

Today's Security Brief: Application security is widely neglected (by some surprising companies)

March 26, 2012 By Tim OBrien

Today we published a paper with Aspect Security, and it's a shocking look at how few people are paying attention to application security. If you consume dependencies from the Central Repository and you don't want to get hacked, I'd suggest reading the report to understand some of the challenges, and I'd also take a look at the statistics it contains. Here are three that jumped out at me:

  • Global 500 organizations downloaded more than 2.8 million insecure components in one year.
  • Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
  • 48% (a little under half) of organizations don't have an inventory of the open source software they use in production. (If a new vulnerability is discovered in something like GWT, who knows whether we are running it in production.)
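The third statistic is the one a developer can fix this afternoon: you cannot answer "is GWT in production?" without an inventory of what each deployed application actually resolves. The following is an added example, not code from Sonatype, Aspect Security or the report, that builds such an inventory from the output of `mvn dependency:list` (one run per application) and answers the GWT question. The application names and dependency lines are constructed sample data; the only real format assumed is Maven's `groupId:artifactId:type[:classifier]:version:scope` line, and test-scoped dependencies are dropped because they never ship.

```python
import re
from collections import defaultdict

# Constructed sample: what `mvn dependency:list` prints for two hypothetical
# production applications. Not real data from the report or any company.
SAMPLE_OUTPUT = {
    "billing-web": """\
[INFO] The following files have been resolved:
[INFO]    com.google.gwt:gwt-user:jar:2.4.0:compile
[INFO]    com.google.gwt:gwt-servlet:jar:2.4.0:runtime
[INFO]    org.apache.struts:struts2-core:jar:2.3.1:compile
[INFO]    junit:junit:jar:4.8.2:test
""",
    "reporting-batch": """\
[INFO] The following files have been resolved:
[INFO]    commons-io:commons-io:jar:2.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.6.4:compile
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
""",
}

# Every dependency line is "[INFO]" followed by one colon-separated coordinate.
DEP_LINE = re.compile(r"^\[INFO\]\s+(\S+)\s*$")


def parse_dependency_list(text):
    """Yield (group, artifact, version, scope) tuples from `mvn dependency:list`
    output. Coordinates have 5 fields, or 6 when a classifier is present, so
    version and scope are always the last two fields."""
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) not in (5, 6):
            continue  # header text such as "The", not a coordinate
        group, artifact = parts[0], parts[1]
        version, scope = parts[-2], parts[-1]
        yield group, artifact, version, scope


def build_inventory(outputs, production_scopes=("compile", "runtime")):
    """Map "group:artifact" -> {version -> set(apps)} for components that
    actually reach production. Test and provided scopes are excluded."""
    inventory = defaultdict(lambda: defaultdict(set))
    for app, text in outputs.items():
        for group, artifact, version, scope in parse_dependency_list(text):
            if scope in production_scopes:
                inventory[f"{group}:{artifact}"][version].add(app)
    return inventory


def where_used(inventory, group, artifact=None):
    """Answer "do we run this in production, and where?" for a whole groupId
    (every GWT artifact) or for one artifact. Returns
    {"group:artifact": {version: [apps...]}}, empty if nothing matches."""
    hits = {}
    for ga, versions in inventory.items():
        g, a = ga.split(":")
        if g == group and (artifact is None or a == artifact):
            hits[ga] = {v: sorted(apps) for v, apps in versions.items()}
    return hits


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_OUTPUT)
    # The question from the post: a new GWT advisory lands, where are we exposed?
    for ga, versions in where_used(inv, "com.google.gwt").items():
        for version, apps in versions.items():
            print(f"{ga}:{version} -> {', '.join(apps)}")
```

Once the inventory exists, matching a new advisory is a lookup on `where_used` plus a version comparison against the affected range; without the inventory, that step is a guess.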

To access the executive brief, "Addressing Security Concerns in Open-Source Components," visit www.sonatype.com/securitybrief. You can follow the conversation on Twitter using the hashtag #OSSsecurity.

NOTE: Now, developers, I know what you are thinking: you see the words "Executive Brief" and immediately dismiss this as C-level corporate-speak. Sure, there's a little bit of that, but you'll also learn how to own any unpatched Struts 2 application with a known vulnerability. If you use Struts, maybe you should read this report before your boss uncovers a vulnerability in your application?

Tags: Nexus Repo Reel, Sonatype Says, security, The Central Repository, Open Source, #OSSsecurity

Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations, ranging from small startups to Fortune 100 companies, take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.