Building software today involves more assembly than actual coding. Much of our code is in fact pulled in from open source packages, and our applications rely heavily on surrounding third-party binaries. These third parties make us more productive, but they also introduce an enormous risk. Each third-party component is a potential source of vulnerabilities or malicious code, and each third-party service is a potential door into our system.
This talk explores this risk in more detail, presents a framework for digesting and tackling it, and lists a myriad of tools that can help.
23. snyk.io
Do you know, for
EVERY SINGLE DEPENDENCY
if its developers have any
Security Expertise?
24.
Do you know, for
EVERY SINGLE DEPENDENCY
if it went through any
Security Testing?
25.
Do you know, for
EVERY SINGLE DEPENDENCY
if it has
Known Vulnerabilities?
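The three questions above apply to every transitive dependency, not just the ones listed in your own manifest. As an added example (not code from the talk or from Snyk), the script below walks a constructed npm package-lock.json tree, inventories each nested copy of a package, and matches every one against a constructed advisory list; the package names, versions and advisory identifiers are all made up for illustration. It shows the case where a safe top-level version of a package hides a vulnerable older copy nested under another dependency.

```python
"""Added example: inventory every transitive dependency in an npm lockfile
and flag the ones whose version falls in a known-vulnerable range."""
import json

# Constructed sample lockfile (npm v1 layout: nested "dependencies" objects).
# Note parser-lib appears twice: 2.1.0 at top level and 0.9.4 nested.
LOCKFILE = json.loads("""
{
  "name": "example-app",
  "dependencies": {
    "web-framework": {
      "version": "4.2.0",
      "dependencies": {
        "template-lib": {"version": "1.3.1"},
        "parser-lib": {"version": "0.9.4"}
      }
    },
    "parser-lib": {"version": "2.1.0"}
  }
}
""")

# Constructed advisories: (package, first vulnerable, first fixed, label).
# A version is affected when first_vulnerable <= version < first_fixed.
ADVISORIES = [
    ("parser-lib", "0.0.0", "1.0.0", "EXAMPLE-1 prototype pollution"),
    ("template-lib", "1.0.0", "1.4.0", "EXAMPLE-2 template injection"),
]

def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

def walk(deps, path=()):
    """Yield (path, name, version) for every dependency, including nested copies."""
    for name, info in deps.items():
        here = path + (name,)
        yield here, name, info["version"]
        yield from walk(info.get("dependencies", {}), here)

def find_vulnerable(lockfile):
    """Return [(dependency path, version, advisory label)] for every affected copy."""
    hits = []
    for path, name, version in walk(lockfile["dependencies"]):
        v = parse_version(version)
        for pkg, lo, hi, label in ADVISORIES:
            if pkg == name and parse_version(lo) <= v < parse_version(hi):
                hits.append((" > ".join(path), version, label))
    return hits

if __name__ == "__main__":
    for dep_path, version, label in find_vulnerable(LOCKFILE):
        print(f"{dep_path}@{version}: {label}")
```

A real check would read the project's actual lockfile and pull advisories from a maintained database rather than the inline list; the walk-every-copy logic is the part that matters.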
26.
~30%
of Docker Hub images carry
Known Vulnerabilities
High-priority known vulnerabilities, to be exact
Source: BanyanOps Analysis
27.
~14%
of npm Packages Carry
Known Vulnerabilities
~80% of Snyk users found vulns in their apps
Source: Snyk data, Mar 2016
28.
~59% of Reported Vulnerabilities
in Maven Packages
Remain Unfixed
Mean Time to Repair: 390 days
MTTR for CVSS 10: 265 days
Source: Josh Corman & Dan Geer