Speaker Details

Ilkka Turunen


Ilkka Turunen is the Field CTO at Sonatype, working in Europe. His background is in software and systems engineering, acting as an architect for several commercial projects. He’s helped define everything from the software design to webscale infrastructure architectures and regularly works with companies across the world to understand and improve their software supply chain and continuous delivery pipelines.

The State of the Software Supply Chain - lessons in open source best practice from the stewards of Maven Central

As the economic importance of digital innovation accelerated during the global pandemic, so too did the number of cyber-attacks aimed at exploiting software supply chains. And yet, much has stayed the same. Top performing development teams have mastered three key skills: knowing how to use open source and third-party innovation at scale, integrating security and risk controls into multiple phases of the software supply chain, and releasing higher quality code faster than their competitors.

This talk collects learnings after a year of research that involved studying 100,000 production applications and 4,000,000 component migrations made by developers and trends associated with the Java (Maven Central), JavaScript (npmjs), Python (PyPI), and .Net (nuget) ecosystems. Did you know that 8.4% of open source Java library releases contain known vulnerabilities? This increases to 23% when you consider only the most popular and most used projects. Navigating this minefield to keep applications secure can be a challenge.

I'll share insights from our latest software supply chain research, which characterises this risk and offers practical guidance based on our experience as stewards of Maven Central on how teams can:

  • Choose components that help minimize their risks
  • Adopt practices that help them quickly discover and remediate security issues
  • Become more efficient and innovative developers
  • Understand trends and legislation in the industry
