After flying to 40 countries and racing through a half-Ironman competition, Derek woke up one morning on the top of Kilimanjaro and saw the world in a new light. Soon after, Derek become a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies and sustain long-lasting competitive advantages. From 2015 - 2016, Derek led the largest and most comprehensive analysis of software supply chain practices to date across 3,000 development organizations.

As the VP and DevOps Advocate for Sonatype, Derek is passionate about changing the way people think about software supply chains and improving public safety through improved software integrity. Derek is also the founder and core-organizers of the All Day DevOps Conference.

What I Know About Your Code: Security Secrets I Learned from 25,000 Applications

“Build quality in” is a core mantra of DevOps practices, yet many development practices (DevOps or not) are electively building defects into their applications on a massive scale.

Every software development organization on the planet has a software supply chain that is consuming a massive volume of open source and third-party components. Last year, 11 million developers consumed over 30 billion components. The use of these components is accelerating innovation while at the same time introducing elective risks and costly rework DevOps practices.

I was the primary researcher behind the 2016 State of the Software Supply Chain Report. It is a deep analysis of development practices across 3,000 development organizations. In the study, I examined development practices across 25,000 applications. While the average organization in the study consumed 229,000 open source and third party software components, the study revealed:

  • 6.8% of components consumed included known security flaws, impacting the integrity of operations
  • Costs to remediate 10% of vulnerabilities across a large application portfolio can exceed $7,000,000
  • Older components have a 3x higher defect density

Join me to discuss the reasons and remedies behind these practices. I’ll aim to bring greater awareness toward easing the integration between development and security practices that so many organizations find challenging. I’ll also shed light on industry best practices being applied to improve high velocity development to build quality in.

During the discussion, I’ll also share evidence from the FDA, Underwriters Laboratories, the Department of Energy, Capital One and Intuit where development practices with security built in are gaining traction. Attendees will gain new visibility as to what’s happening in their own software supply chains and receive industry benchmarks of those enhancing quality and security practices to take back home.