[INFOGRAPHIC] Are we really securing our applications?

•

0 gostou•373 visualizações

Eye-opening statistics about the lack of open source governance in the application development process. Based on a 2013 survey of 3500 developers, architects and managers across many industries.

Tecnologia

ARE WE REALLY SECURING
OUR APPLICATIONS?
0
1
0
1
1
0
1
0
0
0
0
1
0
0
1
1
1
1
1
0
1
0
0
0
These days,
of an application is
assembled from open
source components.
80%
Forever changing the
way we develop software...
Open Source
Software Usage Has
Exploded
2012: 8 Billion
2013: 12 Billion!
POLICIES
ARE NOT
OPEN SOURCE
IS POPULAR
Psssst; and of those policies don’t even
address security
29%
Yet only of
organizations have policies
governing component usage.
57%
of all applications contain
a critical ﬂaw in at least one open
source component
71%
Using risky components is now #9 on OWASP’s
Top 10 Application Security Concerns.
In manufacturing
we call this a
“Bill of Materials”
And, nearly of
organizations don’t know
which components are
used in their applications.
2/3
40%
Security is a
top concern
60%
Not focused on it.
Don’t have time.
Someone else is
responsible.
of developers are not
concerned about security
60%
Today’s popular application “scanning” tools don’t assess components
(or their dependencies)
Plus, most application security methods can’t
see components.
We are NOT eﬀectively securing our applications
CONCLUSION:
Continuous monitoring —— new vulnerabilities are always being
discovered, you need to know where you are at risk.
5
Governance across the software lifecycle —— policies that are enforced
across the DevOps toolchain ensure defense-in-depth.
4
Developer control —— provide information within the IDE to make it easy
for developers to pick the best components from the start.
3
Automated OSS governance —— manual processes just don’t work!2
Application “Bill of Materials” —— you need to know what’s in your apps.1
Top 5 Ingredients to secure apps composed with open source:
SOURCE: Sonatype 2013 survey of 3500 developers, architects and managers across all
industries, company sizes and geographic regions – making it the largest, most comprehensive
survey of its kind. www.sonatype.com/survey2013www.sonatype.com
White paper: Learn how to minimize risk in open source-based applications.

Mais conteúdo relacionado

Mais de Sonatype

DevSecOps reference architectures 2018

Sonatype

30+ Nexus Integrations to Accelerate DevOps

Sonatype

2017 DevSecOps Survey

Sonatype

Gary Gruver, Gruver Consulting In my role, I get to meet lots of different companies, and I realized quickly that DevOps means different things to different people. They all want to do “DevOps” because of all the benefits they are hearing about, but they are not sure exactly what DevOps is, where to start, or how to drive improvements over time. They are hearing a lot of different great ideas about DevOps, but they struggle to get every-one to agree on a common definition and what changes they should make. It is like five blind men describing an elephant. In large orga-nizations, this lack of alignment on DevOps improvements impedes progress and leads to a lack of focus. This session is intended to help structure and align those improvements by providing a framework that large organizations and their executives can use to understand the DevOps principles in the context of their current development processes and to gain alignment across the organization for success-ful implem

Starting and Scaling DevOps In the Enterprise

Sonatype

Mandy Whaley, CISCO Microservices create an explosion of internal and external APIs. These APIs need great docs. Many organizations end up with a jungle of wiki pages, swagger docs and api consoles, and maybe just a few secret documents trapped in chat room somewhere… Keeping docs updated and in sync with code can be a challenge. We’ve been working on a project at Cisco DevNet to help solve this problem for engineering teams across Cisco. The goal is to create a forward looking developer and API doc publishing pipeline that: Has a developer friendly editing flow Accepts many API spec formats (Swagger, RAML, etc) Supports long form documentation in markdown Is CI/CD pipeline friendly so that code and docs stay in sync Flexible enough to be used by a wide scope of teams and technologies We have many interesting lessons learned about tooling and how to solve documentation challenges for internal and external facing APIs. We have found that solving this doc publishing flow is a key component of a building modern infrastructure. This is most definitely a culture + tech + ops + dev story, we look forward to sharing with the DevOps Days community.

