Category Archives: AppSec Spotlight

[Part 3] Code, Cars, and Congress: A Time for Cyber Supply Chain Management


December 16, 2014 By
Wayne Jackson
royce

  On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the “Cyber Supply Chain Management and Transparency Act of 2014.” The legislation will ensure all contractors of software, firmware or products to the federal government provide the procuring agency with a bill of materials of all third […]

Continue reading...

[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management


December 8, 2014 By
Wayne Jackson
code2

On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the “Cyber Supply Chain Management and Transparency Act of 2014.” The legislation will ensure all contractors of software, firmware or products to the federal government provide the procuring agency with a bill of materials of all third party and open source components […]

Continue reading...

Code, Cars, and Congress: A Time for Cyber Supply Chain Management


December 5, 2014 By
Wayne Jackson
Cyber Supply Chain Management and Transparency Act of 2014

On December 4th, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the “Cyber Supply Chain Management and Transparency Act of 2014.” The legislation will ensure all contractors of software, firmware or products to the federal government provide the procuring agency with a bill of materials of all third party […]

Continue reading...

Talking Turkey in Texas: Open Source Governance Lags


November 25, 2014 By
Derek Weeks
tt

Deep in the heart of Texas, I was leading a panel discussion at the Lone Star Application Security Conference (LASCON) a few weeks ago.  The panel was “talking turkey” the importance of application security and open source software development, when the conversation led to a discussion about software supply chains. One of the panelists remarked […]

Continue reading...

CIO.com: Helping Developers Reduce Open Source Risk


November 17, 2014 By
Derek Weeks
CIO-dot-com-logo

Last week, CIO.com shared a story of an inflection point in application security.  Lucian Constantin discussed how there needs to be a shift from manual open source risk analysis to more automated approaches.  His article stated, “The notion of using manual audits, manual approvals and traditional governance to deal with that level of [open source […]

Continue reading...

Nigel’s Wake-up Call: Scaling Open Source Governance


November 3, 2014 By
Derek Weeks
shock

The Wake-up Call They had downloaded over 200,000 open source components in the past year.  And their open source policy…the one established to protect against license risks and security vulnerabilities?  It covered about 3% of them. This is how Nigel Simpson, Director of Architecture at a major media and entertainment company, described his organization’s “huge” […]

Continue reading...

Who is Nigel Simpson? (Lessons of Open Source Governance)


October 28, 2014 By
Derek Weeks
Who is Nigel Simpson?

If you are in the midst of creating (or even planning to implement) an Open Source Governance Policy for your organization, then you’ll want to get to know Nigel Simpson. Nigel has been leading an enterprise-wide working group with over 40 members — at a really big entertainment and media company — to define his […]

Continue reading...

The Two-Minute Open Source Risk Assessment


October 21, 2014 By
Derek Weeks
time 3

In two minutes, we can show you if there are any open source risks within your Java application.  And it’s free. That’s right, at Sonatype, we could not be more in favor of the code reuse that occurs millions of times a day thanks to the availability of open source and third-party components.  At the […]

Continue reading...

Why Attend the DevOps Enterprise Summit?


October 2, 2014 By
Mark Miller
Author, Gene Kim

Major enterprises are embracing DevOps. The DevOps Enterprise Summit is bringing together top practitioners who are leading DevOps transformations in large, complex organizations. It is a three-day conference on October 21-23, where leaders share their lessons learned, spanning culture, technology and leadership.Speakers include leaders from Disney, Macy’s, Blackboard, Barclays, Nordstrom, Target, Microsoft, Ticketmaster, Salesforce.com, UK.gov, U.S. Department of Homeland Security, and more.

Continue reading...

Bash 2014 – This Is Not a Party


September 25, 2014 By
Derek Weeks
bash

I can honestly say that although referred to by the media as Shellshocked, I am neither shocked nor awed. I can’t say that I am a fan of the latest glorification of bugs like Heartbleed and Shellshock in a fashion similar to tropical storms, but if it gets more people to pay attention to the exponential growth of our reliance on software I can’t say I am too worked up about it either. One thing that is unarguable is that this just happens to be the latest (and if you are reading this before you have patched stop right now, patch, and then come back to finish).

Continue reading...