Today’s Security Brief: Application security is widely neglected (by some surprising companies)
Today we published a paper with Aspect Security, and it’s a shocking look at how few people are paying attention to application security. If you consume dependencies from the Central Repository and you don’t want to get hacked, I’d suggest reading the report and understanding some of the challenges; I’d also check out some of these statistics. Here are three that jumped out at me:
- Global 500 organizations downloaded more than 2.8 million insecure components in one year.
- Financial services firms are the most exposed: Global 100 financial services firms alone downloaded more than 567,000 insecure components in one year.
- 48% (a little under half) of organizations don’t have an inventory of the open source software used in production. (If a new vulnerability is discovered in something like GWT, who knows whether we have that in production.)
To access the executive brief, “Addressing Security Concerns in Open-Source Components,” visit www.sonatype.com/securitybrief. You can follow the conversation on Twitter using the hashtag #OSSsecurity.
NOTE: Now, Developers, I know what you are thinking, you see the word “Executive Brief” and immediately dismiss this as C-level corporate-speak. Sure, there’s a little bit of that, but you’ll also learn how to own any unpatched Struts 2 application with a known vulnerability. If you use Struts, maybe you should read this report before your boss uncovers a vulnerability in your application?
How well do you know your open source licensing?
Choosing components with appropriate licenses is critical to ensuring you realize the benefits and avoid the risks when developing with open source components. But, how well do you know your licenses?
- Can you describe the differences between permissive, weakly protective and copyleft licenses?
- Do you understand the ramifications of including copyleft licensed components in your commercial applications?
- Do you know how component dependencies affect your application’s licensing?
If you want to brush up on your knowledge, please check out our short paper on open source licensing available here.
Tips for Increasing Open Source Benefits – Tips #1 and #2
With our launch of Insight, we’ve been talking to a lot of customers and prospective customers about effective management of open source-based development. At this point, we’ve heard it all. But some trends have emerged. One thing is clear: virtually everyone wants to use more open source in their development process, but realizes the need to effectively manage its use. With thousands of components in use across their organizations, many people struggle with where to start. With this in mind, we’ve put together a “top 10 list” to get things started. You’ll find a summary of the entire list here.
We’ll be exploring each item in more depth through a series of five blog posts. But for now, let’s start at the beginning with understanding your current usage of open source components.
Avoid Lawyers — Track Your Licenses
As someone who has been through the process of supporting litigation, I want to share my experience so that you understand what could happen when your organization incorporates OSS components under the wrong license or deals with code of questionable provenance. I’m writing this blog entry to convey the experience of being a developer who has to support litigation – it isn’t fun or productive, and it is usually something that is completely avoidable.
Publishing Your Artifacts to the Central Repository
Sonatype makes it easy to add your projects to the Central Repository with a free, public hosting service called OSSRH. We first blogged about this back in 2009, but given the growth in the community, we thought some of you may not have seen that post, so we decided to update it.
