AppSec California 2019

The benefits of using third-party and open source components are often negated by the inherent risks that come with them. Systematically reducing risk while allowing the benefits to prevail can be challenging. Organizations often rely on methods of identification that provide instant gratification, but fall short on delivering a simple, coherent strategy for long-term risk identification and remediation. This session will cover current best practices, explore how they will evolve over time, and provide concrete examples attendees can put into practice with minimal effort. Demonstrations will cover the creation of software bill-of-material (S-BoM) documents from a polyglot build environment, using OWASP Dependency-Track to automatically identify outdated and vulnerable components, and how organizations can automate their response to specific types of security events. Advanced topics of discussion will include current and emerging standards as well as government initiatives that may shape the view of the status quo.