There's a shift in the way organizations are thinking about security, and this article in Infoworld, "IBM: Security execs move more toward active risk management", is exactly what we've been talking about. Here are the quotes that stood out:
"Nearly two-thirds of security leaders say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention." and "60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations"
Instead of simple three-tier applications following the standard Apache -> Tomcat -> RDBMS pattern, today's scalable applications involve a portfolio of technologies: Redis, Hadoop, real-time BI systems, integration with third-party APIs, Node.js, and more, and more and more companies are adopting such a portfolio. It is becoming increasingly difficult to draw a line around a particular application and evaluate its security vulnerabilities in isolation.
Today, you need your security group sitting next to you, evaluating a complex application as it evolves. But, back to the article: it isn't just the evolution of technology that is making security a focus for business, it is a series of high-profile, embarrassing data breaches. A CEO who wouldn't have thought much about security technology a few years ago sees what happened to a Stratfor or a Global Payments and understands the risks. Data security is front and center in the news, and a data breach can be a business-ending event.
So get out in front of the problem. Start tracking your application dependencies and identify known vulnerabilities with Insight.
When we launched Nexus Professional with integrated Sonatype Insight data, we gave you the ability to keep track of your overall exposure to security vulnerabilities: your IT organization gained a window into the intersection of known vulnerabilities with the artifacts you download from Central. That was a good start, but the real benefit is Insight for CI. We launched Insight for CI this week, and it's the tool you'll want to use to address security vulnerabilities in specific products. If it is your responsibility to keep up with security, one of the easiest ways to take a more proactive approach is to start using Insight for CI to track your application's dependencies on every build.
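As an added illustration of the dependency-tracking idea above (example code written for this page, not Sonatype's Insight or Nexus code): a minimal check that parses the dependencies from a Maven pom.xml, resolves `${property}` versions, intersects each group:artifact:version coordinate with an advisory list, and returns a CI exit code. The pom.xml, the `org.example` artifacts and the `ADV-000x` advisory ids are all constructed for the example; a real check would draw its advisory data from a feed such as Insight's and use Maven's full version ordering rather than the simplified numeric comparison here.

```python
"""Added example (not Sonatype's code): intersect a Maven POM's dependencies
with a list of known-vulnerable artifact version ranges, as a CI gate would."""
import re
import xml.etree.ElementTree as ET

# Maven POMs declare this namespace; ElementTree needs it for every tag lookup.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisory data: hypothetical artifacts and ids, not real CVEs.
# The affected range is [introduced, fixed), half-open as in most feeds.
ADVISORIES = [
    {"id": "ADV-0001", "group": "org.example", "artifact": "example-json",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-0002", "group": "org.example", "artifact": "example-cache",
     "introduced": "2.0.0", "fixed": "2.3.0"},
]

# Constructed pom.xml: one version inlined, one taken from <properties>,
# one test-scoped dependency that the gate skips by default.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example.shop</groupId>
  <artifactId>checkout</artifactId>
  <version>1.0</version>
  <properties>
    <cache.version>2.2.1</cache.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-json</artifactId>
      <version>1.3.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-cache</artifactId>
      <version>${cache.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-http</artifactId>
      <version>5.1.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """Turn '1.4.2' into a padded tuple (1, 4, 2, 0) for ordering.
    Caveat: Maven's real ordering (qualifiers such as -SNAPSHOT or -beta) is
    richer than this; non-numeric pieces are treated as 0 here."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def _text(parent, name, default=""):
    el = parent.find("m:" + name, POM_NS)
    return (el.text or "").strip() if el is not None else default


def parse_dependencies(pom_text):
    """Return (group, artifact, version, scope) tuples from a pom.xml,
    resolving ${property} references against the POM's own <properties>."""
    root = ET.fromstring(pom_text)
    props = {}
    props_el = root.find("m:properties", POM_NS)
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}", 1)[-1]] = (child.text or "").strip()

    def resolve(value):  # leave unknown ${...} untouched so it gets flagged
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        version = _text(dep, "version")
        version = resolve(version) if version else None  # None: managed elsewhere
        deps.append((_text(dep, "groupId"), _text(dep, "artifactId"),
                     version, _text(dep, "scope", "compile")))
    return deps


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(pom_text, advisories=ADVISORIES, include_test_scope=False):
    """Sorted list of (coordinate, advisory_id). A dependency whose version
    cannot be resolved is reported as 'UNRESOLVED' rather than silently passed."""
    findings = []
    for group, artifact, version, scope in parse_dependencies(pom_text):
        if scope == "test" and not include_test_scope:
            continue
        coord = f"{group}:{artifact}:{version}"
        if version is None or "${" in version:
            findings.append((coord, "UNRESOLVED"))
            continue
        for adv in advisories:
            if (adv["group"], adv["artifact"]) == (group, artifact) and is_affected(version, adv):
                findings.append((coord, adv["id"]))
    return sorted(findings)


def ci_gate(pom_text, advisories=ADVISORIES):
    """0 if the build may proceed, 1 if any known-vulnerable or unresolvable
    dependency is present; usable directly as a CI step's exit code."""
    return 1 if find_vulnerable(pom_text, advisories) else 0


if __name__ == "__main__":
    for coord, adv_id in find_vulnerable(SAMPLE_POM):
        print(f"{adv_id}\t{coord}")
    raise SystemExit(ci_gate(SAMPLE_POM))
```

Two design choices matter for a real gate: an unresolvable version fails the build instead of being skipped, because a dependency you cannot identify is one you cannot clear; and test-scoped dependencies are excluded by default since they do not ship, but the flag is there for teams that want the stricter policy.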