The necessity of securing third-party libraries and packages is not a new concept, however, not many organizations understand its importance in a world where open source is mainstream. There is an exponential growth in the usage of third party libraries and reusing code is the norm for developers. Adding a library can end up adding several other dependencies without the developer even being explicitly aware of them. Now combine this with the rapid pace of shipping new code on a daily basis, and the security challenge all of a sudden seems insurmountable.
In this talk, we will share our story of how we tackled this challenge head-on and leveraged DevOps tooling to build security that enables the developers. You should attend this talk if you want to learn about the technical and architectural choices of library scanning that worked for us at scale, and the ones that didn’t. You will learn how to drive automation while maintaining the consistency of overall developer experience.
And while you may have heard great talks about how DevOps (or DevSecOps) enables security, it also sets you up for losing credibility at DevOps speed if you’re not careful. We will give you tips and tricks, the Do’s and Don'ts that will enable you to implement third-party library security automation in your developer workflow, make it the path of least resistance and empirically measure success over time.
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.
Thursday October 11, 2018 1:30pm - 2:05pm PDT
Regency 2
