It was a pleasure to sit down and talk about security, open source and DevOps with Sonatype's VP of Solutions Architecture, Maury Cupitt. We are happy to share a guest blog post about our discussion.
Recently we partnered with Orasi Software and Saltworks Security to explore how organizations are using open source software. Saltworks' Founder and CEO, Dennis Hurst, and Sonatype's VP of Solutions Architecture, Maury Cupitt, sat down to share their thoughts on why it is crucial for organizations to shift security practice left and provide developers with high quality open source components to build their applications. If you missed the discussion, you can view it on demand here.
Open source is everywhere. Today's modern enterprise applications are made up of 85% open source components. Between the root components and their transitive dependencies, organizations are easily using hundreds of thousands of open source components, with different versions proliferating across their environments.
While open source provides immense value, it also exposes organizations to a dangerous world filled with risky licenses and bad actors, who constantly exploit, and sometimes plant, security vulnerabilities in the software supply chain. In fact, 1 in 10 open source components contains a known vulnerability, and 1 in 4 organizations have experienced an open source breach in the last 12 months. Yet still, shockingly, 38% of organizations using open source have zero governance policy in place. Of the organizations that do have some level of enforcement, the majority of their process is very manual and unreliable, with lagging lead times. What used to be a 45-day window for an exploit fix is now just 3 days, meaning we absolutely must automate faster than evil. If you can't patch, remediate, ship and deploy a fix within three days, you are vulnerable.
Post-Equifax breach, developers continue to download the vulnerable Struts 2 component at a higher rate
So what do we do? It starts with purposeful digital transformations that deliver value to your organization, your customers, and your end-users. Organizations need automated supply chain practices that ensure they source fewer and better open source components, select the highest quality components, and continuously track and trace defects downstream. With the Sonatype, Orasi and Saltworks partnership, organizations can:
Shift Security Left - This starts with delivering intelligence within existing developer workflows to block vulnerabilities and remediate risk at the start of your supply chain.
Integrate Security Everywhere - Automate governance policies across the DevOps pipeline. Benefit from out-of-the-box integrations to the most widely used DevOps tools at every stage, with the ability to “warn” or “fail” a build at each control point.
Automate Security at Scale - There is no point in providing value early and everywhere in the SDLC if you can’t automate your governance process and scale your operations to go faster. Automate policies based on real-time vulnerability, license, and version intelligence with confidence.
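As an added illustration of the three points above (example code written for this post, not Sonatype's, Orasi's or Saltworks' own tooling), the gate below evaluates a constructed bill of materials against hypothetical per-stage policy: the same vulnerability, license and version rules are applied at each control point, but the build stage mostly warns while the release gate fails. Thresholds, component names and scores are all constructed.

```python
from dataclasses import dataclass

# Constructed component model; not Sonatype's data model or policy format.
@dataclass
class Component:
    name: str
    version: str
    max_cvss: float = 0.0      # highest CVSS among known vulnerabilities (0 = none known)
    license: str = "MIT"
    versions_behind: int = 0   # newer releases available than the one in use

# Hypothetical thresholds per control point: the build stage mostly warns,
# the release gate fails on the same classes of issue.
POLICY = {
    "build":   {"cvss_fail": 9.0, "cvss_warn": 7.0,
                "banned": {"AGPL-3.0", "GPL-3.0"}, "stale_warn": 5},
    "release": {"cvss_fail": 7.0, "cvss_warn": 4.0,
                "banned": {"AGPL-3.0", "GPL-3.0", "LGPL-3.0"}, "stale_warn": 3},
}

def evaluate(components, stage):
    """Return (component, action, reason) findings for one control point."""
    p = POLICY[stage]
    findings = []
    for c in components:
        if c.max_cvss >= p["cvss_fail"]:
            findings.append((c.name, "fail", f"CVSS {c.max_cvss} >= {p['cvss_fail']}"))
        elif c.max_cvss >= p["cvss_warn"]:
            findings.append((c.name, "warn", f"CVSS {c.max_cvss} >= {p['cvss_warn']}"))
        if c.license in p["banned"]:
            findings.append((c.name, "fail", f"license {c.license} not permitted"))
        if c.versions_behind >= p["stale_warn"]:
            findings.append((c.name, "warn", f"{c.versions_behind} releases behind"))
    return findings

def build_outcome(components, stage):
    """Collapse findings into the pipeline verdict: fail beats warn beats pass."""
    actions = {action for _, action, _ in evaluate(components, stage)}
    return "fail" if "fail" in actions else "warn" if "warn" in actions else "pass"

# Constructed bill of materials for a hypothetical application.
SAMPLE = [
    Component("example-web-framework", "2.3.31", max_cvss=7.5, license="Apache-2.0"),
    Component("example-logger", "1.2.17", max_cvss=5.3, versions_behind=4),
    Component("example-util", "3.1.0", license="LGPL-3.0"),
    Component("example-json", "2.9.8"),
]
```

Running `build_outcome(SAMPLE, "build")` yields `warn` while `build_outcome(SAMPLE, "release")` yields `fail`; the same findings that only warn early in the pipeline block the release.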
Open source is helping organizations innovate and deliver at an unprecedented rate. It's here to stay, but so are the risks. View the full recording to learn how your organization can deliver higher quality software faster with Sonatype and Saltworks.