
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Talking Turkey in Texas: Open Source Governance Lags

Deep in the heart of Texas, I was leading a panel discussion at the Lone Star Application Security Conference (LASCON) a few weeks ago. The panel was “talking turkey” about the importance of application security in open source software development, when the conversation led to a discussion about software supply chains.

One of the panelists remarked that consuming open source components to assemble an application is similar to sourcing individual physical parts to assemble a finished product, be it a car, a medical device, or a toy. The discussion then led to remarks about manufacturers being able to identify and recall at-risk parts in their products, similar in nature to the Takata air bag recall for millions of vehicles that has recently been in the news.

Then it struck me how immature our software supply chains are today when it comes to assembling, monitoring, and tracking open source components, compared to other industries. I shared with the attendees (since we happened to be in cattle country) that it was somewhat surprising that beef distributors have more advanced supply chain management capabilities than our software industry when it comes to managing at-risk open source.


Think about it. If a beef distributor finds E. coli has contaminated their beef supply, they can track the tainted beef through each distribution point, down to the store in my neighborhood, and down to the bar code of the package on their shelves. They can then remove the tainted packages and replace them with safe alternatives from the same or another supplier.

By comparison, the vast majority of companies we surveyed earlier this year did not have formal open source governance practices in place:

  • 57% had open source governance policies in place (but only 68% of those followed them)

  • 63% did not track changes in vulnerability data for the components they used

  • 60% did not keep a complete inventory of the open source components, including all dependencies, used in their applications

This means that if a new vulnerability were announced, only 40% of firms might have a chance to track down that component and replace (i.e., recall) it successfully. Today, we cannot imagine not having the ability to track down contaminated beef, tainted medicines, or faulty cars.

Earlier this month, Gartner VP Earl Perkins published a new report discussing predictions for 2015. In the report he remarked that supply chain security failures will force 50% of businesses to negotiate contracts with suppliers to share risk and liabilities. (The Gartner report is only available to those with a subscription to their research.)

While Gartner believes this will happen by 2020, I would not be surprised to see this contract requirement much sooner than that. I don’t think we will be able to get through five more years of Heartbleed, Bash, Poodle, and Struts before open source vulnerabilities and liabilities are pulled to the front line. This is especially true for companies that include known vulnerable components in their software today. When known vulnerabilities are published and available to these businesses, any breach that stemmed from that vulnerability should have some level of liability associated with it.

It is time to improve the fundamentals around software supply chain management. If we can’t put faulty airbags in cars, and we must remove tainted beef from store shelves to protect consumers, I can’t see why we wouldn’t have to monitor, track, and trace vulnerabilities in our software products.

Can you?

A special note to all of my readers and followers in the United States: wishing you a very Happy Thanksgiving. Enjoy every bit of the holiday with your friends and family!

Image credits: http://bit.ly/1zGteVg, http://bit.ly/1xShLCS

42,000 Nexus Repository Managers, and Growing!

[Editor's Note: An update to this article is now available. As of February 2015, active Nexus instances have reached 50,000. For more information, please see the new blog post at: http://blog.sonatype.com/2015/02/nexus-reaches-50000/#.VPTXZEuf96k]

CIO.com: Helping Developers Reduce Open Source Risk

Last week, CIO.com shared a story of an inflection point in application security. Lucian Constantin discussed how there needs to be a shift from manual open source risk analysis to more automated approaches. His article stated, “The notion of using manual audits, manual approvals and traditional governance to deal with that level of [open source component] consumption is just impossible.” Lucian also described how Sonatype’s new release of CLM helps companies automate open source risk analysis, governance, and reporting.

You can read the full article on CIO.com here.


Riot Games Shares its Chef Cookbook for Nexus


How Big is a Billion? Open Source Growth Skyrockets

How Big is a Billion?

We all remember 1997’s Austin Powers movie with Dr. Evil trying to express a really big number:

Nigel’s Wake-up Call: Scaling Open Source Governance

The Wake-up Call