
Session

Solution Study

Wednesday, 24 September

11:25 - 11:50

Live in Berlin


Assessing risk in Open Source dependency use can make any security lead sweat. Projects which rarely update dependencies will be the slowest to react to and remediate so-called “log4j incidents”; this lag is often referred to as “security debt”. Meanwhile, the risk of malicious code introduction or account takeovers in Open Source packages is not insignificant, so those who live on the cutting edge of the latest versions may also be at increased risk from another angle. This presentation will address the challenge from both angles and ask the following questions:

  • How much more at-risk are projects when they fall behind in dependencies?
  • How much risk is there from malicious code in Open Source?
  • How can companies provide sensible guidance to software teams which optimizes their risk?