Continuously Monitor Production Applications: Open Source Development Tip #9


November 27, 2011 By Terry Bernstein

We’ve been publishing a series of tips on managing your use of open source to maximize the benefits and minimize the risks. You can find the earlier posts in the series here and a summary of the entire set of tips here. In today’s post, we continue with a tip on continuously monitoring production applications to learn of newly discovered issues.

9. Continuously monitor your production applications to learn of newly discovered defects

What happens during development if you learn of a critical flaw in an open source component you’re using? Most likely, you would update to the latest version, regression test, and move on.

But what happens once the application has shipped or been put into production?  No one on the development team is likely to give a second thought to the application you just deployed. That’s typically how it works at most organizations. Unfortunately, this may leave you exposed to known security flaws or quality issues.

It’s not like component bugs stop coming up after you ship, right? The open source community doesn’t stand still. Projects are constantly being evaluated and improved. Bugs are discovered and fixed. The majority of improvements won’t affect you at all, but every so often a critical vulnerability is found. Updates are typically released quickly. Applications that pick up the updates will be safe; those that don’t will remain vulnerable to exploitation.

This is more than just a theoretical possibility. In March 2009, the United States Computer Emergency Readiness Team and the National Institute of Standards and Technology (US-CERT/NIST) issued a warning that the Legion of the Bouncy Castle Cryptography API was vulnerable to remote attacks. A new version, free of known vulnerabilities, was issued. Despite this, almost two years later, over 1,600 organizations downloaded the flawed version of the component in a single month.

One way to approach this problem is to create a complete bill of materials for each application prior to release. A team could then regularly review the aggregated component list against newly disclosed issues. Unfortunately, there isn’t a good manual way to keep up with the steady stream of open source updates once the list grows to thousands of components across tens or hundreds of applications. The manual approach just doesn’t scale reliably.
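As an added illustration (not code from the original post or from Sonatype), here is the core of the bill-of-materials review just described: each deployed application’s component list is re-checked against an advisory feed whenever the feed changes, and components shipped at a version older than the fix are flagged. All component names, versions and advisory ids are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # constructed placeholder ids, not real advisories
    component: str
    fixed_in: str     # first version that no longer carries the flaw

def parse_version(v):
    """'1.4.10' -> (1, 4, 10), so it sorts after '1.4.9'; a non-numeric
    segment such as 'beta' counts as 0."""
    parts = []
    for segment in v.split("."):
        digits = re.match(r"\d+", segment)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def find_exposed(bom, advisories):
    """(component, advisory) pairs whose shipped version predates the fix."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv.component, []).append(adv)
    return [(comp, adv) for comp in bom for adv in by_name.get(comp.name, [])
            if parse_version(comp.version) < parse_version(adv.fixed_in)]

def monitor(applications, advisories):
    """Re-check every deployed application's BOM whenever the advisory feed
    changes; returns {app: [(name, version, advisory_id), ...]}."""
    return {app: [(c.name, c.version, a.advisory_id)
                  for c, a in find_exposed(bom, advisories)]
            for app, bom in applications.items()}

# Constructed bills of materials for two deployed applications.
APPLICATIONS = {
    "billing-service": [Component("example-crypto-lib", "1.2.0"),
                        Component("example-http-client", "3.5.1")],
    "customer-portal": [Component("example-http-client", "3.4.9"),
                        Component("example-logging", "2.0.0")],
}
# Constructed advisory feed; ids and component names are placeholders.
ADVISORIES = [Advisory("ADVISORY-EXAMPLE-1", "example-crypto-lib", "1.4.0"),
              Advisory("ADVISORY-EXAMPLE-2", "example-http-client", "3.5.0")]
```

Running `monitor(APPLICATIONS, ADVISORIES)` flags the billing service’s crypto library and the portal’s HTTP client, while the billing service’s already-patched HTTP client passes.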

That’s why we created Sonatype Insight. Insight analyzes and continuously monitors each of your applications, alerting you when critical updates are available. You can learn more about Insight here. To hear more about the Bouncy Castle vulnerability and how Insight could have helped, click here.