Here is another post on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO. Wendy was talking about how inertia makes it difficult to justify fixing security flaws later in the development lifecycle:
- "Management will want to wait until there is an actual breech before they bring resources back to fix it."
- "That big corporation (with the 3 or 4 letter acronym) will wait until their software flaw is trending on Twitter before they are going to do something about it."
- On the resource commitment: "Fixes through change management... traceability for every fix that you make... getting the builds done... rebuilding it is going to be difficult... testing is going to take time... you may not have a slot in QA... and then there is deployment."
Wendy also noted the need to protect the entire supply chain including assets that are sourced from third parties. Her Twitter reference implied that some suppliers will not address security flaws until negative publicity forces them to act.
There are multiple reasons flaws are not fixed: lack of budget, poor project planning, shifting resources, etc. Another factor is that today's security tools are focused on discovery, they don't help you fix problems. Ryan went on to say:
- "We don't have a problem finding problems, we have a problem managing what we have. And to make sure that when we make a change or a fix that it rolls through the entire development lifecycle into production."
We took this challenge into account when we designed the Sonatype CLM. Not only does the CLM help you identify security, licensing and quality flaws, it helps you prioritize and fix the problems, directly in the IDE.
- The flawed components are prioritized by an aggregate threat level.
- The developer can find a suitable replacement for the component without leaving the IDE.
- The developer can see the components side-by-side to assess change impact.
- The code can be refactored automatically by pushing a button in the IDE.
To see how you can fix flaws with the Sonatype CLM, check out the "Quickly identify your exposure and remediate flaws" section of the product tour.
Make sure you read Wendy's research Mission Impossible: securing the open source software supply chain with Sonatype.