How to Better Navigate the World of DevSecOps with Sonatype and Saltworks Security

Recently we partnered with Orasi Software and Saltworks Security to discuss how organizations are using open source software. Saltworks’ Founder and CEO, Dennis Hurst, and Sonatype’s VP of Solutions Architecture, Maury Cupitt, sat down to share their thoughts on why it is crucial for organizations to shift security practices left and provide developers with high-quality open source components to build their applications. If you missed the discussion, you can view the on-demand recording here.

Open source is everywhere. Today’s modern enterprise applications are made up of 85% open source components. Between the root components and their transitive dependencies, organizations are easily using hundreds of thousands of open source components, with many different versions proliferating across their environments.

While open source provides immense value, it also exposes organizations to a dangerous world of risky licences and bad actors who constantly look to exploit, and sometimes deliberately plant, security vulnerabilities in the software supply chain. In fact, 1 in 10 open source components contains a known vulnerability, and 1 in 4 organizations have experienced an open source breach in the last 12 months. Yet still, shockingly, 38% of organizations using open source have no governance policy in place at all. Of the organizations that do have some level of enforcement, the majority rely on a process that is largely manual and unreliable, with long lead times.

What used to be a 45-day window for fixing an exploitable vulnerability is now just 3 days, meaning we absolutely must automate faster than evil. If you can’t patch, remediate, ship and deploy a fix within three days, you are vulnerable.

[Figure: Vulnerable versions of Struts. Post-Equifax breach, developers continue to download the vulnerable Struts 2 component at a higher rate.]

So what do we do? It starts with purposeful digital transformations that deliver value to your organization, your customers, and your end-users. Organizations need (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Tanya Feghali. Read the original post at: