Explore lessons from integrating third-party library scanning in DevOps workflows in this AppSecUSA 2018 conference talk. Discover the challenges of securing open-source dependencies in rapid development environments and learn practical strategies for implementing effective security measures. Gain insights into technical and architectural choices for library scanning at scale, automation techniques, and methods to maintain a consistent developer experience. Understand how to leverage DevOps tooling to build security that empowers developers, and receive tips on implementing third-party library security automation in developer workflows. Learn to make security the path of least resistance and measure success empirically over time. Benefit from the speakers' experiences, including dos and don'ts, to successfully integrate security practices without compromising development speed or credibility.
Lessons from Integrating Third Party Library Scanning in DevOps Workflow
Overview
Syllabus
Intro
Open Source Libraries 100%
Observations
Security Use Case Need to Know Vulnerability Exposure
Legal Use Case Need to Know Liability
Principles Automation & Integration in DevOps
Principles Guard Rails, Strategic Toll-Booths
Principles Developer Inclusion, Not Just Awareness
When to Trigger What factors did we consider?
New vs Legacy
Legacy Security Debt
Where We Are Today What did we decide on?
By The Numbers How did the initial approach work out?
By The Numbers How about the current implementation? Complete coverage of runtime Ibraries
Key Takeaways
Taught by
OWASP Foundation