DevOps Friendly Doc Publishing for APIs & Microservices

Sonatype

In today’s world, a company must be a “Learning Organization” in order to be successful and innovative. Learning from both failure and success, in order to implement small incremental improvements is critical. But until you implement and apply new information, you haven’t truly “learned” anything and you certainly haven’t improved. According to the 2015 Monitoring Survey, most companies leverage metrics from monitoring and logging purely for performance analytics and trending. If high availability and reliability are important, they also leverage metrics to alert on fault and anomaly detection. Despite these “best practices”, the metrics are primarily only used as context to keep things “running” or return them back to “normal” if there’s a problem. Rarely is that data used as a method to identify areas of improvement once services have been restored. When an outage occurs to your system, you will absolutely repair and restore services as best you know how, but are you paying attention to the data from the recovery efforts? What were operators seeing during diagnosis and remediation? What were their actions? What was going on with everyone, including conversations? A step-by-step replay of exactly what took place during that outage. This “old-view” perspective on the purpose of monitoring, logging, and alerting leaves the full value of metrics unrealized. It fails to address what’s important to the overall business objective and it lacks any hope of seeking out innovation or disruption of the status quo. This talk will illustrate how to identify if your company is making the best use of metrics and ways to not only learn from failure, but to become a “Learning Company”.

The Unrealized Role of Monitoring & Alerting w/ Jason Hand

Sonatype

DevOps promises to make better software faster and more safely and many organizations begin by practicing Continuous Integration and moving on to Continuous Delivery and sometimes even extending as far as Continuous Deployment - but this is only the tip of the iceberg. DevOps demands a fundamental shift in the way we work and requires all participants in an organization to live its principles. It’s much more than a tool chain. When you are delivering software in an Agile manner in fortnightly sprints, are you still funding in an annual manner? Are you adhering to The Third Way? I.e. are you practicing Continuous Experimentation? Continuous Learning? How are you doing Continuous Testing? Are you including security in that? Have you have Continuous Improvement in your organization for years? When does Continuous Everything turn into Continuous Apathy?

DevOps and All the Continuouses w/ Helen Beal

Sonatype

Serverless and the Way Forward

Sonatype

Small and medium-size businesses are under the same pressure to innovate-at-speed as large corporations. They face these challenges with shoestring IT budgets and limited staff who are stretched thin and forced to wear multiple hats. These limits are particularly acute in the world of nonprofit associations. But with the right vision and culture, even small teams can successfully implement a DevOps philosophy and bust the barriers to high-speed IT innovation. In this presentation, I will recount our small membership association’s transformative journey to DevOps and share the lessons we learned along the way. I will offer first-hand experiences and practical ideas on how to cultivate a collaborative team culture to realize faster deployment cycles while improving build quality and delighting customers with great software.

A Small Association's Journey to DevOps w/ Edward Ruiz

Sonatype

What's My Security Policy Doing to My Help Desk w/ Chris Swan

Sonatype

Lee Calcote, Solar Winds Running a few containers? No problem. Running hundreds or thousands? Enter the container orchestrator. Let’s take a look at the characteristics of the four most popular container orchestrators and what makes them alike, yet unique. Swarm Nomad Kubernetes Mesos+Marathon We’ll take a structured looked at these container orchestrators, contrasting them across these categories: Genesis & Purpose Support & Momentum Host & Service Discovery Scheduling Modularity & Extensibility Updates & Maintenance Health Monitoring Networking & Load-Balancing High Availability & Scale

Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors

Sonatype

Justin Collins, Brakeman Security It is not enough to have fast, automated code deployment. We also need some level of assurance the code being deployed is stable and secure. Static analysis tools that operate on source code can be an efficient and reliable method for ensuring properties about the code - such as meeting basic security requirements. Automated static analysis security tools help prevent vulnerabilities from ever reaching production, while avoiding slow, fallible manual code reviews. This talk will cover the benefits of static analysis and strategies for integrating tools with the development workflow.

