Data breaches, online banking security and the overall growing threat of cyber attacks concern all organizations, but perhaps none more than the financial services industry. To address these concerns, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) has released guidelines regarding security risk from "third party service and product providers."
FS-ISAC recommends Sonatype for "Policy management and enforcement of open source libraries and components." With Nexus Lifecycle (formerly Component Lifecycle Management), you can:
- Find and remediate security problems early in development using the tools that your developers use every day. No extra work or delays.
- for open source security, license & quality with integration throughout your software development lifecycle.
- to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.
Components are like LEGO building blocks that enable developers to build innovative new financial applications quickly. However, most application security methods focus on the source code that is written and compiled, not components that are downloaded and assembled.
Components comprise 90% of a typical application, and 71% of these applications have at least one critical or severe vulnerability. Shipping components with known vulnerabilities is an easily avoidable risk: identify them before they are assembled into the application, and avoid them.
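To make the "known vulnerabilities" check above concrete, here is an added example that is not Sonatype's code and not part of the original page: a toy software-composition check that parses a constructed component inventory in group:artifact:version form and matches each component against a constructed advisory list with affected version ranges. Every component name, version and advisory identifier in it is made up for illustration, and the version comparison is deliberately simplified (qualifiers such as "-rc1" are ignored) to keep the matching logic visible.

```python
"""Toy software-composition check (added illustration; all names, versions and
advisory identifiers below are constructed, not real projects or advisories)."""
from dataclasses import dataclass
from itertools import takewhile
from typing import Optional


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    group: str
    artifact: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet


def version_key(version: str, width: int = 4) -> tuple:
    """Numeric dotted-version key, zero-padded so '3.1' compares equal to '3.1.0'.
    Simplification: qualifiers such as '-rc1' are dropped, so a pre-release
    compares equal to its final release; a production tool must handle them."""
    parts = [int("".join(takewhile(str.isdigit, piece)) or 0)
             for piece in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the coordinates match and the version lies in [introduced, fixed)."""
    if (component.group, component.artifact) != (advisory.group, advisory.artifact):
        return False
    v = version_key(component.version)
    if v < version_key(advisory.introduced):
        return False
    return advisory.fixed is None or v < version_key(advisory.fixed)


def parse_inventory(text: str) -> list:
    """Parse 'group:artifact:version' lines; blank lines and '#' comments are skipped."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        components.append(Component(group, artifact, version))
    return components


def find_known_vulnerabilities(components, advisories) -> dict:
    """Map each affected component to the list of advisory ids that apply to it."""
    findings = {}
    for component in components:
        hits = [a.advisory_id for a in advisories if is_affected(component, a)]
        if hits:
            findings[component] = hits
    return findings


# Constructed sample inventory (Maven-style coordinates, made-up names).
INVENTORY = """
# group:artifact:version
com.example:json-parser:1.4.2
com.example:http-client:2.0.0
com.example:xml-binding:3.1
org.example:logging-core:0.9.7
"""

# Constructed sample advisories (made-up identifiers and version ranges).
ADVISORIES = [
    Advisory("ADV-0001", "com.example", "json-parser", "1.0.0", "1.4.3"),   # 1.4.2 is affected
    Advisory("ADV-0002", "com.example", "http-client", "1.0.0", "2.0.0"),   # 2.0.0 is the fix
    Advisory("ADV-0003", "com.example", "xml-binding", "3.0", None),        # no fix released
    Advisory("ADV-0004", "org.example", "logging-core", "1.0.0", "1.0.1"),  # 0.9.7 predates it
]


def run_check() -> dict:
    """Run the sample inventory against the sample advisories, keyed by coordinate string."""
    findings = find_known_vulnerabilities(parse_inventory(INVENTORY), ADVISORIES)
    return {f"{c.group}:{c.artifact}:{c.version}": ids for c, ids in findings.items()}


if __name__ == "__main__":
    for coordinate, ids in run_check().items():
        print(f"{coordinate}: {', '.join(ids)}")
```

The point of the exercise is the shape of the check, not the data: an inventory of what was actually downloaded and assembled, an advisory source with explicit introduced/fixed boundaries, and a comparison that treats "fixed" as exclusive so the patched release is not flagged. Re-running the same check against an updated advisory list is what lets you learn that a component you already ship has become risky.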
"The good news is that reusable code has clearly arrived ... the not so good news is that it has vulnerabilities in many of the most commonly used components. Estimates indicate that 46 million downloads in 2012 included insecure components or code with high-risk security vulnerabilities. Once the code is assembled by developers, they often will not scan or test the security of the open source libraries, instead assuming that because it is commonly used it must be secure."
As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."