Enthusiasm for securing the software supply chain is growing in both conversation and practice. For the past year, Sonatype has called for a new approach to securing the software supply chain, which gives organizations the opportunity to protect their business and applications from hacker exploits. It takes a frictionless approach built into the supply chain and SDLC, as opposed to bolt-on solutions looking for vulnerabilities later in the development process.
The conversation is not Sonatype's alone. Just this past week, Wendy Nather, Security Research Director at 451 Research, covered this growing enthusiasm in an Impact Report entitled, "Is open source the new sexy? Sonatype hits the catwalk."
Impact Reports are written by 451 Research analysts, usually as a follow-up to recent conversations they have had with technology leaders like Sonatype. 451 Research produced this Impact Report independently. Here are some of our favorite quotes. You can download the full report here.
"The company's latest open source and application security survey, released in mid-June, revealed that one out of 10 respondents had an open-source-related breach in the past year. And 63% of those who answered the survey reported that they don't track the vulnerabilities in the components that they are using. This could be a recipe for disaster. But it's also an opportunity to address many of today's widespread security issues, and that's a good opportunity for Sonatype as well: one of its latest announced integrations is with HP Fortify on Demand."
"Sonatype's visibility is increasing with the help of evangelism from the likes of the FS-ISAC, the Open Web Application Security Project and the PCI Council. All three of these organizations have started to warn about the dangers of using third-party components with known security vulnerabilities. Supply chain security has become more important lately, and Sonatype is well positioned to take advantage of it."
"Sonatype is thinking much bigger than just open source. The company is working toward becoming the 'parts warehouse' for every component that goes into an enterprise's software, whether it be open source, proprietary code, automation or even VM images. In order to create a fully controlled and secure supply chain – one that supports DevOps and agile methodologies – organizations will need to put all their 'building materials' under centralized control, and track them even after they're deployed into production."
Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps, an online community of 65,000 IT professionals.