Vitaly Davidoff
Application Security Lead
Company: JFrog
Stream: C
Time: 11:00 - 11:45
Country: Israel
Language: English
Talk: Open Source Components security scan as part of CI/CD process - examples and best practices
About the Speaker
I have about 15+ years' experience as a developer and more than 8 years in the application security field. Applications Products Security Lead at JFrog Israel. In this position I am responsible for providing Application Security solutions for many products, including analyzing security risks in multidisciplinary systems according to the customer system characterization, defining the required security controls to handle identified security threats, performing code and design reviews, threat modeling and many other activities.
Certificates: CISSP, CSSLP
Talk: Open Source Components security scan as part of CI/CD process - examples and best practices
“We all love open source for all the obvious reasons. But it can also become a complicated beast when it comes to ownership, trust, and security. As you operate your mission critical systems with the help of open source libraries, it is critical to understand and manage the easily exploitable vulnerabilities they introduce.”
Software composition analysis (SCA) solutions scan open source software to identify license risk and vulnerabilities.
Considering that 5,145 new open source component vulnerabilities were reported in 2020 alone, a 15% increase over 2019, SCA tool adoption will grow along with increasing awareness of these risk factors.
During our session, we will try to answer the following questions: why we need to scan open source components for vulnerabilities as part of the CI/CD process, and when and how to do it. We will demonstrate real examples based on the JFrog Xray tool.