A More Secure Web Needs Developers, Defenders, Advocates, and OSS

How’s that deodorant of yours working? If you wanted to hear yesterday’s presentation you had to crowd in, close — it was standing room only.

Sonatype’s Derek Weeks (@weekstweets) presented at Global AppSec DC. The conference, sponsored by the OWASP Foundation, is one of the largest gatherings in the open security community. In attendance were private and public sector infosec professionals with the shared goal of building a more secure web.

Derek’s presentation, Securing Modern Applications: The Data Behind DevSecOps, discussed the research presented in this year’s State of the Software Supply Chain report. The report, written in conjunction with Gene Kim of IT Revolution and Dr. Stephen Magill of Galois, proved a few working hypotheses about today’s open source software use, and how that impacts web security.

Surprisingly, the findings blew up some assumptions, too.

Hypothesis 1: Projects that release frequently have better outcomes

TRUE. Projects that release frequently do have better outcomes. They’re five times more popular. They have 79% more developers than peers within the open source community. And, they have 12% more foundational support within these projects.

Hypothesis 2: Projects that update their dependencies more frequently are more secure

TRUE. We validated this hypothesis by examining the data: 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases. “If you see projects updating more frequently, pick those. Rely upon those components as your suppliers of the code into your enterprise and organizations,” Derek recommended.

Hypothesis 3: Projects with fewer dependencies stay up-to-date better

FALSE. “What we actually found was that components with more dependencies actually had better median times to update than their peers,” said Derek. The larger teams are usually the stronger suppliers. The study shows that larger development teams have a 50% faster (Read more...)