Sonatype Delivers Premium Open Source Controls to GitHub | Press Release

blog-logo Sonatype Blog

Tanya Janca is "Big Fan of SCA" [VIDEO]

May 15, 2020 By Zack Conord

Tanya Janca, also known as SheHacksPurple, sat down with me on this episode of DevSecOps: The Good, The Bad, and The Ugly.  Her new company teaches application security, DevSecOps, and cloud security. We talked about how she's building her courses and her thoughts on managing open source software. I highly recommend you check out her resources.

Along the way she says she is a "big fan of SCA." We couldn't agree more.

The video of the interview, and excerpt of our discussion, follows.

Please watch the interview above for the full context of the except below.

Tanya Janca: Definitely, because a secret being published is basically the end of the world, I would start with that. Then I would start with software composition analysis, just because it's such a quick win and the results are generally extremely, extremely accurate compared to, for instance, something like static code analysis where the results ... I just wouldn't put that in the main pipeline personally.

Zack Conord: Right. What percentage of the code would you say is open source, Tanya, in a typical application today?

Tanya Janca: Wait, open source or in libraries and third party components?

Zack Conord: Libraries, your dependencies, how much of that is your actual code base?

Tanya Janca: Some people say it's as low as 60 and some people say it's as high as 90. I would say it's probably 80%, 90% in most apps. The actual code that you write every time you call a function, unless you wrote that function ...

Zack Conord: Right.

Tanya Janca: Every single thing you do, and usually if you're following my advice, if you're doing any sort of security functionality, you're calling the functionality in your framework. And everything in your framework counts as third party. You didn't write your framework, I hope not, unless you work at Microsoft or you work for the actual place that makes a framework. I hope you're not writing your own frameworks. I think people underestimate or forget just how much of their code is code that they didn't write, and it all needs to be secure.

Zack Conord: Yeah. I do see a lot of organizations think that they don't have open source until they find out they have a lot of open source. Sometimes that can be eyeopening, especially for the security team who thinks, "Oh, we have a rule, no open source." But the developers are using it rampantly for all these frameworks and everything else.

Tanya Janca: That is so true.

Zack Conord: That's great.

Tanya Janca: And, and even if it's proprietary, like the .net framework is proprietary, but you still didn't write it.

Zack Conord: Correct. Right. And so how are you managing that?

Tanya Janca: Exactly. And I have worked with that team and they're amazing human beings, but human beings still make mistakes. And that's why we issue patches.

Zack Conord: Yep. What version are you on, right? The second version?

Tanya Janca: Exactly.

Zack Conord: This version, so forth. Well, this is great, Tanya. Very enlightening. I might have to sneak you back on here for a specific topic on one of the things that I watch in your website. I'm looking forward to that. So anybody that's watching, if you could maybe post some of those resources for people to be able to go check out or sign up for a class. Tanya is one of the best, so I highly recommend it. Thanks so much Tanya, for joining me.

Tanya Janca: Thank you so much for having me, Zack.

Tags: devsecops, featured, SCA,, Good Bad Ugly

Written by Zack Conord

Zach is Regional Account Manager at Sonatype and host of "DevSecOps: The Good, The Bad, and the Ugly" series on YouTube.