Static Analysis For Security and DevOps Happiness w/ Justin Collins

Sonatype

Madhu Akula, Automation Ninja We can see attacks happening in real time using a dashboard. By collecting logs from various sources we will monitor & analyse. Using data gleaned from the logs, we can apply defensive rules against the attackers. We will use AWS for managing and securing the infrastructure discussed in our talk. For most network engineers who monitor the perimeter for malicious content, it is very important to respond to an imminent threat originating from outside the boundaries of their network. Having to crunch through all the logs that the various devices (firewalls, routers, security appliances etc.) spit out, correlating that data and in real time making the right choices can prove to be a nightmare. Even with the solutions already available in the market. As I have experienced this myself, as part of the Internal DevOps and Incident Response Teams, in several cases, I would want to create a space for interested folks to design, build, customise and deploy their very own FOSS based centralised visual attack monitoring dashboard. This setup would be able to perform real time analysis using the trusted ELK stack and visually denote what popular attack hotspots exist on a network.

Automated Infrastructure Security: Monitoring using FOSS

Sonatype

Akash Mahajan, Appsecco Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible. Who is this talk for? This talks and demo is relevant and useful for any practitioner of DevSecOps. It introduces the concepts of declarative security Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’ Gives a clear roadmap on how to find the best practices for security hardening Covers how continuous monitoring can be applied for security Technical Requirements While 30 minutes short for letting attendees do hands-on, the following will be required - A modern Linux distribution with Python and Ansible installed - Basic idea of running commands on the Linux command line

System Hardening Using Ansible

Sonatype

Erlend Oftedal, Blank Immutable infrastructure and serverless architectures have very interesting security properties. This talk will give an introduction to immutable infrastructure and serverless architecture and try to highlight some of the properties of such architectures. Next we will look at the positive effects this can have on the security of our systems, but also highlight some of the negative aspects and potential problems. At the conclusion of this sessions, we hope to have shed some light on the positive and negative security effects of such architectures.

There is No Server: Immutable Infrastructure and Serverless Architecture

Sonatype

Damien Corabouef, Multipharma, Clear2Pay Implementing a CI/CD solution based on Jenkins has become very easy. Dealing with multiple feature, staging and release branches? Not so much. Having to handle that for multiple teams and multiple projects becomes a real challenge. This presentation shows a solution to scale to several thousands of jobs, used by dozens of different development and test teams, 24 hours a day, 7 days a week, on a worldwide schedule. I will talk about the challenges that we’ve met, and how we’ve put in place a scalable and on-demand solution, secure and simple to use. This is a real-life, real-scale story of making CI/CD a day-to-day reality by allowing development and test teams to consider automation as a simple and customisable service.

Getting out of the Job Jungle with Jenkins

Sonatype

Nathen Harvey, Chef Automation at scale is the foundation of every successful high velocity organization. Automation requires dynamic infrastructure that is managed as code. Modern infrastructure code means bringing the lessons from software development to your infrastructure. Automation is managed in version control systems, tests drive code development, code moves through a continuous pipeline from the workstation to the production environment. What will this look like in five years? We will see a continued improvement in the way teams work together toward common goals, build more operable applications, and embrace complexity while improving ease-of-use.

Modern Infrastructure Automation

Sonatype

Jayne Groll, DevOps Institute Culture is undoubtedly one of the most critical aspects of any DevOps initiative. While much emphasis is placed on the automation of the deployment pipeline, there is also a need for a “Continuous People Pipeline”. Continuous People Pipelines help individuals and teams recognize their contribution to the value stream, provide realistic approaches and milestones for ongoing communication and collaboration and can be the basis for shared accountabilities and meaningful metrics. Most importantly, people pipelines help increase trust, flow, feedback and connection across IT silos. This session will provide insight on the value, creation and support of Continuous People Pipelines. It will help attendees understand some of the human dynamics of change that must be considered – cultural debt, adoption models, acceptance curves, collaboration, immersion and conflict management. At the end of this session, leaders will take away some innovative strategic and tactical ideas for overcoming silo constraints and creating a collaborative culture that excites, engages and unifies people towards common business goals.

Continuous Everyone: Engaging People Across the Continuous Pipeline

Sonatype

Michiel Rook, make.io It's a situation many of us are familiar with: a large legacy, monolithic application, limited or no tests, slow & manual release process, low velocity, no confidence... A lot of refactoring is required, but management keeps pushing for new features. How to proceed? Using examples and lessons learned from a real-world case, I'll show you how to replace a legacy application with a modern service-oriented architecture and build a continuous integration and deployment pipeline to deliver value from the first sprint. On the way, we’ll take a look at the process, automated testing, monitoring, master/trunk based development and various (possibly controversial!) tips and best practices.

