Bryan Batty is the Director of Product and Infrastructure Security at Bloomberg Industry Group, a subsidiary of Bloomberg L.P., the news organization behind the Bloomberg terminal. The group's focus is on legal, tax, and accounting news, and on tax and accounting software.
Batty runs the product security and infrastructure security teams, working closely with developers and the infrastructure teams to make sure that what is put into production and into operations is done securely, which includes looking for vulnerabilities in their existing infrastructure.
We caught up with Batty to talk about the software development process at Bloomberg Industry Group, and specifically the management of their software supply chain, in this four-part conversation.
"If you start out with a tool like Sonatype’s Nexus Lifecycle, it's going to work out well. You’ll know immediately the version of a component, whether it has a license that you want to use, or if it has known vulnerabilities."
"Over the last couple of years, the phrase has become “Software Composition Analysis” [SCA] for scanning third-party libraries and open source libraries for license violations and for known security vulnerabilities. Among other things, SCA needs to review the code quality and the age of the library that you're using..."
"Start with the source control system. If you had nothing else, at least know that you can version your software, and that two different people working on it at the same time aren’t going to step on each other's toes."
"If we are able to get those numbers down, then eventually there will be less time we actually spend remediating security and more time building security into the application."
"If you are faced with an emergency where you have to upgrade, you don't want to try to upgrade 15 years' worth of versions. You should be right at the current version when building new applications or updating existing applications."