AppSecCali 2019 - BoMs Away - Why Everyone Should Have a BoM - Steve Springett


The benefits of using third-party and open source components are often negated by the inherent risks that come with them. Systematically reducing risk while allowing the benefits to prevail can be challenging. Organizations often rely on methods of identification that provide instant gratification, but fall short on delivering a simple, coherent strategy for long-term risk identification and remediation. This session will cover current best practices, explore how they will evolve over time, and provide concrete examples attendees can put into practice with minimal effort. Demonstrations will cover the creation of software bill-of-material (S-BoM) documents from a polyglot build environment, using OWASP Dependency-Track to automatically identify outdated and vulnerable components, and how organizations can automate their response to specific types of security events. Advanced topics of discussion will include current and emerging standards as well as government initiatives that may shape the view of the status quo.

Steve Springett
Senior Security Architect, ServiceNow
Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, and offensive research.


Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...

Reviewed by Unknown on March 29, 2019