As the HeartBleed bug wreaked havoc on the internet over the past few days, we at Sonatype began thinking about the lessons learned from this recent scare and how, collectively, we can develop a process for mitigating the next major exposure.
Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe. For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…
Code snippet scanning is a common question we get from prospects. We typically try to dig at why the prospect actually thinks they need snippet matching. We think this comes from mis-informed demand. To create conversation with the masses on this topic, I’ve shared my perspective so you have a complete picture of the risk and cost of code snippet scanning.
Want to win a programmable LEGO robot? Share your voice in this year’s survey. The real intent of the Open Source Development Survey is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important. So take 5 minutes and take the survey. (it takes less than 5 minutes, we promise)
I love watching TED Talks. To me, they are 15 well-spent minutes watching experts around the world provide great insights into things I thought I knew well. Some I had never imagined or topics on which I want to gain a deeper perspective.
Since its inception in 2002, the Central Repository has grown to be the largest component repository of Java and other JVM, Android, related components and beyond. It is the default repository for Apache Maven, sbt and Leiningen, and it can easily be used from Gradle, Apache Ivy and others. The Central Repository has become the […]
Wow – have 2 weeks already passed since RSA? Before we get too far out from the event, I thought I’d share a few observations … At an event covering Security of all types, where Application Security as a very small subset and Open Source Security is an even smaller subset – I was impressed […]
The recent FS-ISAC whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers”, reveals the majority of internal software applications created by financial services involve acquiring open source components and libraries to augment custom developed software. While open source code is freely available and reviewed by many independent developers, that review effort does not translate into all software components and libraries being free from risk.
For those that don’t know me, I am the new Nexus community advocate and now moderator of Nexus Live. I’ve kicked off my first session of the year with fellow community advocate, Manfred Moser and Manager QA & Support, Rich Seddon.
What can the financial services industry learn from the U.S. Department of Homeland Security? In this third segment of my blog series on open source component security as it relates to the recently updated Financial Services Information Sharing and Analysis Center (FS-ISAC) guidelines, I explore the need for speed: humans vs. machines.