Helping ensure that Mike Pittenger's Flight16 Security Track went smoothly at our inaugural user conference was one of the most meaningful opportunities Black Duck has given me. Representing a sales function, I don't get to spend as much time as I'd like getting down to the nitty-gritty technical details. Mike, one of the founders of Veracode, is our VP of Security Strategy and one of the best resources I have here at Black Duck; I can safely say we've all learned a great deal from him. Here are a few takeaways from the sessions that taught me even more.
Daniel Riek, Senior Director of Systems Design and Engineering at Red Hat, echoed a statement that most in the tech world have heard recently: "Every company is a software company." Daniel went on to discuss how Black Duck and Red Hat work together to reengineer security strategy to be both proactive and reactive.
In another session, Scott Martin of ScienceLogic said something similar during his case study presentation, indicating that Black Duck allows companies to be thoughtful and reflective about their open source use, not simply impulsive. This is how we contribute to the open source community: by giving teams visibility into, and control over, the open source in their code base, we create better ways to use it securely.
Who Considers Software Security?
In my short tenure at Black Duck (just 9 months), I’ve seen a huge shift from mainly technology companies investing in the security of their software to less obvious industries, such as hospitality, consumer goods, finserv, and more — all making efforts to secure their code. The recent growth in the Internet of Things (IoT) makes risk management more relevant to every company, as well as every consumer. We can control our homes, cars and more with this new technology, but is it secure? IoT risk was a hot topic on the panel Mike Pittenger moderated with Paula Long, CEO of Data Gravity, Bill Ledingham, Black Duck CTO, and Gary McGraw, CTO of Cigital.
Changes like the explosion of IoT devices and the shift to more open source use are part of why we've shifted our focus in recent years. One recent initiative at Black Duck is the formation and opening of our Open Source Security Research Group in Belfast. This group, led by Chris Fearon, Director of Security Research, will be an integral part of our Center for Open Source Research and Innovation Group (COSRI). Chris presented some of their findings at Flight16 and showed us how easy it is to exploit a vulnerability. Very cool. And terrifying.
Important AppSec Takeaways
Some of my most powerful takeaways were from Constantine Grancharov of IBM. He posed a series of questions about what we need to think about in terms of AppSec and open source:
- What are your current application security activities?
- What kinds of security gates do you enforce to ensure nothing gets through?
- What tools are you using as part of the development and application security lifecycle?
- Are containers like Docker part of your deployment model?
- How are you tracking for new vulnerabilities over time?
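The second and last of those questions, a security gate and tracking new vulnerabilities over time, are easiest to picture with a concrete check. The following is an added example written for this post; it is not code from the original session, from Black Duck's products or from IBM. It runs a constructed component inventory against a constructed vulnerability feed (all component names and advisory IDs such as `EX-2016-0003` are made up), blocks the build on high or critical findings, and then shows what happens when the feed is refreshed and a component that passed at build time becomes vulnerable with no code change on our side.

```python
"""Added example, not from the original post or any vendor tooling: a minimal
open source security gate plus a 'what is newly affected' diff between two
snapshots of a vulnerability feed. All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" means no fix yet
    severity: str

    def affects(self, version: str) -> bool:
        """True if `version` falls in [introduced, fixed), or >= introduced when unfixed."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return not self.fixed or v < parse_version(self.fixed)


# Constructed inventory: the kind of component list a build-time scan produces.
INVENTORY: Dict[str, str] = {
    "libexample-http": "2.4.1",
    "example-json": "1.9.0",
    "example-tls": "0.9.8",
}

# Constructed feed snapshot at build time. Neither entry matches the inventory.
FEED_V1: List[Advisory] = [
    Advisory("EX-2016-0001", "example-tls", "0.9.0", "0.9.8", "high"),    # fixed in our version
    Advisory("EX-2016-0002", "example-json", "1.0.0", "1.8.0", "medium"), # fixed before our version
]

# Same feed after a refresh: two new advisories, one hitting a component we already ship.
FEED_V2: List[Advisory] = FEED_V1 + [
    Advisory("EX-2016-0003", "libexample-http", "2.0.0", "", "critical"),  # no fix available yet
    Advisory("EX-2016-0004", "example-tls", "1.0.0", "1.0.2", "high"),     # we are below 1.0.0
]


def find_matches(inventory: Dict[str, str], feed: List[Advisory]):
    """Return (component, version, advisory) for every advisory affecting an inventory entry."""
    hits = []
    for adv in feed:
        version = inventory.get(adv.component)
        if version is not None and adv.affects(version):
            hits.append((adv.component, version, adv))
    return hits


def gate(inventory: Dict[str, str], feed: List[Advisory],
         block_on=("critical", "high")) -> bool:
    """Security gate: True means the build may proceed, False means block it."""
    return not any(adv.severity in block_on for _, _, adv in find_matches(inventory, feed))


def newly_affected(inventory: Dict[str, str], old_feed: List[Advisory], new_feed: List[Advisory]):
    """Advisories that match the inventory now but did not in the previous feed snapshot.
    This is the 'over time' part: the code did not change, the feed did."""
    before = {adv.advisory_id for _, _, adv in find_matches(inventory, old_feed)}
    return [hit for hit in find_matches(inventory, new_feed)
            if hit[2].advisory_id not in before]


if __name__ == "__main__":
    print("gate at build time:", "PASS" if gate(INVENTORY, FEED_V1) else "BLOCK")
    for comp, ver, adv in newly_affected(INVENTORY, FEED_V1, FEED_V2):
        print(f"NEW: {adv.advisory_id} ({adv.severity}) affects {comp} {ver}")
    print("gate after feed refresh:", "PASS" if gate(INVENTORY, FEED_V2) else "BLOCK")
```

The point of `newly_affected` is the one the last question is driving at: a gate that runs only at build time says nothing about what was deployed six months ago, so the inventory has to be kept and re-checked every time the feed changes, not just when code changes.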
All of these questions are important, and I learned something new in every session. Application security, connected devices and use of software across industries aren't going to go away, which is one reason I'm glad to be on board with Black Duck. Buckle up — it might be a wild ride, but Black Duck is your wingman as we fly into the future with open source.