2019 Nexus User Conference


Free and Online



Declare war on your vendors


When we develop software in our DevSecOps pipelines we integrate tools that help identify software vulnerabilities in the applications we create, and tools that move our software down the assembly line. Traditionally we’ve trusted that our vendors are delivering software without vulnerabilities. We can’t do that anymore.

When developing greenfield applications, no critical, high, medium, or low vulnerabilities should exist in the software we deliver to our customers. With brownfield applications that already contain known vulnerabilities the stakes are different: critical vulnerabilities should be addressed as soon as possible so that the security risk doesn't flow downstream to our customers. If we hold ourselves to such a policy, we need to ask why the tools we buy from our vendors aren't delivered to us at the same standard.

When we look at the state of vendor container images today, whether open source or closed-source commercial products, we need to identify what the impact of running them will be. If the products that enable our deployment process introduce critical vulnerabilities, we are putting our organization at risk. It's like opening the gates of your castle and letting a Trojan horse walk inside.

This session will discuss how to implement a vendor image scanning program and how to hold vendors to the same quality standards our own organizations meet. We will take a look at what conversations we need to have, how to track remediation guidelines and timelines, and how to work with our vendors to produce safer software not just for ourselves, but for the organizations around us that will rely on their software in the future.
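The policy described above (zero findings for greenfield images, time-boxed remediation for brownfield ones, with documented exceptions tracked against a timeline) can be codified as a pipeline gate that runs over each vendor image's scan report. The following is an added example written for this page; it is not code from the session, from Sonatype, or from any scanner. The report schema, the finding IDs, the package names, and the SLA windows are constructed for illustration, so `parse_report()` and `BROWNFIELD_SLA_DAYS` are the parts you would replace with your scanner's real output format and your vendor agreements.

```python
"""Policy gate for vendor container-image scan results.

Added example; not code from the session or from any vendor product.
The report format is constructed for illustration: every scanner has
its own schema, so parse_report() is the part to adapt.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

SEVERITIES = ("critical", "high", "medium", "low")

# Days a brownfield image may carry a finding of each severity before the
# gate blocks it. Assumed values; take the real ones from your vendor
# agreements and remediation timelines.
BROWNFIELD_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str      # normalized to one of SEVERITIES
    package: str
    first_seen: date   # when the finding was first recorded for this image


def normalize_severity(raw: str) -> str:
    """Map a scanner's severity label onto SEVERITIES, failing closed.

    A label the policy does not know is treated as critical so that a
    scanner schema change cannot silently waive findings.
    """
    label = raw.strip().lower()
    return label if label in SEVERITIES else "critical"


def parse_report(raw_json: str) -> list[Finding]:
    """Parse the constructed report format used by this example."""
    report = json.loads(raw_json)
    return [
        Finding(
            vuln_id=f["id"],
            severity=normalize_severity(f["severity"]),
            package=f["package"],
            first_seen=date.fromisoformat(f["first_seen"]),
        )
        for f in report["findings"]
    ]


def evaluate(findings, *, greenfield: bool, today: date,
             exceptions=frozenset()) -> tuple[bool, list[str]]:
    """Apply the delivery policy and return (passed, reasons).

    greenfield: no finding of any severity is tolerated.
    brownfield: a finding blocks once it has exceeded the remediation
                window for its severity.
    exceptions: vuln ids with a documented, time-boxed risk acceptance.
    """
    reasons = []
    for f in findings:
        if f.vuln_id in exceptions:
            continue
        age = (today - f.first_seen).days
        if greenfield:
            reasons.append(f"{f.vuln_id} ({f.severity}) in {f.package}: "
                           "greenfield images ship with zero findings")
        elif age > BROWNFIELD_SLA_DAYS[f.severity]:
            reasons.append(f"{f.vuln_id} ({f.severity}) in {f.package}: "
                           f"open {age} days, SLA {BROWNFIELD_SLA_DAYS[f.severity]}")
    return (not reasons), reasons


# Constructed scan report for a hypothetical vendor-supplied CI runner image.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/vendor/ci-runner:4.2.1",
    "findings": [
        {"id": "EXAMPLE-0001", "severity": "Critical", "package": "libfoo", "first_seen": "2019-05-01"},
        {"id": "EXAMPLE-0002", "severity": "high", "package": "libbar", "first_seen": "2019-06-10"},
        {"id": "EXAMPLE-0003", "severity": "low", "package": "libbaz", "first_seen": "2019-06-01"},
    ],
})
TODAY = date(2019, 6, 20)  # fixed "now" so the example is reproducible

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for label, greenfield in (("greenfield", True), ("brownfield", False)):
        passed, reasons = evaluate(findings, greenfield=greenfield, today=TODAY)
        print(f"{label}: {'PASS' if passed else 'BLOCK'}")
        for r in reasons:
            print("  -", r)
```

Run against the sample, the greenfield policy blocks on all three findings while the brownfield policy blocks only on the critical one that has been open 50 days against a 7-day window; adding `EXAMPLE-0001` to `exceptions` (with the ticket that documents the accepted risk and its expiry) lets the image through. The fail-closed handling of unknown severity labels is deliberate: a vendor or scanner changing its vocabulary should surface as blocked findings, not as a quietly green pipeline.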

It’s time to use silent weapons for a quiet war.