Tanya Janca, also known as SheHacksPurple, sat down with me on this episode of DevSecOps: The Good, The Bad, and The Ugly. Her new company teaches application security, DevSecOps, and cloud security. We talked about how she’s building her courses and her thoughts on managing open source software. I highly recommend you check out her resources.
Along the way she says she is a “big fan of SCA.” We couldn’t agree more.
The video of the interview, and an excerpt of our discussion, follow.
Please watch the interview above for the full context of the excerpt below.
Tanya Janca: Definitely, because a secret being published is basically the end of the world, I would start with that. Then I would start with software composition analysis, just because it’s such a quick win and the results are generally extremely, extremely accurate compared to, for instance, something like static code analysis where the results … I just wouldn’t put that in the main pipeline personally.
Zack Conord: Right. What percentage of the code would you say is open source, Tanya, in a typical application today?
Tanya Janca: Wait, open source or in libraries and third party components?
Zack Conord: Libraries, your dependencies, how much of that is your actual code base?
Tanya Janca: Some people say it’s as low as 60% and some people say it’s as high as 90%. I would say it’s probably 80% to 90% in most apps. The actual code that you write every time you call a function, unless you wrote that function …
Zack Conord: Right.
Tanya Janca: Every single thing you do, and usually if you’re following my advice, if you’re doing any sort of security functionality, you’re calling the functionality in your framework. And everything in your framework counts as third party.
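The pipeline ordering Tanya describes above (fail fast on a published secret, then run software composition analysis against the dependency manifest) is easy to show in code. The following is an added example written for this post; it is not code from the interview, from Tanya's courses, or from Sonatype. The package names, advisory IDs, version ranges and source snippets are all constructed for the demo (the AWS key is the documented `AKIAIOSFODNN7EXAMPLE` placeholder), the `requirements.txt` parser only understands `name==x.y.z` pins and flags everything else as unpinned, and the version comparison is a plain three-part numeric compare rather than full PEP 440 or semver (no pre-release or build metadata), which is one reason production SCA tools are more involved than this.

```python
"""Minimal CI gate: secrets scan first, then SCA of pinned dependencies.

Added example, not the interview's or Sonatype's code. All package names,
advisory IDs and sample files below are constructed for the demo.
"""
import re

# ---------- version handling (assumption: simple MAJOR.MINOR.PATCH, no pre-release) ----------

def parse_version(v):
    """'1.4.2' -> (1, 4, 2); missing components are padded with 0, trailing junk ignored."""
    nums = []
    for part in v.strip().split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}

def version_matches(version, range_spec):
    """True when every comma-separated clause in range_spec (e.g. '>=1.0.0,<1.5.0') holds."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*([\d.]+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

# ---------- manifest parsing (assumption: requirements.txt with '==' pins) ----------

def parse_requirements(text):
    """Return {package: version} for pinned lines; unpinned packages map to None."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        pinned = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([\d.]+)", line)
        if pinned:
            deps[pinned.group(1).lower()] = pinned.group(2)
            continue
        name = re.match(r"^([A-Za-z0-9_.-]+)", line)
        if name:
            deps[name.group(1).lower()] = None  # cannot be matched precisely; report it
    return deps

# ---------- SCA: match dependencies against an advisory list ----------

def run_sca(deps, advisories):
    """Return (package, version, advisory_id, status) tuples; status is 'affected' or 'unpinned'."""
    findings = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg not in deps:
            continue
        ver = deps[pkg]
        if ver is None:
            findings.append((pkg, None, adv["id"], "unpinned"))
        elif version_matches(ver, adv["affected"]):
            findings.append((pkg, ver, adv["id"], "affected"))
    return findings

# ---------- secrets: a few high-confidence patterns ----------

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)\b(password|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_secrets(text):
    """Return (line_number, pattern_name) for every line that matches a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, name))
    return hits

def gate(source_files, requirements_text, advisories):
    """Secrets first (any hit fails the build before SCA runs), then SCA on the manifest.

    Returns (passed, report). Unpinned dependencies are reported but do not fail the gate.
    """
    for path, text in source_files.items():
        hits = scan_secrets(text)
        if hits:
            return False, {"stage": "secrets", "file": path, "hits": hits}
    findings = run_sca(parse_requirements(requirements_text), advisories)
    affected = [f for f in findings if f[3] == "affected"]
    return (not affected), {"stage": "sca", "findings": findings}

# ---------- constructed sample inputs for the demo ----------

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the demo
examplelib==1.4.2
demo-http==2.0.0
othertool>=3.0   # deliberately unpinned
"""

SAMPLE_ADVISORIES = [  # constructed advisories; the IDs and packages are not real
    {"id": "DEMO-ADV-001", "package": "examplelib", "affected": ">=1.0.0,<1.5.0"},
    {"id": "DEMO-ADV-002", "package": "demo-http", "affected": "<2.0.0"},
    {"id": "DEMO-ADV-003", "package": "othertool", "affected": "<3.1.0"},
]

CLEAN_SOURCE = "import examplelib\n\ndef main():\n    return examplelib.run()\n"
LEAKY_SOURCE = 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS documentation placeholder key

if __name__ == "__main__":
    print(gate({"app.py": LEAKY_SOURCE}, SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES))
    print(gate({"app.py": CLEAN_SOURCE}, SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES))
```

Two things the demo shows that the interview only states: the secrets stage can be made to fail the build before any slower analysis runs, and SCA results are precise only when the manifest pins versions. `demo-http==2.0.0` is correctly cleared by the `<2.0.0` range, while `othertool>=3.0` cannot be matched at all and is surfaced as "unpinned" rather than silently passed.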
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Zack Conord. Read the original post at: https://blog.sonatype.com/tanya-janca-is-big-fan-of-sca