Sonatype Blog

Stay updated on the latest news from the makers of Nexus

How are Federal Agencies Implementing DevOps & System Modernization

As government agencies seek to become more innovative and agile, they’re embracing DevOps practices and open source software to rapidly and efficiently develop higher quality applications. These agencies must ensure the components they are using are reliable and free of vulnerabilities.

Intuit’s DevSecOps: War Games, Gamification, and Culture Hacking

Wow, if you ever wanted to learn about Rugged DevOps (some call it DevSecOps), sit down for a spell with Shannon Lietz, Ian Allison, and Scott Kennedy from Intuit. We discussed a number of important topics including internal war games, culture hacking, gamification of Rugged DevOps, and starting as a small team. There are 100 gold nuggets in this conversation for novices and experts alike. Just yesterday Shannon shared her story on the first stop of the Nexus World Tour in Dallas, TX. She'll also be with us in Chicago on April 27th. To catch Shannon as a keynote on the Nexus World Tour, register here.

Josh Corman on Keeping up with Hackers [CNBC VIDEO]

Josh Corman had a busy week at BlackHat last week. During the chaos, CNBC news caught up with him to talk about recent cyber attacks and what can be expected in the future.

Bash 2014 - This Is Not a Party

I can honestly say that although referred to by the media as Shellshocked, I am neither shocked nor awed.

I can’t say that I am a fan of the latest glorification of bugs like Heartbleed and Shellshock in a fashion similar to tropical storms, but if it gets more people to pay attention to the exponential growth of our reliance on software I can’t say I am too worked up about it either.

One thing that is unarguable is that this just happens to be the latest (and if you are reading this before you have patched, stop right now, patch, and then come back to finish).

I think both Heartbleed and Shellshock are just two issues that masked an even bigger problem:

  • our ability to rapidly create the next newest and greatest thing is increasingly outpacing our ability to understand what is really in our software, and

  • our ability to understand where we have deployed our software.

You see, it is these two things that point to the bigger issue. We all know there will be new problems, the next biggest security threat, but we have no hope of “fixing” this problem if we don’t know both what is in our software and where that software is deployed.

I wonder how many IT administrators are rapidly trying to answer the two critical crisis questions (a blog from July) to figure out how many systems have bash installed, and then rapidly apply the patch? We are still seeing updates to software that's vulnerable to Heartbleed.

This is truly indicative of our inability to have even the most basic understanding of our software supply chain (a failing of many of even the most mature SDLCs). In the case of Heartbleed and Shellshock, those that do have that understanding are much more secure than those that do not, and this doesn’t take an army of security professionals to figure out. I would be willing to bet a majority of companies spend more money being able to manage physical assets (sometimes down to every pen) than software assets, even though the amount of software-related asset growth is through the roof.

You can read all about Shellshock and how big of a deal it is elsewhere; I don’t think I need to add another voice to this chorus, but I do want to highlight that there is a bigger issue. You can’t patch what you don’t know you have. And if you have it, you need to know where it is.

If you spend a little more time understanding your software supply chain (and yes it is a supply chain), you might not be scrambling as much to fix your systems the next time (and yes there will be a next time).

(image credit: http://bit.ly/1wMOvet)

TED Talks Security: 3 Provoking Discussions

I love watching TED Talks. To me, they are 15 well-spent minutes watching experts from around the world provide great insights into things I thought I knew well, things I had never imagined, or topics on which I want to gain a deeper perspective.

Move Left and Be More Secure

Author Attribution: This post was written by a guest blogger: Mark Miller, Founder and Curator of Trusted Software Alliance.

A Brief and Incomplete History of DevOps

The use of DevOps methodology and a structured process for integrating security into the development process is becoming more prevalent as large enterprises are seeing the benefits of a strategic alliance between development teams and operations. Instead of throwing the pig over the fence and hoping it turns into bacon by the time it touches the ground in operations, the relationship between the two warring factions is changing.