Tag Archives: application security

Securosis Dives Deep into our 2014 Survey


July 2, 2014 By
Derek Weeks
True State of Open Source Security

There are two ways to motivate others to action: emotional appeal and fact based analysis. Our 2014 Open Source and Application Security survey results touched on both. We’ve run this survey for the past four years, but this time we decided to reveal the results in a new way. Rather than let our marketing team “spin” the results, we wanted to provide you a completely independent perspective focus on both open source development and application security. Adrian Lane, CTO and Security Analyst, at Securosis jumped at the chance. We provided him the raw survey results data and he agreed to write the analysis. We did not ask or direct him on what to write; in fact, Securosis’ Totally Transparent Research methodology does not allow companies like Sonatype to influence their research.

Continue reading...

The 2014 Survey: Marked by an Industry Shock Wave


June 20, 2014 By
Wayne Jackson
2014 Open Source Survey

Wow! What an amazing turnout we had for our 4th annual survey: 3,353 participants this year brings us to over 11,000 participants in the four years we’ve run this survey. I would like to extend a BIG THANK YOU to all who participated! The survey started with a bang and was quickly followed by a shock wave. Just a week after our 2014 survey kicked off this year, the tech world was thrown off by the announcement of the Open SSL bug dubbed Heartbleed.

Continue reading...

Walking in the Open Source Component Garden


June 17, 2014 By
Derek Weeks
Parallels of OSS and Gardens

Its not everyday I can stop to enjoy my afternoon tea outside on my deck, overlooking my garden. But today I did and while admiring my beautiful blooming flowers, I started to draw some parallels between my garden and software development. Full disclosure, I wouldn’t consider myself a true gardener. I buy plants that have already been cultivated to a mature stage on someone else’s farm or in someone else’s greenhouse.

Continue reading...

Cheeseburger Risk: Not for the Faint of Heart


May 20, 2014 By
Derek Weeks
Cheeseburger Risk

If you had a heart attack, would you stop eating cheeseburgers? For most people, the answer is “No”. A recent survey of 1,000 survivors found that 60 percent of heart attack victims weren’t sticking to a healthy diet and about 30 percent still had high cholesterol and blood pressure. Hey, old habits (especially the tasty ones) die hard. Funny thing is, the same behavior for those who have suffered a heart attack is found in application security. If you have been breached, chances are you have not changed your security diet.

Continue reading...

Are OpenId and OAuth ‘Bleeding’?


May 7, 2014 By
Ryan Berg
OpenId and OAuth

Now that Heartbleed has become the new measuring stick for vulnerability disclosures, I have had several people ask me, “Is this OpenId/Oauth thing the next Heartbleed?” The long answer, as Run DMC once said, is “It’s Tricky, Tricky, Tricky, Tricky”. The TL/DR (too long/didn’t read) answer is “No”.

Continue reading...

Like a Good Holiday, the Verizon Breach Report is Here


May 2, 2014 By
Ryan Berg
Verizon Data Breach Report

Like a good holiday the Verizon 2014 Data Breach Investigation Report (DBIR) is something I look forward to every year. Now that I’ve had some office time to digest this, I figured no better time to share my thoughts. I am not going to cover all sections, but do want to highlight a few things that stuck out to me

Continue reading...

Are we doing enough to prevent future “bleeding hearts”?


April 11, 2014 By
Wayne Jackson
Heartbleed Bug

As the HeartBleed bug wreaked havoc on the internet over the past few days, we at Sonatype began thinking about the lessons learned from this recent scare and how, collectively, we can develop a process for mitigating the next major exposure.

Continue reading...

DevOps: The Last Great Hope for Application Security?


April 8, 2014 By
Derek Weeks
DevOps: The Last Great Hope of Application Security?

Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe. For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…

Continue reading...

Code Snippet Scanning: Is it Really Needed Anymore?


April 4, 2014 By
Brian Fox
Code Snippet

Code snippet scanning is a common question we get from prospects. We typically try to dig at why the prospect actually thinks they need snippet matching. We think this comes from mis-informed demand. To create conversation with the masses on this topic, I’ve shared my perspective so you have a complete picture of the risk and cost of code snippet scanning.

Continue reading...

2014 Open Source Development Survey: Making Results Matter


April 1, 2014 By
Derek Weeks
mindstorm

Want to win a programmable LEGO robot? Share your voice in this year’s survey. The real intent of the Open Source Development Survey is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important. So take 5 minutes and take the survey. (it takes less than 5 minutes, we promise)

Continue reading...