DevOpsSec: Being Outnumbered by Open Source & Third-party Components

By Derek E. Weeks

Last week, I visited a company very well known in the U.S. financial services and insurance (FSI) industry. Their teams have been on the front lines of security and legal compliance for about six years, assessing all of the open source and third-party components their developers are freely bringing into their business. They consume over 1 million components annually across four major development languages.

The demand for open source components has been driven by development teams with shorter time to market objectives for a portfolio of over 500 applications. Why build from scratch what you can source in seconds?

This business saw the writing on the wall. Their development processes had changed, while their compliance processes had not kept up. When they performed a simple calculation on the number of people required to keep up with the compliance checks at their new development velocity, they reached an ugly conclusion. Over 100 compliance analysts would be required to keep pace. Ugh.

I can hear you now. “That’s not us.”

Think again.

The average development organization consumes 240,000 open source and third-party components annually. This is you.

Developers have long been addicted to the velocity offered by these open source and third-party components.

For compliance, audit, security, and legal professionals — there is a simple truth: automation is your only answer. When you are outnumbered and outgunned, there is no other option.

Last week, I was also invited by the Open Web Applications Security Project’s (OWASP) New York City chapter to share the research I have done in this area. I simply delivered the facts to help improve awareness of today’s development practices. My aim – to open a conversation that has been needed for years.

You can enjoy the OWASP discussion in the video below.