An Introduction to the Newest Addition to the OWASP Top 10: Experts Break Down the New Guideline and Offer Guidance on Good Component Practice, presented at AppSec USA 2013

by Ryan Berg

Summary: Experts in the field of application security and open source software development discuss the new OWASP A9 guidelines, offering session attendees unique intelligence on component vulnerabilities and on how to deploy new approaches to application security and risk management that address security at the component level while eliminating risk in the modern software supply chain. Panelists to include: Sonatype, Aspect Security, and two senior security executives from Fortune 500 companies.
Most development teams don’t focus on security. The 2013 Open Source Software Development Survey, the largest survey of OSS users with more than 3,500 participants, found that more than half of the developers, architects and managers surveyed don’t focus on security at all. Nearly 20% of this group said they know application security is important but don’t have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely. As open source component use continues to skyrocket, with applications now more than 80% component-based, organizations continue to struggle to establish policies to secure and govern component use. According to the survey, an alarming 65% of organizations have no component management policies in place.
This lack of internal controls, together with a failure to address security vulnerabilities throughout the software development lifecycle, threatens the integrity of the software supply chain and exposes organizations to unnecessary risk. Open source component vulnerabilities are exceedingly common: more than 70% of applications contain components with vulnerabilities classified as severe or critical. Virtually every application has these issues because most development teams don’t focus on keeping their components up to date. In many cases, developers don’t even know all the components they are using, let alone the versions. In fact, the Open Source Software Development Survey shows that only 35% of organizations maintain inventories of the components in their production applications.
This panel of industry experts will dissect the new OWASP A9 guidelines, which address the widespread use of insecure open source libraries in today’s application development. Executives from Sonatype will offer exclusive component usage data from the Central Repository, the industry’s largest source of open source components, receiving 8 billion requests annually. With its deep history as a leader in open source development, Sonatype can also share with attendees its unmatched knowledge of open source development practices. Jeff Williams, CEO of Aspect Security and founding member of OWASP, will offer best practices and advice to organizations looking to revamp their software assurance policies. Lastly, Jim Routh, the head of application and mobile security at Citibank, will share with attendees the real-world challenges and resolutions faced by the financial institution in mitigating risk in agile, component-based development.
Together, the panel will address the following key points and offer attendees important takeaways to jumpstart A9 compliance, including:
• How software assurance is now largely incompatible with modern development, and why new approaches to security must give developers immediate feedback on security context so that they can act as the new frontline of defense;
• How to inform component choice throughout the development lifecycle, including how to pinpoint flaws early and how to deploy flexible remediation options for flawed components;
• How to build component security and risk mitigation into the development process in a form that non-security experts can also use; and
• How new security and risk mitigation approaches must be continuous to address ongoing threats in real-time and to ensure sustaining trust between development, risk management and the application end-user.