
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Ryan Berg

Recent Posts by Ryan Berg:

Stewing Over Software Ingredients

I love developing new software, and I also love security. But I also love cooking for my family. Both are full of reward, but occasionally come with challenges along the way.

Are OpenId and OAuth ‘Bleeding’?

The Short Answer is ‘No’

Like a Good Holiday, the Verizon Breach Report is Here

Like a good holiday the Verizon 2014 Data Breach Investigation Report (DBIR) is something I look forward to every year. Now that I’ve had some office time to digest this, I figured no better time to share my thoughts.

Sonatype & HP Partnership Offering a New Breed of Application Security

For details on the announcement, watch the full video http://youtu.be/jQWdBwUbW-I.

Today Sonatype and HP announced that Sonatype’s Component Lifecycle Management (CLM) analysis technology has been integrated into HP’s cloud-based software security solution – HP Fortify on Demand. HP Fortify on Demand customers will have access to an Open Source Application Scan using the Sonatype CLM analysis technology directly within the Fortify on Demand user experience.

HP Fortify on Demand delivers comprehensive, accurate and affordable security assessments that identify vulnerabilities in any application —web, mobile, infrastructure or cloud. Sonatype provides analysis and identification of third party and open source components commonly used as building blocks in modern applications – with a focus on security, license, quality, and policy issues. Together, these capabilities deliver a new level of visibility and analysis into overall application security and risk.

For more detailed information about this new breed of application security from HP and Sonatype, please visit http://www.sonatype.com/fortify.

Another Security Breach ... Just in time for the holidays.

It just wouldn't be the holiday season without a report of another major security breach.

This time Target is the victim and, true to form, the shame and blame game follows. At this point it shouldn't come as a surprise to anybody that compliance doesn't equal secure. Even though the full details of the attack are unknown, you can bet that Target was PCI compliant and was doing a lot of things right. I think the more interesting story is how it was first reported by Brian Krebs on December 18th.

What I find interesting is that the breach was first reported after the cards started showing up on the black market. This seems to indicate that a large data exfiltration occurred and went largely unnoticed by the security practices at Target. I often say that security requires three P’s: People, Process, and Product. I would wager that in this case there was a failure in all three, and unfortunately this is a major difference between being compliant and being secure. Having a process is not the same as having the ability to verify that the process is actually working.

As I mentioned at the beginning of this post, this is not about assigning blame. I do hope the details become more public and that we collectively resist the urge to focus on everything that could have been done, and instead learn from this event so another organization doesn’t suffer a breach in the same way. Target’s was not the first and will certainly not be the last …

Have a happy holiday season and check your card statements, I know I will.

Flaws vs Bugs

DevOps is certainly the buzzword of the year. Everywhere you turn, people are referring to DevOps and Continuous Delivery. It seems as though the final frontier to developer productivity has arrived. The reality, which is what large organizations deal with on a day to day basis, is like all development methodologies in the past; the devil is in the detail. There is no such thing as a one size fits all model. Development practices vary for organizations developing SaaS vs. embedded systems vs. an industrial SCADA system manufacturer. From a security perspective, the way we introduce security into the development process must accommodate how applications or services are being developed. It's a "different strokes for different folks" approach; there is no such thing as a one size fits all security model. Not every organization is like Microsoft - just because their SDL program works for them, doesn't mean that it will work for you.

Hack Takes a Bite of the Apple

The latest news hitting the wire, the internet, the blogosphere and the social media circuit is the hack of the Apple developer site that was acknowledged by Apple. To no one's surprise, this was followed by the typical shame and blame game. I don't know about you but I am getting a little tired of the sensationalist reporting of the latest hack (ok, please forgive my tongue in cheek title), and the "security professionals" playing Monday morning quarterback on how they would have done things differently. The reality is that everybody and every system is flawed in one way or another, whether it's substandard people, processes or technology. Every system can and is likely to fail - Edward Snowden is a good example of how trust in people can blow up. Apple has really great security folks but guess what? They got hacked, and this won't be the last time. So instead of playing the shame and blame game from our glass house, let's take each new report as the motivation to increase our own vigilance.