OSSA NSA Open Source Industry Day 2013
Event date: September 04, 2013 00:00
Supply Chain Risk Management for Modern Software Development
Like automobile manufacturers, today's software developers assemble applications using existing, often open source, components rather than writing applications from scratch. Unlike the automobile industry, however, very few organizations employ any form of supply chain management discipline in their use of components in their software development practices. This shortcoming significantly increases the exposures in deployed applications and constrains an organization's ability to respond to new information, such as vulnerability disclosures, over time. In fact, recent research indicates that more than 70% of deployed applications contain components with known security flaws classified as severe or critical. Using rarely disclosed data from the Central Repository (the software ecosystem's canonical source for open source components, serving more than 13 billion download requests annually), this presentation will examine how the advantages of leveraged innovation in modern, component-based software development also introduce complexities that demand the adoption of principles long ago embraced in other ecosystems with complex supplier relationships. This presentation will also demonstrate how the adoption of supply chain management principles can actually increase productivity while producing significantly higher quality, more secure software.
Panel Members: Wayne Jackson, CEO, Sonatype; Dr. Ron Ross, Fellow, NIST