Know Your Dependencies: A Guide to Automating Dependency Assurance - Steve Judd, Jetstack

Abstract

It is a truth universally acknowledged that almost every modern software component contains a selection of external dependencies whose provenance is unknown. Another truth is that no dependency should be trusted until proven trustworthy. This second truth, though, is often ignored by organisations and their engineering teams, who argue that assuring the trustworthiness of dependencies is too complex, too time-consuming and has a detrimental impact on development velocity. This talk will describe how Jetstack has worked with several clients in the financial services and defence sectors to help them develop dependency assurance mechanisms and processes that allow greater visibility and insight into the dependencies used and their impact on the clients’ risk and security postures. The audience will learn how modern tooling and practices can be used to create efficient, automated pipelines that audit dependencies for vulnerabilities and licence obligations, assess them against the organisation’s security policies and ultimately provide the ability to control which dependencies can be used and deployed within the organisation.
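The abstract describes a pipeline that audits dependencies for vulnerabilities and licence obligations, checks them against organisational policy, and decides which may be used. The following is an added illustrative example of such a policy gate, not Jetstack's or the speaker's tooling. It assumes a dependency inventory already produced by an SBOM or scanner tool (here constructed inline, with a placeholder advisory identifier and made-up package names) and a policy consisting of an allowed-licence set, a maximum tolerated CVSS score and an explicit deny list.

```python
"""Minimal dependency-assurance policy gate (added example, not Jetstack's code).

Evaluates an inventory of third-party dependencies against an organisation's
policy and returns an allow/deny decision per dependency plus an overall gate
result that a CI pipeline could act on. All inventory and policy data below is
constructed sample data; the advisory id is a placeholder, not a real CVE.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vulnerability:
    identifier: str      # advisory id as reported by the scanner (placeholder here)
    cvss: float          # CVSS base score, 0.0 to 10.0


@dataclass
class Dependency:
    name: str
    version: str
    licence: str         # SPDX licence identifier as reported by the SBOM tool
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


@dataclass
class Policy:
    allowed_licences: Set[str]   # SPDX ids the organisation will accept
    max_cvss: float              # any vulnerability at or above this score blocks
    denied_packages: Set[str]    # package names explicitly banned


@dataclass
class Decision:
    dependency: str              # "name@version"
    allowed: bool
    reasons: List[str]           # empty when allowed


def evaluate(dep: Dependency, policy: Policy) -> Decision:
    """Apply every policy rule to one dependency and collect all failing reasons."""
    reasons: List[str] = []
    if dep.name in policy.denied_packages:
        reasons.append(f"package '{dep.name}' is on the deny list")
    if dep.licence not in policy.allowed_licences:
        reasons.append(f"licence '{dep.licence}' is not in the allowed set")
    for v in dep.vulnerabilities:
        if v.cvss >= policy.max_cvss:
            reasons.append(f"{v.identifier} has CVSS {v.cvss} >= {policy.max_cvss}")
    return Decision(f"{dep.name}@{dep.version}", not reasons, reasons)


def gate(inventory: List[Dependency], policy: Policy) -> Dict[str, object]:
    """Evaluate the whole inventory; the build passes only if nothing is blocked."""
    decisions = [evaluate(d, policy) for d in inventory]
    blocked = [d for d in decisions if not d.allowed]
    return {"passed": not blocked, "blocked": blocked, "decisions": decisions}


# Constructed sample policy and inventory (hypothetical package names).
SAMPLE_POLICY = Policy(
    allowed_licences={"MIT", "Apache-2.0", "BSD-3-Clause"},
    max_cvss=7.0,
    denied_packages={"left-pad-clone"},
)

SAMPLE_INVENTORY = [
    Dependency("requests-like", "2.31.0", "Apache-2.0"),
    Dependency("yaml-parser", "5.1.0", "MIT",
               [Vulnerability("EXAMPLE-2023-0001", 9.8)]),   # placeholder advisory id
    Dependency("pretty-table", "0.9.2", "GPL-3.0-only"),
    Dependency("left-pad-clone", "1.0.0", "MIT"),
]

if __name__ == "__main__":
    result = gate(SAMPLE_INVENTORY, SAMPLE_POLICY)
    for d in result["decisions"]:
        status = "ALLOW" if d.allowed else "BLOCK"
        detail = "" if d.allowed else ": " + "; ".join(d.reasons)
        print(f"{status:5} {d.dependency}{detail}")
    # Non-zero exit lets a CI stage fail the build when policy is violated.
    raise SystemExit(0 if result["passed"] else 1)
```

Each rule records its own reason rather than stopping at the first failure, so an engineer sees every obligation a dependency breaches at once; the non-zero exit status is what turns the assessment into control over what can be deployed.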
