Open Source Components, a Fine Vintage or Sour Milk?

By Derek Weeks · Jul. 09, 14 · Interview
The U.S. recently overtook France as the world’s largest wine market. And here at Sonatype we can proudly say we’ve contributed to this achievement, not only by consuming our fair share of wine but also by being involved, outside of work, in crafting our own wines.

Over the 4th of July holiday, I was able to enjoy some of the wine I’ve aged over the years. For the best wines, aging can create spectacular results years down the line. Unfortunately, the same cannot be said for code and components used in today’s applications. Where aging improves a fine wine, code ages more like milk.

New vulnerabilities are frequently discovered in open source components previously thought to be safe. To keep your applications from going sour, rely on automation to alert you when new risks are discovered in the components your existing applications already use.

The same goes for development. The idea that old = reliable for open source components doesn’t hold true. In fact, one of the greatest benefits of the open source community is collaborative development. Developers are spending a great deal of time updating and fixing old component versions; the challenge lies in giving developers the tools to identify risky component versions from the start. Developers need to be informed of the risk early on and have the right tools in place to choose approved components that meet organizational and departmental security policies.

There is no way developers can spend the time to go off and check for the latest versions, or to verify whether their version of a component (and its dependencies) is free from known vulnerabilities. There are too many sources of information to look through, and too little time. Success within the development process requires automation — the closer to the developer’s integrated development environment (IDE), where the code and components are assembled, the better.
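The automation the two paragraphs above ask for, as an added example that is not part of the original article or any Sonatype product: a component inventory is re-checked against an advisory feed, and only findings that were not present in the previous run are reported. Component names, versions and advisory ids are constructed sample data.

```python
"""Re-check a component inventory against vulnerability advisories, the
automation the article calls for: an application's component list is
re-evaluated whenever new advisories arrive, so a component that looked
safe at release time is flagged later. All names, versions and advisory
ids below are constructed sample data."""
from typing import Dict, List, Tuple

# Constructed inventory: the components an already-shipped application uses.
INVENTORY = {
    "example-xml-parser": "2.3.1",
    "example-http-client": "4.0.7",
    "example-logging": "1.2.0",
}

# Constructed advisory feed: each entry names the affected component and the
# half-open version range [introduced, fixed) that is vulnerable.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-001", "component": "example-xml-parser",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-CONSTRUCTED-002", "component": "example-http-client",
     "introduced": "3.9.0", "fixed": "4.0.0"},
    {"id": "ADV-CONSTRUCTED-003", "component": "example-logging",
     "introduced": "1.0.0", "fixed": "1.2.1"},
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0): compare numerically, not as text ('2.10' < '2.9' as strings)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable(inventory: Dict[str, str], advisories: List[dict]) -> Dict[str, List[str]]:
    """Map each affected component to the advisory ids that apply to its pinned version."""
    hits: Dict[str, List[str]] = {}
    for adv in advisories:
        version = inventory.get(adv["component"])
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.setdefault(adv["component"], []).append(adv["id"])
    return hits

def new_findings(previous: Dict[str, List[str]], current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Advisories not present in the last run: the alerts worth raising this time."""
    delta = {c: [a for a in ids if a not in previous.get(c, [])] for c, ids in current.items()}
    return {c: ids for c, ids in delta.items() if ids}

if __name__ == "__main__":
    for component, ids in find_vulnerable(INVENTORY, ADVISORIES).items():
        print(f"{component} {INVENTORY[component]}: {', '.join(ids)}")
```

Running it on the sample data flags the XML parser and the logging library but not the HTTP client, whose pinned 4.0.7 is past the fixed version.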

While there is some level of bolt-on application security positioned toward the end of development lifecycles, this often becomes a scan-and-scold approach leading to costly rework efforts. Unsurprisingly, developers often tell me that “rework is death”. While security practices at all stages of application development are advised, we need to consider introducing automated security practices further left in the application development lifecycle.

The friction of requiring developers to search external vulnerability databases or to wait for manual approvals can be eliminated by integrating security and license information into the tools developers already use today. If developers can identify the most current, most popular, lowest-risk components earlier in the development lifecycle, then maybe, just maybe, software won’t rot as quickly as milk. For more information on how to empower developers to choose better components from the start, read our latest paper, 7 Security Gaps in the Neglected 90% of your Applications.

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.