
09/04/2018 in Quality

DevSecOps and GDPR – Why Open-Source Governance is so important


Shane Close

Guest Author


In an economy shaped by applications, software development teams face the challenge of releasing new versions faster, improving quality and accelerating innovation.

However, speed has its limits. IT organizations need checks to minimize risks, improve security and ensure compliance with guidelines.

Under GDPR, companies need to know where and how personal data of EU citizens is stored and accessed. They have to prove that such data is protected "by design and by default" with appropriate safeguards throughout the whole software life cycle.

These competing demands for speed and control confront everyone operating modern software factories: software architects, developers, security experts and IT managers. But this high pressure to innovate must not lead to lower expectations. Instead, it is necessary to work deliberately, to break down organizational and cultural silos and to find ways to introduce checks that keep pace with the speed of development.

Against this background, open-source components are the weapon of choice among software developers. In fact, the adoption of open-source components is so common that, according to recent research, approximately 80% of a software application consists of these components.

Note: The originally linked "State of the Software Supply Chain Report 2017" by Sonatype is no longer available.

Even though open source brings speed, efficiency and enormous energy to modern software development teams, it confronts IT risk managers and governance experts with difficult challenges. Some components contain known security issues, and developers are often allowed to use them without any evaluation of the potential risks. Given that more than 200,000 components are in use and a manual review takes 3 to 4 hours per component, the necessary review cannot keep up with the rate of adoption.

Known security vulnerabilities in open-source components can be exploited to gain unauthorized access to applications and their data. According to reports by Forrester Research, security vulnerabilities in applications are the main attack vector for hackers.

Better alternatives

Software development life cycle

Sonatype Lifecycle allows you to identify and analyze open-source components very precisely. This way, software development teams always stay up to date and their applications stay secure. Sonatype Lifecycle grants instant access to security-related information and other details about components to simplify component selection. By creating a software component parts list (a bill of materials), Sonatype Lifecycle tracks the usage of components throughout the whole development lifecycle. If new vulnerabilities are detected for a component, the teams are informed immediately and possible remediations are presented.
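The mechanism described above, a component parts list matched against vulnerability data, in miniature: this is an added example, not Sonatype's or Cloudogu's code. It extracts dependency coordinates from a constructed Maven pom.xml and checks them against a constructed advisory feed; the org.example components and the ADV-000x identifiers are placeholders.

```python
"""Build a component parts list (SBOM) from a Maven pom.xml and match it
against a vulnerability feed. Added example; pom, feed and advisory IDs
are constructed placeholders, not real components or advisories."""
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment standing in for a real project manifest.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>parser</artifactId><version>1.4.2</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>webcore</artifactId><version>3.0.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>logging</artifactId><version>2.9.0</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed; affected range is [introduced, fixed).
FEED = [
    {"id": "ADV-0001", "component": "org.example:parser", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-0002", "component": "org.example:logging", "introduced": "2.0.0", "fixed": "2.8.0"},
]

def version_key(v):
    """Numeric tuple so '1.10.0' sorts after '1.9.0' (plain dotted versions only)."""
    return tuple(int(p) for p in v.split("."))

def build_inventory(pom_xml):
    """Return the parts list as {'groupId:artifactId': version}."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    inventory = {}
    for dep in root.findall(".//m:dependency", ns):
        group = dep.find("m:groupId", ns).text
        artifact = dep.find("m:artifactId", ns).text
        inventory[f"{group}:{artifact}"] = dep.find("m:version", ns).text
    return inventory

def match_vulnerabilities(inventory, feed):
    """Return (component, version, advisory id) for every affected component."""
    hits = []
    for adv in feed:
        version = inventory.get(adv["component"])
        if version is None:
            continue
        if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
            hits.append((adv["component"], version, adv["id"]))
    return hits

def policy_passes(inventory, feed):
    """Gate for a build step: True only when no component is affected."""
    return not match_vulnerabilities(inventory, feed)

if __name__ == "__main__":
    inv = build_inventory(POM_XML)
    for component, version, advisory in match_vulnerabilities(inv, FEED):
        print(f"{component}@{version} affected by {advisory}")
```

Re-running `match_vulnerabilities` against a freshly downloaded feed is what turns a one-off scan into the continuous tracking the paragraph describes: the inventory stays the same, only the feed changes.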

Leading companies that use Sonatype Lifecycle to automate their open-source governance and to secure their applications are well ahead on GDPR compliance.

This is a guest post by our partner Sonatype, who works on interesting and important topics like DevSecOps and efficiency with their Nexus products.