The OSS movement has brought free, high quality, reusable software to the masses, but much of this code, and the way it’s stored and consumed, is insecure. Nowhere is this better exemplified than in npm, the world’s largest repository of open-source software. In this talk, learn about the specific challenges faced by the JavaScript community, and the things we’re doing to try to save us from ourselves.
The problem with security is that it’s almost always an afterthought. This is a cultural problem to the extent that developers have been trained to prioritize functionality over all else. However, this is also a tooling problem, because developers shouldn’t spend the majority of their time combing over dependencies in an attempt to find potential security holes. In traditional companies, there’s a separate security team to offload this effort from developers, but this turns out to be an extremely ineffective way to solve the problem. The right solution is to change how developers think about security, while giving them the insight and automation they need to make good decisions as early in the development cycle as possible.
We’ll discuss the ways in which most security tools are outright hostile toward developers, and how we got there from a cultural perspective. We’ll talk about the needs of operations and security teams, and how those needs must be met in order to successfully apply the principles of DevOps to the security realm. Finally, we’ll take a look at the new and emerging tools that are bringing this brave future to us today.
Daniel Sauble is a Product Manager at npm, the company behind the world’s most popular package registry. He spends a lot of time thinking about the security of the open-source ecosystem and how to
...