How’s that deodorant of yours working? If you wanted to hear yesterday’s presentation, you had to crowd in close; it was standing room only.
Sonatype’s Derek Weeks (@weekstweets) presented at Global AppSec DC. The conference, sponsored by the OWASP Foundation, is one of the largest gatherings in the open security community. In attendance were private and public sector infosec professionals with the shared goal of building a more secure web.
Derek’s presentation, Securing Modern Applications: The Data Behind DevSecOps, discussed the research presented in this year’s State of the Software Supply Chain report. The report, written in conjunction with Gene Kim of IT Revolution and Dr. Stephen Magill of Galois, tested a few working hypotheses about today’s open source software use and how it impacts web security.
Surprisingly, the findings blew up some assumptions, too.
Hypothesis 1: Projects that release frequently have better outcomes
TRUE. Projects that release frequently do have better outcomes. They are five times more popular, have 79% more developers than their peers in the open source community, and have 12% more foundation support.
Hypothesis 2: Projects that update their dependencies more frequently are more secure
TRUE. We validated this hypothesis against the data set: 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases. “If you see projects updating more frequently, pick those. Rely upon those components as your suppliers of the code into your enterprise and organizations,” Derek recommended.
Hypothesis 3: Projects with fewer dependencies stay up-to-date better
FALSE. “What we actually found was that components with more dependencies actually had better median times to update than their peers,” said Derek. The larger teams are usually the stronger suppliers. The study shows that larger development teams have a 50% faster