Category Archives: AppSec Spotlight

Are OpenId and OAuth ‘Bleeding’?

May 7, 2014 by Ryan Berg

Now that Heartbleed has become the new measuring stick for vulnerability disclosures, I have had several people ask me, “Is this OpenId/OAuth thing the next Heartbleed?” The long answer, as Run DMC once said, is “It’s Tricky, Tricky, Tricky, Tricky”. The TL/DR (too long/didn’t read) answer is “No”.

Like a Good Holiday, the Verizon Breach Report is Here

May 2, 2014 by Ryan Berg

Like a good holiday, the Verizon 2014 Data Breach Investigation Report (DBIR) is something I look forward to every year. Now that I’ve had some office time to digest this, I figured there was no better time to share my thoughts. I am not going to cover all sections, but I do want to highlight a few things that stuck out to me.

Part 2: How Your Software Is Like a Car – A Closer Look at Today’s Software Supply Chain

April 30, 2014 by Wayne Jackson

In part one of my blog, It’s Just the Way Software is Made, I discussed the realities of how software is made, the birth of agile development, and the advent of component-based software development. Today, we will drive down the software supply chain to understand where your software really comes from. I’ll also discuss why it’s important for us to instill high quality standards and governance policies in our “parts” ecosystem.

Part 1: How Your Software Is Like a Car – It’s Just the Way Software is Made

April 17, 2014 by Wayne Jackson

Just like automobile manufacturers, software “manufacturers” need to apply supply chain management principles for both efficiency and quality. They need to be prepared to conduct a rapid and comprehensive “recall” when a defect is found. And today’s modern development practices make this, well, challenging to say the least.

Are we doing enough to prevent future “bleeding hearts”?

April 11, 2014 by Wayne Jackson

As the Heartbleed bug wreaked havoc on the internet over the past few days, we at Sonatype began thinking about the lessons learned from this recent scare and how, collectively, we can develop a process for mitigating the next major exposure.

DevOps: The Last Great Hope for Application Security?

April 8, 2014 by Derek Weeks

Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe. For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…

Code Snippet Scanning: Is it Really Needed Anymore?

April 4, 2014 by Brian Fox

Code snippet scanning is a common question we get from prospects. We typically try to dig into why the prospect actually thinks they need snippet matching. We think this comes from misinformed demand. To create conversation with the masses on this topic, I’ve shared my perspective so you have a complete picture of the risk and cost of code snippet scanning.

2014 Open Source Development Survey: Making Results Matter

April 1, 2014 by Derek Weeks

Want to win a programmable LEGO robot? Share your voice in this year’s survey. The real intent of the Open Source Development Survey is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important. So take 5 minutes and take the survey (it takes less than 5 minutes, we promise).

Open Source Observations from RSA

March 19, 2014 by Karen Gardner

Wow – have 2 weeks already passed since RSA? Before we get too far out from the event, I thought I’d share a few observations … At an event covering Security of all types, where Application Security is a very small subset and Open Source Security is an even smaller subset – I was impressed […]
