As an experienced application security professional, you have good reasons for being constantly engaged in battle with cowboy-coders from the development tribe.
First, you've got an important job to do, and it's your neck on the line when mistakes are made. Second, you're operating in a world that is overwhelmed with components, containers, microservices, and risks. Third, you're witnessing firsthand the accelerating pace of development driven by agile, lean, and DevOps, born from the tremendous pressure to deliver software faster than ever before.
You do your best to encourage developers to take security concerns seriously. Sometimes they listen, but often they do what comes naturally to them: push forward with minimal regard for risk in an effort to meet aggressive deadlines.
Sometimes, when you encounter severe vulnerabilities, you put the brakes on everything and demand that developers remediate the risks before proceeding. Other times, you roll with the punches and lie awake at night wondering about the unknown risks lurking in your production applications.
We’ve been in your shoes, and we know it's tough.
More importantly, we know that agile, DevOps, and continuous delivery are not excuses to neglect security; rather, they are an opportunity to strengthen it. This, however, is only possible when you embrace a supply chain approach to software engineering and equip your teams with the ability to make quality choices early, often, and throughout the development lifecycle.
Security research is a slog
Researching components and containers is a time-consuming task that slows developers down. It's a catch-22, because developers view security research as running counter to productivity, efficiency, and speed. And let's be honest, a simple Google search does not come close to revealing the real risks that lurk deep in the uncharted depths of dependencies.
A better way
At Sonatype we have world-class experts who perform research all day, every day, so you and your developers don't have to. The deep intelligence generated by our research is continuously surfaced through our Nexus products and integrated into the tools that your teams use every day. With Nexus on your side, you have the power to partner with your development colleagues and eliminate security mistakes before they even happen.