Enthusiasm for securing the software supply chain is growing in both conversation and practice. For the past year, Sonatype has called for a new approach to securing the software supply chain that gives organizations an opportunity to protect their business and their applications from hacker exploits -- taking a frictionless approach built into the supply chain and software development lifecycle, as opposed to bolt-on solutions looking for vulnerabilities later in the development process.
The conversation is not Sonatype’s alone. Just this past week, Wendy Nather, Security Research Director at 451 Research covered this growing enthusiasm in an Impact Report entitled, “Is open source the new sexy? Sonatype hits the catwalk”.
Impact Reports are written by the analysts at 451 Research, and usually are produced as a follow-up to recent conversations they have had with technology leaders like Sonatype. This Impact Report was produced independently by 451 Research. Here are some of our favorite quotes. You can download the full report here.
"The company's latest open source and application security survey, released in mid-June, revealed that one out of 10 respondents had an open-source-related breach in the past year. And 63% of those who answered the survey reported that they don't track the vulnerabilities in the components that they are using. This could be a recipe for disaster. But it's also an opportunity to address many of today's widespread security issues, and that's a good opportunity for Sonatype as well: one of its latest announced integrations is with HP Fortify on Demand."
"Sonatype's visibility is increasing with the help of evangelism from the likes of the FS-ISAC, the Open Web Application Security Project and the PCI Council. All three of these organizations have started to warn about the dangers of using third-party components with known security vulnerabilities. Supply chain security has become more important lately, and Sonatype is well positioned to take advantage of it."
"Sonatype is thinking much bigger than just open source. The company is working toward becoming the 'parts warehouse' for every component that goes into an enterprise's software, whether it be open source, proprietary code, automation or even VM images. In order to create a fully controlled and secure supply chain – one that supports devops and agile methodologies - organizations will need to put all their 'building materials' under centralized control, and track them even after they're deployed into production."