“They wait until the software flaw trends on Twitter”
Here is another post on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO. Wendy was...

“Personally, I have always been a fan of bribery”
Here is another post on my favorite quotes from the Security at the Speed of Development webinar with Wendy Nather, Research Director, Security for 451 Research and Ryan Berg, Sonatype CSO. When asked...

Application Security, Not so Black & White
I’m glad to see that Simon Phipps, independent open source consultant and a director of the Open Source Initiative, promotes the need to manage components effectively. In his recent InfoWorld article he...

Is it time for a Nexus Repository Health Check? Come to the Nexus Office...
If your repository contained a jar file with a known vulnerability, how would you know? What would it mean to you to have that sort of visibility into your repository health? This isn’t probably...

See the Great Battle of Security and Speed at the Gartner Security & Risk...
Once upon a time… there was a great battle between Speed and Security. Development wanted to go fast, but security wanted to slow down and be safe. Sound familiar? Modern applications are no longer...

How Will you Manage the New Addition of A9 to the OWASP Top 10 List?
It’s fair to say we were excited back in May when the OWASP community proposed A9 “Using Components with Known Vulnerabilities” as a top 10 open source security risk – so now it’s official, component...

Good Hygiene Should be a Foundation of Application Security
Over the past week, there have been several articles, blog posts and security institutes about the latest release of the OWASP Top 10. Now is the right time to join the discussion. All this chatter...

Do Vulnerability Counts Really Matter?
Do vulnerability counts from sources like the National Vulnerability Database (CVE data) and Open Source Vulnerability Database (OSVDB) really matter? A recent article by Robert Lamos at darkREADING,...

12 Takeaways from Gartner Security & Risk Management Summit
I recently attended a Gartner event on security and risk management. There were many high-level sessions that talked about risk management and security strategy – good guidance when you are focused at...

Soup Anyone?
I recently attended and gave a brief talk at the Software Assurance Working Group. I spoke about the need for security folks to speak with developers – not at them. This is a frequent topic in the...

Announcing CLM 1.5: New release simplifies policy management
At its core, Sonatype CLM uses policies to manage component usage. Policies provide automated guidance and enforcement throughout the software lifecycle, allowing for direct, stage-appropriate actions....

Sonatype applauds GitHub’s approach to encourage OSS license selection
GitHub’s move to encourage developers to select an open source license for source code published to GitHub highlights the need for organizations to properly manage license concerns. The Central...

Hack Takes a Bite of the Apple
The latest news hitting the wire, the internet, the blogosphere and the social media circuit is the hack of the Apple developer site that was acknowledged by Apple. To no one’s surprise, this was...

Do you trust your software supplier? Questions to ask yourself – and them!
Ever since I attended the recent Gartner Security & Risk Management Summit, I’ve found myself thinking a lot about whether “you can trust your software supplier”. My colleague wrote about this a bit in...

Application security needs to be redefined to stay relevant
Ok, so maybe it’s not the definition that’s the problem. Maybe it’s the fact that most people think of DAST and SAST when it comes to application security. And when most developers are faced with DAST...

Sonatype Nexus Open Source Community Projects
Sonatype Nexus can easily be integrated with external systems due to the fact that all functionality is available via various REST API calls. On the other hand Nexus can be expanded by writing plugins...

PCI 3.0 – Secure Payment Requires Secure Components
Well there is nothing like an updated specification that drives action or interest in a topic. We’re seeing that with the introduction of PCI 3.0. While there are several key updates to the...

Taking Advantage of the New and Improved Nexus 2.7
One of the approaches to software that I strongly believe in is taking advantage of the latest product innovations in all new releases. I think it’s important to upgrade to the latest versions of build...

Component-Capable Release Management is Key to DevOps
DevOps conversations are dominated by release management and production deployment. These are the primary...

What’s Happening in the Land of Open Source Components
It’s certainly a busy time for open source component usage. Many of you are familiar with research that we have done that shows the average application now consists of 90% open source components. And...