In part one of this series, “Rugged DevOps: Survival is Not Mandatory”, I shared news that 1 in 16 open source and third-party components downloaded last year included a known vulnerability. That may not seem like too many until you realize the average company downloads well over 200,000 components annually. These components are electively downloaded by development teams, often unaware of the vulnerabilities that come with them.
I can’t tell you how excited I am to be a part of the Sonatype team that is literally reinventing how quality software gets made. As the new guy leading marketing, my first test was to explain Sonatype to my mom. She’s a smart cookie — but she’s 82 years old — and doesn’t know very much about software.
Two Perspectives Jack, an accomplished application security pro, tells me, “The developers won’t talk to us. It’s like we speak a different language. They are releasing new builds so fast, how could they check each one for security vulnerabilities? We can’t move as fast as they do.” Then in the next moment, Diane, a DevOps […]
Imagine that you are designing the 2016 Range Rover line of sport utility vehicles. Like all gas powered vehicles, each one needs an exhaust muffler. Range Rover likely has narrowed in on a preferred provider of mufflers. But imagine what would happen if the designers and factory line workers could pick from any one of 27 past versions of that muffler from their preferred provider for the new model year.
Today I want to focus on the huge ecosystem of open source projects (“suppliers”) that feed a steady stream of innovative components into our software supply chains. In the Java ecosystem alone, there are now over 108,000 suppliers of open source components. Across all component types available to developers (e.g., RubyGems, NuGet, npm, Bower, PyPI, etc.), estimates now reach over 650,000 suppliers of open source projects.
In two minutes, we can show you a full software bill of materials for your application. We can also identify any known vulnerabilities in the open source and third-party components within your Java application. Oh, and by the way, it’s free. That’s right, at Sonatype, we could not be more in favor of the code […]
Deep in the heart of Texas, I was leading a panel discussion at the Lone Star Application Security Conference (LASCON) a few weeks ago. The panel was “talking turkey” the importance of application security and open source software development, when the conversation led to a discussion about software supply chains. One of the panelists remarked […]
Last week, CIO.com shared a story of an inflection point in application security. Lucian Constantin discussed how there needs to be a shift from manual open source risk analysis to more automated approaches. His article stated, “The notion of using manual audits, manual approvals and traditional governance to deal with that level of [open source […]
The Wake-up Call They had downloaded over 200,000 open source components in the past year. And their open source policy…the one established to protect against license risks and security vulnerabilities? It covered about 3% of them. This is how Nigel Simpson, Director of Architecture at a major media and entertainment company, described his organization’s “huge” […]
If you are in the midst of creating (or even planning to implement) an Open Source Governance Policy for your organization, then you’ll want to get to know Nigel Simpson. Nigel has been leading an enterprise-wide working group with over 40 members — at a really big entertainment and media company — to define his […]