We have a problem. Application development has become agile, component-based, and open source dependent. But security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.

Join Wendy Nather, Research Director, Security, at 451 Research tomorrow, Tuesday, April 30 from 11:00AM-11:45AM EDT (GMT-0400) to understand:

•     The changes in application development that have left security behind.
•     Limitations of existing security approaches that could leave your organization exposed.
•     The new requirements that are driving security to align with application development.

In addition, Sonatype CSO Ryan Berg will provide a brief overview of Sonatype CLM, a new application security platform designed specifically for today’s applications and for managing the modern software supply chain.

Reserve Your Seat

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Please feel free to share this with your colleagues who are interested in learning how to get the most out of Nexus.

Have a great weekend everyone!

Watch the replay.

Sonatype is going to be at InfoSecurity Europe next week from Tuesday, April 23 to Thursday, April 25 in London. We’d love to show you what we’ve been working on. Be sure to swing by our booth (L94) and Nick, Wai Man and Savinder will be on-hand to help answer any of your questions. We’ll also be demoing CLM and would love to get your feedback.

We’re looking forward to it and hope to see you there!

Tuesday, April 30, 2013 – 11:00AM-11:45AM EDT (GMT-0400)

We have a problem. Application development has become agile, component-based, and open-source-dependent. We’re delivering more software faster than ever before, but security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.

Join Wendy Nather, Research Director, Security, at 451 Research and Sonatype CSO, Ryan Berg on Tuesday, April 30 at 11:00AM EDT (GMT-0400) to understand the challenges that are driving new approaches to application security. You’ll also hear how how some leading application security organizations have partnered with application development to achieve both speed and security using component lifecycle management.

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Reserve Your Seat

We want to give you a sneak preview. On Thursday, April 18, 2013 from 11:00AM-11:30AM EDT (GMT-0400), Brian Fox will demo Sonatype CLM, and show you how it will help you develop faster, and still meet your company’s requirements for security and licensing. Plus, we’ll provide some tips on how you can take advantage of Nexus-only features like procurement and staging.

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Reserve Your Seat

But what about the components that developers use to build applications? Many organizations that we talk to assemble their applications from open source components. They no longer write a lot of custom code, they stitch together components from various sources – in many cases 80-90% of modern applications are made up of components. This may seem surprising until you think of the various types of components that are used to develop  applications: utility classes, logging, caching, database access, testing frameworks, web frameworks, collection handling, etc. Why develop those feature from scratch when you can reuse components freely available on the Web?

So why compare Linux, Apache HTTP Server, and MySQL with open source components like junit, commons-collections, log4j? I think it helps illustrate the need for a dramatically different management approach.

When it comes to major decisions like operating systems, web/application servers & databases, many organizations…

• Architecture Review -  conduct a comprehensive technology selection process driven by the architecture team… .vs. OSS components that are often selected by individual developers.
• Vendor Selection - go through a deliberate vendor selection process, including RFI/RFP, POCs, etc… vs. OSS components where the project team is not vetted.
• License Indemnification – protected from potential license issues via vendor indemnification… vs. OSS components with transitive dependencies on components with problematic licenses.
• Contractual Procurement - officially contract and procure software through purchasing departments… vs. OSS components that are “free”.
• Production Monitoring - monitor as part of an overall enterprise level BAM strategy… vs. OSS components that are often hidden in plain site (organizations don’t even know what they have).
• Financial Budget - built into the regular IT budgeting cycle… vs. OSS components – again, aren’t they “free”.
• Updates/Patches - update periodically via a pre-planned patch / update process… vs. OSS components where regular updates are not even considered.

Although organizations probably don’t think risk management per se when making major open source infrastructure decisions, that really drives their decision process – minimize risk by selecting infrastructure software that is reliable, easily maintained and cost effective.

Shouldn’t you be doing the same at the application level? With components making up the bulk of your applications, it makes sense to manage the components in a systematic fashion. But you can’t use the same process for OSS components as you do for operating systems, databases, etc.

How to start? We call it Component Lifecycle Management. Stay tuned as we introduce this concept over the coming weeks and months.

Sonatype has teamed up with SANS institute to bring you this informative webcast: Best Practices for Managing Software Development Risks

Eighty percent of a typical application is assembled from open source and proprietary components. Development teams turn to components to gain efficiencies and speed innovation. While the promise of components is significant, organizations must mitigate risk by properly managing components.

How do you accomplish this given the volume, complexity and diversity of today’s components?

Join us on Wednesday, February 6th from 1:00PM-2:00PM EST (GMT-0500) as Ryan Berg, Sonatype CSO, discusses how you can realize the benefits of component-based software development while mitigating security, licensing and quality risks.