The Road to Continuous Deployment

Sonatype

Daniël van Gils, Cloud 66 So you’ve already containerized the shit out of your code, broken down monoliths, microserviced the hell out of your app and have run some awesome workloads in your local, dev and test environments. It’s all looking good, but now what? Running Docker commands is one thing, but maintaining containers in production is a whole other ballgame. So during this talk I’ll show you the REAL wild world of Docker in production. With the added benefit of talking to and observing how over 900 of our customers have been using Docker in production, I’ll be presenting some of these data points and sharing our observations on how to get it right. My aim? I want to turn the conversation on its head and dispel some of the ‘silver bullet’ assumptions flying around by taking an inside-out approach to building with Docker. The idea is to provide you with a framework for how to get your code into containers, streamline the Docker build flow and avoid common pitfalls when moving from dev to live environments. Because remember, Docker will NOT, and I repeat, will not solve your bad dev and ops behaviours. So don’t end up with a ‘hot mess’ (more on that later), and attend my talk to get container smart

Docker Inside/Out: The 'Real' Real- World World of Stacking Containers in pro...

Sonatype

Mais de Sonatype (20)

DevSecOps reference architectures 2018

30+ Nexus Integrations to Accelerate DevOps

2017 DevSecOps Survey

Starting and Scaling DevOps In the Enterprise

DevOps Friendly Doc Publishing for APIs & Microservices

The Unrealized Role of Monitoring & Alerting w/ Jason Hand

DevOps and All the Continuouses w/ Helen Beal

Serverless and the Way Forward

A Small Association's Journey to DevOps w/ Edward Ruiz

What's My Security Policy Doing to My Help Desk w/ Chris Swan

Characterizing and Contrasting Kuhn-tey-ner Awr-kuh-streyt-ors

Static Analysis For Security and DevOps Happiness w/ Justin Collins

Automated Infrastructure Security: Monitoring using FOSS

System Hardening Using Ansible

There is No Server: Immutable Infrastructure and Serverless Architecture

Getting out of the Job Jungle with Jenkins

Modern Infrastructure Automation

Continuous Everyone: Engaging People Across the Continuous Pipeline

The Road to Continuous Deployment

Docker Inside/Out: The 'Real' Real- World World of Stacking Containers in pro...

Último

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

[INFOGRAPHIC] Are we really securing our applications?

1. ARE WE REALLY SECURING OUR APPLICATIONS? 0 1 0 1 1 0 1 0 0 0 0 1 0 0 1 1 1 1 1 0 1 0 0 0 These days, of an application is assembled from open source components. 80% Forever changing the way we develop software... Open Source Software Usage Has Exploded 2012: 8 Billion 2013: 12 Billion! POLICIES ARE NOT OPEN SOURCE IS POPULAR Psssst; and of those policies don’t even address security 29% Yet only of organizations have policies governing component usage. 57% of all applications contain a critical ﬂaw in at least one open source component 71% Using risky components is now #9 on OWASP’s Top 10 Application Security Concerns. In manufacturing we call this a “Bill of Materials” And, nearly of organizations don’t know which components are used in their applications. 2/3 40% Security is a top concern 60% Not focused on it. Don’t have time. Someone else is responsible. of developers are not concerned about security 60% Today’s popular application “scanning” tools don’t assess components (or their dependencies) Plus, most application security methods can’t see components. We are NOT eﬀectively securing our applications CONCLUSION: Continuous monitoring —— new vulnerabilities are always being discovered, you need to know where you are at risk. 5 Governance across the software lifecycle —— policies that are enforced across the DevOps toolchain ensure defense-in-depth. 4 Developer control —— provide information within the IDE to make it easy for developers to pick the best components from the start. 3 Automated OSS governance —— manual processes just don’t work!2 Application “Bill of Materials” —— you need to know what’s in your apps.1 Top 5 Ingredients to secure apps composed with open source: SOURCE: Sonatype 2013 survey of 3500 developers, architects and managers across all industries, company sizes and geographic regions – making it the largest, most comprehensive survey of its kind. www.sonatype.com/survey2013www.sonatype.com White paper: Learn how to minimize risk in open source-based applications.

[INFOGRAPHIC] Are we really securing our applications?

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Sonatype

Mais de Sonatype (20)

Último

Último (20)

[INFOGRAPHIC] Are we really securing our applications?