When we announced Insight for CI a few weeks ago, our message was simple “Get Proactive about Security with Insight”. A few months ago, when we introduced the Repository Health Check in Nexus Professional, we had a similar message about licensing, “Lead or Be Led to OSS Compliance”. For months we’ve been making the case that the time to worry about application security is now.
Another thing we’ve been saying is that it is our responsibility, as developers, to start paying attention to security vulnerabilities, and if we don’t take responsibility for application-level security, someone else will impose this requirement on us…
…and that’s exactly what’s we’re seeing both in the EU’s reform of Data Protection Laws and as the US Congress responds to the latest data breach at LinkedIn. Now, who knows what sort of regulations we’re going to see in the coming months, but one thing is sure, the fact that lawmakers feel compelled to act is proof that we’re not doing enough as an industry to address security.
The best security is a layered approach: multiple levels of network security, security policies for production resources that limit access to individuals that need it, secure password policies, and application security. Sonatype’s focused on that last item, application security, and our approach focuses on the components you assemble to create your applications. If you develop software today, you understand that much of your work is spent creating applications that sit atop frameworks like Spring and Hibernate. It isn’t enough for your own software and infrastructure to be secure. These days, you need to account for vulnerabilities in your dependencies.
And, again, this isn’t operation’s responsibility. Security is a shared responsibility across both development and operations. This is something that developers need to take ownership of. While we’ll probably never know how sites like LinkedIn, eHarmony, and Last.fm were compromised, there’s a good chance that some of these sites were compromised via known vulnerabilities in outdated components. Components like Tomcat or frameworks like Struts are among the list of artifacts that have known problems.
Don’t get hacked because you didn’t upgrade to the latest version of Tomcat or because you happened to be using some ancient version of Spring with a known vulnerability. If you are consuming artifacts from Central (and if you are a Java developer, you probably are), you need to start using Nexus Professional to keep track of your dependencies. If you are using Hudson or Jenkins, take some time to evaluate Insight for CI.