Category Archives: Sonatype Says

How Your Software Is Like a Car: It’s Just the Way Software is Made


April 17, 2014 By
Wayne Jackson
Automobile Supply Chain

Just like automobile manufacturers, software “manufacturers” need to apply supply chain management principles for both efficiency and quality. They need to be prepared to conduct a rapid and comprehensive “recall” when a defect is found. And today’s modern development practices make this, well, challenging to say the least.

Continue reading...

Are we doing enough to prevent future “bleeding hearts”?


April 11, 2014 By
Wayne Jackson
Heartbleed Bug

As the HeartBleed bug wreaked havoc on the internet over the past few days, we at Sonatype began thinking about the lessons learned from this recent scare and how, collectively, we can develop a process for mitigating the next major exposure.

Continue reading...

DevOps: The Last Great Hope for Application Security?


April 8, 2014 By
Derek Weeks
DevOps: The Last Great Hope of Application Security?

Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe. For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…

Continue reading...

Code Snippet Scanning: Is it Really Needed Anymore?


April 4, 2014 By
Brian Fox
Code Snippet

Code snippet scanning is a common question we get from prospects. We typically try to dig at why the prospect actually thinks they need snippet matching. We think this comes from mis-informed demand. To create conversation with the masses on this topic, I’ve shared my perspective so you have a complete picture of the risk and cost of code snippet scanning.

Continue reading...

2014 Open Source Development Survey: Making Results Matter


April 1, 2014 By
Derek Weeks
mindstorm

Want to win a programmable LEGO robot? Share your voice in this year’s survey. The real intent of the Open Source Development Survey is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important. So take 5 minutes and take the survey. (it takes less than 5 minutes, we promise)

Continue reading...

An Open Discussion on Open Source Review Boards


March 17, 2014 By
Derek Weeks
Bruce Mayhew on Open Source Review Boards

The recent FS-ISAC whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers”, reveals the majority of internal software applications created by financial services involve acquiring open source components and libraries to augment custom developed software. While open source code is freely available and reviewed by many independent developers, that review effort does not translate into all software components and libraries being free from risk.

Continue reading...

The Tipping Point: Human Speed vs. Machine Speed


March 5, 2014 By
Derek Weeks
Component Downloads

What can the financial services industry learn from the U.S. Department of Homeland Security? In this third segment of my blog series on open source component security as it relates to the recently updated Financial Services Information Sharing and Analysis Center (FS-ISAC) guidelines, I explore the need for speed: humans vs. machines.

Continue reading...

Secure From the Start: Combining Open Source Policies, Practice & Tools


February 26, 2014 By
Derek Weeks
Securing from the Start

In short, open source security can’t be an after thought. Security isn’t only the responsibility of ‘security professionals’ but instead a shared responsibility for all parties involved in developing or managing an organization’s software supply chain. Better put in the FS-ISAC guidelines…

Continue reading...