Application Security: Why Open Source Components Matter
Sonatype's Derek Weeks on What's Changed Since the Equifax Breach
As part of a multi-city tour, ISMG and Sonatype visited Atlanta recently for an engaging discussion on how to mitigate risks introduced by open source code. Derek Weeks, vice president and DevOps advocate with Sonatype, discusses what's changed since the Equifax data breach of 2017, when an unpatched vulnerability in Apache Struts opened the door to an attack, and why CISOs and security leaders need to do more to ensure that the open source components developers download to build applications don't lead to a similar incident.
"[CISOs] really don't spend enough time investigating things like how much other open source are we using within our environment? How much open source are we using that might be vulnerable?" Weeks says.
In an interview following the Atlanta event, Weeks discusses:
- What's changed in the two years since the Equifax breach was first announced;
- The speed at which attackers take advantage of known vulnerabilities;
- And how new privacy and government regulations should make CISOs think harder about the type of open source components a business uses when building applications.
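The inventory question Weeks raises (how much open source are we using, and how much of it might be vulnerable) is what a software composition check answers in practice. What follows is an added example, not code from the article, ISMG or Sonatype: it reads a Maven pom.xml, resolves `${property}` versions, and matches each declared dependency against an advisory table by version range. The pom, the advisory table, its IDs and its version ranges are constructed sample data, not an authoritative feed; struts2-core and commons-fileupload are real artifact names used only to make the sample realistic.

```python
"""Added example (not from the article or Sonatype): a minimal software
composition check over a Maven pom.xml. All data below is constructed."""
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom: one dependency pinned through a property,
# one pinned inline at the first fixed version.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.3</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table: (placeholder id, group, artifact, introduced,
# fixed-in). Affected versions are the half-open range [introduced, fixed).
# The IDs are placeholders, not real CVE identifiers.
SAMPLE_ADVISORIES = [
    ("SAMPLE-0001", "org.apache.struts", "struts2-core", "2.3.5", "2.3.32"),
    ("SAMPLE-0001", "org.apache.struts", "struts2-core", "2.5", "2.5.10.1"),
    ("SAMPLE-0002", "commons-fileupload", "commons-fileupload", "1.0", "1.3.3"),
]


def parse_version(v: str) -> tuple:
    """Turn '2.5.10.1' or '2.3.31-RC1' into a comparable tuple.
    Numeric segments compare as integers (so 2.3.5 < 2.3.31), short
    versions are zero-padded (so 2.5 < 2.5.10.1), and a textual
    qualifier such as RC1 or SNAPSHOT sorts below the bare release,
    as Maven orders it."""
    nums, qual = [], ""
    for seg in re.split(r"[.\-]", v):
        if seg.isdigit():
            nums.append(int(seg))
        else:
            qual = seg.lower()
            break
    nums += [0] * (6 - len(nums))
    return tuple(nums) + ((1, "") if not qual else (0, qual))


def resolve(value: str, props: dict) -> str:
    """Expand ${name} from <properties>. An unresolvable placeholder (a
    parent-pom or BOM property) is left intact so it is reported, not
    silently treated as safe."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def load_dependencies(pom_xml: str) -> list:
    """Return [(groupId, artifactId, version)] for each declared dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.replace(NS, ""): (p.text or "").strip()
             for p in root.findall(f"{NS}properties/*")}
    props.setdefault("project.version", (root.findtext(f"{NS}version") or "").strip())
    deps = []
    for d in root.findall(f"{NS}dependencies/{NS}dependency"):
        g = d.findtext(f"{NS}groupId", "").strip()
        a = d.findtext(f"{NS}artifactId", "").strip()
        v = resolve(d.findtext(f"{NS}version", "").strip(), props)
        deps.append((g, a, v))
    return deps


def check_dependencies(deps: list, advisories: list) -> list:
    """Return [(group:artifact, version, advisory id)]. A missing or
    unresolved version is reported as UNRESOLVED: an inventory that cannot
    name the version is not evidence that the component is safe."""
    findings = []
    for g, a, v in deps:
        if not v or "${" in v:
            findings.append((f"{g}:{a}", v or "(managed)", "UNRESOLVED"))
            continue
        pv = parse_version(v)
        for adv_id, ag, aa, lo, hi in advisories:
            if (ag, aa) == (g, a) and parse_version(lo) <= pv < parse_version(hi):
                findings.append((f"{g}:{a}", v, adv_id))
    return findings


if __name__ == "__main__":
    for name, ver, adv in check_dependencies(load_dependencies(SAMPLE_POM), SAMPLE_ADVISORIES):
        print(f"{name} {ver}: {adv}")
```

Two caveats a practitioner should keep in mind. First, this walks only the dependencies the pom declares; the component that matters is frequently pulled in transitively, so a real check runs over the resolved tree (for Maven, the output of `mvn dependency:tree`) rather than the pom alone. Second, the UNRESOLVED finding is deliberate: a version managed by a parent pom or BOM that the check cannot see must surface as an open question, not disappear from the report.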
Weeks is the world's foremost researcher on the topic of DevSecOps and securing software supply chains. For the past five years, he has championed the research of the annual State of the Software Supply Chain Report and the DevSecOps Community Survey. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. He is also the co-founder of All Day DevOps, an online community of 65,000 IT professionals. In 2018, he was recognized by DevOps.com as the "Best DevOps Evangelist" for his work in the community and in 2019 he was added to TechBeacon's "DevOps 100" list.