Nearly every organization in the world uses open source, in some form or another, as part of its software environment. The state of the art in mitigating open source risk today is tracking and patching publicly reported vulnerabilities in high-profile open source projects, but that tells only part of the story. Increasingly, organizations are also analyzing source code for unreported and undisclosed vulnerabilities. The final piece that businesses must identify is who is developing the software and how those developers will respond to future security issues when they occur.
The speaker will describe her experience aggregating known security vulnerabilities in open source and identifying new vulnerabilities using automated static analysis, and will discuss important attributes of an open source security strategy. She will propose metrics to gauge the consolidated technical risk introduced by open source software, and conclude by showing how these metrics can enable organizations to include open source in their governance efforts.
- How insecure development practices create risks for open source users
- How failure to prioritize security issues creates open source risk
- How to identify unreported and undisclosed risks
About Joy Marie Forsythe
Joy Forsythe co-manages HP's Software Security Research team. She has spent the past five years helping customers identify and understand issues in their code. She has also focused on issues related to voting, healthcare governance, and communicating security information to developers.
Prior to joining Fortify, Ms. Forsythe worked for Oracle, where she designed and implemented the encryption and storage optimization features for SecureFiles. She holds a Master of Engineering degree and a Bachelor of Science degree in Computer Science from MIT, where she completed her thesis on voting and cryptography.