Resources Blog DevSecOps and GDPR:  Why Open Source Risk Management Has ...

DevSecOps and GDPR:  Why Open Source Risk Management Has Never Been More Important

We live in an application economy.

Like it or not -- this economy is underpinned by a sharp double edge sword.

On one side of the sword -- innovation is king, speed is critical, and CEOs are challenging software development teams to release faster, improve quality, and accelerate innovation.

On the other side of the sword -- risk management is king, governance is critical, and CEOs (and auditors) are challenging IT organizations to create controls to minimize risk and automate compliance with a myriad of regulatory requirements, including GDPR which is set to take affect in May 2018.  GDPR mandates that organizations must know where and how the private data of EU citizens is stored and accessed and prove that such data is appropriately protected “by design and by default” with appropriate safeguards across the entire software lifecycle -- from development, to security, to operations.

Stuck in the middle are the teams of people who do the work and run the modern software factory.  I am referring to software architects, developers, security professionals, and IT operations managers.  For them, the intense pressure to innovate faster is not an excuse to cut corners.  Trade-offs are not an option.  They must dig deep, eliminate silos, collaborate more effectively, and find ways to serve both sides of the sword.

In this hyper competitive world, open source is the stimulant of choice among software developers.   Simply stated, investing time and money to build software from scratch is plain silly when developers can readily borrow it from someone else who has already done the work and agreed to share it for free.  Understandably, these dynamics create an insatiable appetite among developers for open source.  Last year alone developers downloaded 52 billion Java components and 59 billion JavaScript components from public repositories

While open source provides tremendous energy for modern development teams -- it also creates a unique and difficult challenge for modern IT risk managers and governance professionals.  The reasons are simple: open source components are not created equal and they can go stale quickly and expose organizations like Equifax to massive risk.

So, in order to serve both sides of the sword and thrive in the application economy, modern IT teams must: (1) continue to accelerate innovation by harnessing all of the good that open source has to offer, and (2) minimize risk by continuous governing open source quality, automating enforcement of defined application security policies, and ensuring compliance with regulations like GDPR.

Picture of Matt Howard

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years experience developing high-growth software companies, at Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.