When asked about how the security team can effectively collaborate with the development organization, Wendy (with tongue in cheek) responded:

• “Personally I have always been a fan of bribery. Buying food, lots of drinks.”

Wendy went on to provide the following advice:

• “Helping the developers achieve their goals, not your goals, is what is going to lead you to working better together. If they feel that you are on their side, that they see you as assistance not as an obstacle. You really need to spend time with them, learn about what they are trying to do, see if there is any way you can help even if it has nothing to do with security.”

We took this approach and extended it in the design of the Sonatype CLM. We realize that if the security, licensing, development, and IT Ops teams are not on the same page, that application risk will not be managed effectively. We account for today’s modern development approach that uses short sprint cycles as part of an agile methodology.

• The CLM provides guidance throughout the development lifecycle. The CLM prevents problems by providing information early in the lifecycle vs. a phonebook of potential issues that the developer has to address just before production.
• Policies can be implemented that provide flexibility to the developer early in the development lifecycle while locking down production deployment. The CLM doesn’t force the developer through a laborious approval process before they can use a component.
• The CLM allows the security team to assess overall enterprise risk and policy compliance. This information makes it easy for the security team to communicate with development management and executives. 

To see how policies can actually speed development & improve collaboration, check out the “Implement flexible policies that speed agile development with guidance for each lifecycle stage” section of the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

• “Management will want to wait until there is an actual breech before they bring resources back to fix it.”

• “That big corporation (with the 3 or 4 letter acronym) will wait until their software flaw is trending on Twitter before they are going to do something about it.”

• On the resource commitment: “Fixes through change management… traceability for every fix that you make… getting the builds done… rebuilding it is going to be difficult… testing is going to take time… you may not have a slot in QA… and then there is deployment.”

Wendy also noted the need to protect the entire supply chain including assets that are sourced from third parties. Her Twitter reference implied that some suppliers will not address security flaws until negative publicity forces them to act.

There are multiple reasons flaws are not fixed: lack of budget, poor project planning, shifting resources, etc. Another factor is that today’s security tools are focused on discovery, they don’t help you fix problems. Ryan went on to say:

• “We don’t have a problem finding problems, we have a problem managing what we have. And to make sure that when we make a change or a fix that it rolls through the entire development lifecycle into production.”

We took this challenge into account when we designed the Sonatype CLM. Not only does the CLM help you identify security, licensing and quality flaws, it helps you prioritize and fix the problems, directly in the IDE.

• The flawed components are prioritized by an aggregate threat level.
• The developer can find a suitable replacement for the component without leaving the IDE.
• The developer can see the components side-by-side to assess change impact.
• The code can be refactored  automatically by pushing a button in the IDE.

To see how you can fix flaws with the Sonatype CLM, check out the “Quickly identify your exposure and remediate flaws” section of the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

In this first post, Wendy was talking about the need to integrate security in from the beginning…

• “The best place to set security standards is across the board before any projects get started. If you have the same requirements for everyone right out of the gate you’ll have less to change for each individual project.”

• “In QA, it’s almost too late, all the time and resources that were budgeted for the project will have been used up. It’s extremely hard to sell the concept of going back and changing the design. The inertia here to get management to slow the release or to fix problems is really big.”

• “In production you have the greatest inertia. It has already been rolled out, it’s running just fine and the developers have been reallocated to other projects. There is one poor guy named Mike left to support it along with 2 or 3 other applications. Good luck getting Mike to fix big security flaws.“

The interesting thing about Wendy’s recommendation is that it represents a key design principle of the Sonatype CLM. Integrating security throughout the entire lifecycle – from design, development, on through production deployment.

With the CLM, it starts by providing security, licensing and quality information in the IDE so the developer can make informed decisions about the best components to use. This prevents problems from occurring downstream, problems that become more expensive to fix.

To learn more about Sonatype CLM, check out the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

We have a problem. Application development has become agile, component-based, and open source dependent. But security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.

Join Wendy Nather, Research Director, Security, at 451 Research tomorrow, Tuesday, April 30 from 11:00AM-11:45AM EDT (GMT-0400) to understand:

•     The changes in application development that have left security behind.
•     Limitations of existing security approaches that could leave your organization exposed.
•     The new requirements that are driving security to align with application development.

In addition, Sonatype CSO Ryan Berg will provide a brief overview of Sonatype CLM, a new application security platform designed specifically for today’s applications and for managing the modern software supply chain.

Reserve Your Seat

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Please feel free to share this with your colleagues who are interested in learning how to get the most out of Nexus.

Have a great weekend everyone!

Watch the replay.

Tuesday, April 30, 2013 – 11:00AM-11:45AM EDT (GMT-0400)

We have a problem. Application development has become agile, component-based, and open-source-dependent. We’re delivering more software faster than ever before, but security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.

Join Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO, Ryan Berg on Tuesday, April 30 at 11:00AM EDT (GMT-0400) to understand the challenges that are driving new approaches to application security. You’ll also hear how how some leading application security organizations have partnered with application development to achieve both speed and security using component lifecycle management.

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Reserve Your Seat

If you missed the live broadcast, the recording is now available here.

Interested in checking out our next session? Moving forward, Nexus Office Hours will be held the last Friday of every month. Join us and be sure to bring any general repository management or specific Nexus questions you may have, since we’ll be dedicating most of the hour to your live Q&A.

Join us for our April Nexus Office Hours on Friday, April 26 from 1PM-2PM EDT (GMT-0400). RSVP here.

We want to give you a sneak preview. On Thursday, April 18, 2013 from 11:00AM-11:30AM EDT (GMT-0400), Brian Fox will demo Sonatype CLM, and show you how it will help you develop faster, and still meet your company’s requirements for security and licensing. Plus, we’ll provide some tips on how you can take advantage of Nexus-only features like procurement and staging.

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Reserve Your Seat

We’re pleased to announce that Sonatype will be hosting Nexus Office Hours each month starting in March! Our Nexus experts Brian Fox, Manfred Moser and Rich Seddon will demo the latest Nexus tips & tricks and will take real-time questions from you!

When: Friday, March 22, 2013 – 1:00-2:00PM EDT (GMT-0400)

Where: In a Google+ Hangout On Air! Once we begin, our hangout will broadcast live to the Nexus Office Hours event page on Google+, as well as our Sonatype YouTube channel.

How: Be sure to RSVP ‘Yes’ on the Nexus Office Hours event page, and this event will be automatically saved to your Gmail calendar and you will receive a reminder just before we start the hangout. Not on Google+? No worries, you can still view the broadcast on the event page or the Sonatype YouTube channel when the hangout begins.

We will be taking real-time questions submitted on the Nexus Office Hours event page, Twitter (please use hashtag #nexusofficehours) and on our YouTube page in the comments section of the broadcast.

**If you’d like to join our panel that day in the hangout, please leave us a comment on this page and the first 6 people will be invited in as the session starts. This event will be recorded and saved to Google+ as well as our YouTube channel.

RSVP Now

Sonatype has teamed up with SANS institute to bring you this informative webcast: Best Practices for Managing Software Development Risks

Eighty percent of a typical application is assembled from open source and proprietary components. Development teams turn to components to gain efficiencies and speed innovation. While the promise of components is significant, organizations must mitigate risk by properly managing components.

How do you accomplish this given the volume, complexity and diversity of today’s components?

Join us on Wednesday, February 6th from 1:00PM-2:00PM EST (GMT-0500) as Ryan Berg, Sonatype CSO, discusses how you can realize the benefits of component-based software development while mitigating security, licensing and quality risks.