General

• If couldn’t use OSS, you’d have no app or tools. It’s in many components. hhe question isn’t whether you are using it but whether you know.
• Takes a long time to fix because need to wait for each person down the tree to fix/pull the fixed version.

Struts 2 vulnerabiity

• FBI alert
• “Really important” but to who?
• At time of disclosure and shortly thereafter, not muh change. Not many downloads of new version right after announcement
• Roughly 5% upgrade as soon as new version comes out

Stats from research

• 90% of downloaded components from Maven Central in local repos
• 71% of apps have have been deployed have critical to severe vulnerabilities

Lego
Every block has a # on it. If find manufacturing issue, can go back to machine that is causing problem so can fi it. Toyota works the same way. If there is a problem, want to know who is affeced. Supply chain management.

The right questions

• How do you select components for your application. It shouldn’t be google. It shouldn’t be what your friends are using.
• Is project still in active development?
• How do developers know when they should upgrade

Need to ensure that is deployed is same jar as locally and in the build.

We are used to looking the other way

My take
My only gripe is that the talk started early. I could have been there early. But I wasn’t because over the first day and a half of conference, everything started on time. The actual talk was good. Ryan covered the importance of component selection and upgrading. And he was funny. Adding him to my mental list of great speakers. As with his earlier session with Jeff Williams, it wasn’t a Sonatype CLM ad.