Paul is not part of our development team, he doesn’t want to be, and he certainly does not slow them down. But with that said, Paul knows how to work at DevOps speed. He knows legal reviews need to happen at the speed of development on every component, every build, and every release. How much time does Paul spend reviewing open source and third-party software components in the software we are building? Almost none. Yup. That is because we have automated him.
[Editor’s Note: An update to this article is now available. As of February 2015, active Nexus instances have reached 50,000. For more information, please see the new blog post at: http://blog.sonatype.com/2015/02/nexus-reaches-50000/#.VPTXZEuf96k] Over the past 15 months, active Nexus instances have grown from 21,000 to 42,000. Wowza. That is news worth sharing, because you made it […]
If you are in the midst of creating (or even planning to implement) an Open Source Governance Policy for your organization, then you’ll want to get to know Nigel Simpson. Nigel has been leading an enterprise-wide working group with over 40 members — at a really big entertainment and media company — to define his […]
In Part 1, ‘[ ________ ] is the Best Policy, we looked at some of the common aspects of an open source policy and discussed how our recent survey discovered that 41% of people think that policies are not enforced. Now in Part 2, we will look at how effective policies are when considering security concerns.
Open source has been around for donkey’s years but until recently the persuasive argument of “many eyeballs” was the guiding policy when using open source. In comes the recent industry shock wave we all know as Heartbleed and now many of us are re-evaluating the cost of free software.
While Repository Health Checks are valuable, we just released something even better: the CLM 1.11 Dashboard. First of all, it helps you answer the first two critical open source vulnerability questions: did we ever use that and where is it? And, you can find out the answers to those questions in about three seconds.
Want to win a programmable LEGO robot? Share your voice in this year’s survey. The real intent of the Open Source Development Survey is to SPARK DISCUSSION. Remember, it’s not the stats that count…it’s the value of the discussions that follow that make this survey so important. So take 5 minutes and take the survey. (it takes less than 5 minutes, we promise)
The recent FS-ISAC whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers”, reveals the majority of internal software applications created by financial services involve acquiring open source components and libraries to augment custom developed software. While open source code is freely available and reviewed by many independent developers, that review effort does not translate into all software components and libraries being free from risk.
In short, open source security can’t be an after thought. Security isn’t only the responsibility of ‘security professionals’ but instead a shared responsibility for all parties involved in developing or managing an organization’s software supply chain. Better put in the FS-ISAC guidelines…