The tide is turning. OWASP A9 is further recognition that modern applications are constructed primarily of components. In our recent survey of 3,500 developers, managers and architects who use open source, 86% of participants noted that applications built today are at least 80% open source. OWASP A9 highlights the problems that follow from the widespread use of open-source components with known security vulnerabilities in modern application development.
Jeff Williams, CEO of Aspect Security and a long-time member of OWASP puts a fine point on the challenge...
- "The performance, time and cost advantages of agile, open-source development come at a price: you have to ensure the components you use are up-to-date and secure."
- "Unfortunately, it's not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components."
- "The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype's tools make them much easier."
So why should managing and securing components be a priority? Simply put, components have become a rich attack vector because of their pervasive reuse: the same component appears in many applications and organizations, so one known vulnerability lets an attacker propagate the same attack across all of them.
OWASP provides a set of best practice recommendations, including:
- Identify the components and their versions you are using, including all dependencies.
- Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
- Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and using only acceptable licenses.
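The three recommendations above map directly onto a small build-time gate: build an inventory of every resolved component (transitive dependencies included), match that inventory against an advisory feed, and enforce a license policy. The script below is an added example of that gate, not Sonatype's or OWASP's code. The dependency listing, the advisory records (with placeholder identifiers, not real CVEs) and the license table are all constructed sample data; a real pipeline would take the resolved dependency tree from the build tool and query a vulnerability database instead of the inline list.

```python
"""Component inventory, known-vulnerability match and license policy gate.

Added example; not Sonatype's or OWASP's code. All input data below is
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: resolved dependencies, transitives included, in the
# group:artifact:packaging:version:scope form that a Maven dependency listing uses.
RESOLVED_DEPS = """
org.example:web-core:jar:1.2.3:compile
org.example:xml-parser:jar:2.0.1:compile
com.example.util:strings:jar:4.7.0:compile
com.example.util:strings:jar:4.7.0:test
org.example:logging:jar:0.9.5:runtime
"""


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder ids, not real CVE numbers
    group: str
    artifact: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Constructed advisory feed.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "org.example", "xml-parser", "2.0.0", "2.0.4"),
    Advisory("ADV-EXAMPLE-0002", "org.example", "logging", "0.0.0", "1.0.0"),
    Advisory("ADV-EXAMPLE-0003", "org.example", "web-core", "1.3.0", "1.3.2"),
]

# Constructed license metadata and the organisation's approved-license list.
LICENSES = {
    "org.example:web-core": "Apache-2.0",
    "org.example:xml-parser": "Apache-2.0",
    "com.example.util:strings": "MIT",
    "org.example:logging": "GPL-3.0-only",
}
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3); non-numeric parts such as 'SNAPSHOT' sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def inventory(listing: str) -> list:
    """Recommendation 1: identify every component and version, deduplicated across scopes."""
    seen = {}
    for line in listing.strip().splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # not a coordinate line; ignore
        group, artifact, version = parts[0], parts[1], parts[3]
        seen.setdefault((group, artifact, version), Component(group, artifact, version))
    return sorted(seen.values(), key=lambda c: c.coordinate)


def affected(component: Component, adv: Advisory) -> bool:
    """True when the component's version lies in [introduced, fixed)."""
    if (component.group, component.artifact) != (adv.group, adv.artifact):
        return False
    v = parse_version(component.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def known_vulnerabilities(components: list, advisories: list) -> list:
    """Recommendation 2: match the inventory against the advisory feed."""
    return [(c.coordinate, a.advisory_id, a.fixed)
            for c in components for a in advisories if affected(c, a)]


def license_violations(components: list, licenses: dict, approved: set) -> list:
    """Recommendation 3: license policy; a component with no known license also fails."""
    out = []
    for c in components:
        lic = licenses.get(f"{c.group}:{c.artifact}", "UNKNOWN")
        if lic not in approved:
            out.append((c.coordinate, lic))
    return out


def policy_passes(listing: str) -> bool:
    """Build gate: fail on any known vulnerability or unapproved license."""
    comps = inventory(listing)
    return (not known_vulnerabilities(comps, ADVISORIES)
            and not license_violations(comps, LICENSES, APPROVED_LICENSES))


if __name__ == "__main__":
    comps = inventory(RESOLVED_DEPS)
    for coord, adv_id, fixed in known_vulnerabilities(comps, ADVISORIES):
        print(f"VULNERABLE {coord}: {adv_id}, fixed in {fixed}")
    for coord, lic in license_violations(comps, LICENSES, APPROVED_LICENSES):
        print(f"LICENSE {coord}: {lic} is not approved")
    print("policy passes:", policy_passes(RESOLVED_DEPS))
```

The version comparison is deliberately simple (dot-separated integers); real advisory feeds express affected ranges in their own scheme, so the range check is the piece to replace when wiring this to an actual database. The inventory is taken from the resolved listing rather than the declared dependencies precisely because a transitive dependency two levels down carries the same risk as a direct one.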
Sonatype CLM goes beyond these recommendations and is designed to manage the entire component lifecycle. It integrates security, licensing and quality information about components directly into the tools developers already use (repository manager, IDE, build/CI environment), provides early and quick remediation, and continuously monitors your production applications.
For more information on recommended best practices, check out the 7 steps to Good Component Practice section (it's at the end) of the 2013 Sonatype Survey results.
You can also check out the press release announcing OWASP A9.