
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Is it time for a Nexus Repository Health Check? Come to the Nexus Office Hours to get your Diagnosis.

If your repository contained a jar file with a known vulnerability, how would you know? What would it mean to you to have that sort of visibility into your repository health? This probably isn't something you consider often, since one of the benefits of having a repository manager is enforcing component standards. But as you know, organizations still struggle with the challenge of ensuring that developers and build systems only acquire components from the repository manager. That is why the ability to run a Repository Health Check is an added benefit every repository manager should be aware of.

New Webinar: No Way! Security & Compliance Can Speed Development

Date: Tuesday, May 7, 2013 11:00AM-11:45AM EDT (GMT-0400)

Application Security, Not so Black & White

I’m glad to see Simon Phipps, independent open source consultant and a director of the Open Source Initiative, promoting the need to manage components effectively. In his recent InfoWorld article he notes:

"I want to write really insecure code today"

This is the last in my series of blog posts on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO.

When asked how organizations can hire good security talent in today's competitive marketplace, Wendy noted:

  • "Some of the best app security people that I have seen are really good developers that picked up the security mindset and learned more about it. If you have really smart architecture people... developers that already know your applications, and they have the right mindset to learn the hacking side of things, they can make really good app sec people."

Ryan went on to explain:

  • "Developers are the front line - but you really need to have both. Since developers understand the development process they make good security people... Having someone that is part of the agile development process, who understands the business requirements. You need the security angle but you need to think about usability and how things might be exploited. Developers can bring a balanced view because they understand how the development organization works."

And Ryan commented on how management has to be committed to security:

  • "I haven't found a developer that says 'I want to write really insecure code today'... half the time they don't have the tools, the training, or the backing of the organization that says security is an important thing and this should be something that is part of your day-to-day responsibility."

"Personally, I have always been a fan of bribery"

Here is another post on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO.

"They wait until the software flaw trends on Twitter"

Here is another post on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO. Wendy was talking about how inertia makes it difficult to justify fixing security flaws later in the development lifecycle:

  • "Management will want to wait until there is an actual breech before they bring resources back to fix it."
  • "That big corporation (with the 3 or 4 letter acronym) will wait until their software flaw is trending on Twitter before they are going to do something about it."
  • On the resource commitment: "Fixes through change management... traceability for every fix that you make... getting the builds done... rebuilding it is going to be difficult... testing is going to take time... you may not have a slot in QA... and then there is deployment."

Wendy also noted the need to protect the entire supply chain including assets that are sourced from third parties. Her Twitter reference implied that some suppliers will not address security flaws until negative publicity forces them to act.

"Good luck getting Mike to fix big security flaws."

I'm writing several posts using my favorite quotes from the recent Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO.

OWASP Recognizes Component Security

The tide is turning. OWASP A9 is more recognition that modern applications are constructed primarily of components. In our recent survey of 3500 developers, managers and architects that use open source, 86% of participants noted applications built today are at least 80% open source. OWASP A9 highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development.