Is deploying secure code to production an unnatural act or second nature? Have we built the right muscles to react and update our applications quickly? Most of the code in modern applications is made up of open-source components. This allows devs to focus on value-generating features and not on scaffolding and foundations. That doesn’t mean you should ignore it, though. The challenge is that Open Source is not free like a lunch. It’s free like a puppy. To compound this problem, the rise of the malicious coder has made cyber attacks easier to perpetrate and harder to detect. Attacks on the OSS ecosystem and supply chain have exploded in recent years. CVEs, while still important, have become table stakes. The need for strong risk telemetry related to our open-source usage is now a critical control in Application Security. This talk will walk through our current mismanagement of open source and how our hygiene habits impact our ability to manage and react to problems in the supply chain.

What you will learn:
• What the vulnerability landscape looks like currently
• The factors from both security and development that are contributing to the problem
• Concrete steps to take to get better