with a known vulnerability. Using data from the recently released State of Software Security Report I will outline how components can be both the panacea and the poison to a development team. However, knowing the problem is only half the battle” what can be done? It is unlikely that any development team” even the most security conscience, will stop using components. So, how can development teams continue using components without putting their companies at risk? During this presentation, I will answer these questions while also examining some of the challenges development teams face when trying to make sure they are using secure components, make updates when a component vulnerability is disclosed and overall how the idea of secure component usage can impact a development team both negatively and positively.