Assessing risk in Open Source dependency use can make any security lead sweat. Projects which rarely update dependencies will be the slowest to react and remediate so-called “log4j incidents”, which is often referred to as “security debt”. Meanwhile, the risk of malicious code introduction or account takeovers in Open Source packages is not insignificant, so those who live on the cutting edge of latest versions may also be at increased risk from another angle. How can companies – especially those in highly-regulated industries like Finance – provide sensible guidance to software teams which optimizes their risk?
This presentation will address the challenge from both angles – how much more at risk are projects when they fall behind in dependencies, plus how much risk is there from malicious code in Open Source? Justin Clareburt will deliver this perspective as someone responsible within Mend.io for both dependency automation solutions as well assupply chain security – scanning for malicious releases in near real-time.