While Repository Health Checks are valuable, we just released something even better: the CLM 1.11 Dashboard. First of all, it helps you answer the first two critical open source vulnerability questions: did we ever use that and where is it? And, you can find out the answers to those questions in about three seconds.
Paul Roberts (@paulfroberts) at InfoWorld recently shared his perspective on “5 big security mistakes coders make”. First on his list was trusting third-party code that can’t be trusted. Paul shares: “If you program for a living, you rarely — if ever — build an app from scratch. It’s much more likely that you’re developing an application from a pastiche of proprietary code that you or your colleagues created, partnered with open source or commercial, third-party software or services that you rely on to perform critical functions.
I can still recall (it actually pains me to count the years, so I refuse to) with perfect clarity the sound of my 1200 baud modem handshaking with my neighborhood’s local BBS. It’s a sound that so consistently produces a smile for me, I liken it to the crisp smell of air just before rain begins to fall; it’s something instantly recognizable.
The U.S. recently overtook France as the world’s largest wine market. And here at Sonatype, we can proudly say we’ve contributed to this achievement. By not only consuming our fair share of wine but by also being involved — outside of work — in crafting our own wines. Over the 4th of July holiday, I was able to enjoy some of the wine I’ve aged over the years. For the best wines, aging can create spectacular results years down the line. Unfortunately, the same cannot be said for code and components used in today’s applications. Where aging improves a fine wine, code ages more like milk.
Enthusiasm for securing the software supply chain is growing in both conversation and practice. For the past year, Sonatype has called for a new approach to securing the software supply chain that gives organizations an opportunity to protect their business and their applications from hacker exploits — taking a frictionless approach built into the supply chain and software development lifecycle, as opposed to bolt-on solutions looking for vulnerabilities later in the development process.
Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe. For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…
Today Sonatype and HP announced Sonatype’s Component Lifecycle Management (CLM) analysis technology has been integrated into HP’s cloud-based software security solution – HP Fortify on Demand.
Let me open your eyes to a tidal wave of change that has already flooded the development organizations across Financial Services and other industries: “Software applications are no longer coded from scratch. They are assembled from building blocks — commonly known as open source components.” This is not a prediction about a tidal wave to […]
Applications are becoming the primary security threat vector. Since applications are constructed from 3rd party components, there continues to be a tremendous amount of industry effort and impetus behind managing open source components effectively. And now we can add the Financial Services / Information Sharing and Analysis Center (FS-ISAC) to the list.
It’s fair to say we were excited back in May when the OWASP community proposed A9 “ Using Components with Known Vulnerabilities” as a top 10 open source security risk – so now it’s official, component vulnerabilities are considered a critical web security flaw. But why has this addition warranted its own category, formerly classified […]