Conan 2: security features for enterprise-grade C++ projects
Salon K
Luis Caro Campos
Conan | R&D Team Lead
Tue 03:20PM - 03:55PM, September 9th
Memory safety issues have long been a common cause of security vulnerabilities, to the point where government agencies are recommending moving away from languages like C and C++ for new product development. However, while “memory safe” languages exist, the same agencies acknowledge that software will have to interface with components written in C and C++ for a long time, and recommend that software vendors have a memory safety roadmap. Key items of such a roadmap include keeping proper track of external dependencies, a transparency plan (vendors and customers should know which dependencies are included in each product), and a plan to react to disclosed CVEs (Common Vulnerabilities and Exposures). The recent ISO C++ developer survey highlights that dependencies are still integrated directly into projects without being properly traced. This talk will cover how C++ developers can leverage Conan to properly track dependencies, and how it integrates with JFrog’s security offerings to help developers fulfil their contractual and regulatory obligations. Features covered: Software Bill of Materials, dependency auditing (reporting CVE vulnerabilities, powered by JFrog Advanced Security), package signing, and JFrog Xray integration via Artifactory.