I'm writing several posts using my favorite quotes from the recent Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO.
In this first post, Wendy was talking about the need to integrate security in from the beginning...
- "The best place to set security standards is across the board, before any projects get started. If you have the same requirements for everyone right out of the gate, you'll have less to change for each individual project."
- "In QA, it's almost too late: all the time and resources that were budgeted for the project will have been used up. It's extremely hard to sell the concept of going back and changing the design. The inertia here to get management to slow the release or to fix problems is really big."
- "In production you have the greatest inertia. It has already been rolled out, it's running just fine, and the developers have been reallocated to other projects. There is one poor guy named Mike left to support it along with 2 or 3 other applications. Good luck getting Mike to fix big security flaws."
The interesting thing about Wendy's recommendation is that it represents a key design principle of Sonatype CLM: integrating security throughout the entire lifecycle, from design and development through production deployment.
CLM starts by providing security, licensing and quality information in the IDE, so the developer can make informed decisions about which components to use. This prevents problems from occurring downstream, where they become more expensive to fix.
To learn more about Sonatype CLM, check out the product tour.
Make sure you also read Wendy's research report, "Mission Impossible: securing the open source software supply chain with Sonatype."