
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

PostgreSQL Updates to Close Denial-of-Service Hole

The H – (International) PostgreSQL updates to close denial-of-service hole. The developers of PostgreSQL released updates to several versions of their products to address a misdeclared function that could allow a SQL command to crash PostgreSQL, among other issues.

Whitehole Exploit Kit in the Spotlight

Help Net Security – (International) Whitehole exploit kit in the spotlight. A new exploit kit dubbed Whitehole has been seen for sale and in ‘test-release’ mode, and found to use five Java Runtime Environment vulnerabilities along with security evasion methods.

Join Us: Sonatype Speakeasy, San Francisco - Wed, February 27, 2013

Are you planning to go to the RSA conference in San Francisco at the end of February? We'll be in town and it would be great to catch up! We're hosting a party on Wednesday, February 27 between 6PM and 9PM PST; you should come.

Barracuda Moves to Shutter Backdoor Access to its Network Gear

IDG News Service – (International) Barracuda moves to shutter backdoor access to its network gear. Barracuda Networks issued an update to close a vulnerability in its network security appliances that allowed unauthorized access through remote support backdoors.

Which would you choose? Secure Apps or Productive Developers


We just finished a webinar with SANS that was presented by our CSO, Ryan Berg, focused on the hidden risk of components. Ryan engaged us with practical advice based on his years in the security business. Here are the key points that I gathered from his discussion.

  • Components are pervasive - organizations have moved from manual coding to assembling applications with components. Components make up 80-90% of most applications. 8 billion components were downloaded from Central last year.
  • Components introduce risk - although components can provide a huge productivity increase, if you fail to manage them they will introduce security risk (not to mention licensing and quality risk). Attackers are focused on components since they have become pervasive.
  • Most organizations aren't aware of component usage, let alone risk - many organizations have trouble tracking all of their applications, let alone the components used to build those applications. Since they don't know what they have, they have limited visibility into their risk profile.
  • You can't NOT use open source - some organizations naively overreact by attempting to eliminate the use of open source. That is simply not possible given how applications are built today.
  • Security must be designed for agile development - cumbersome security policies that were challenged in a waterfall development process will simply fail in an agile environment. Developers will simply work around the policy if it hinders their progress.
  • Security must be woven into the development process - security must be built into the entire development process - including smart policies that drive appropriate action at different development stages. Integration directly in the development tools is key - including Repository Managers, IDEs, Build and CI environments.
  • The security team must speak the language of the developer - the security team should approach the development team as an equal partner - they can't mandate behavior or simply provide a list of potential vulnerabilities that need to be fixed.
Ryan concluded the presentation by talking about placing a hungry and thirsty donkey equidistant from a source of water and food - the donkey, not being able to make a decision, both starves and dies of thirst. Ryan used it to illustrate the dilemma between patching and replacing flawed software components. I think it also illustrates the fact that you don't have to pick between secure applications & developer productivity. It doesn't have to be either/or - if you take a best practices approach that aligns all of the constituents, you can manage components and application security effectively.

Join the conversation on Twitter using the #CSORisk hashtag.

View the webcast recording here.

Open Source - It's not just about Linux, Apache HTTP & MySQL

Although the hype of open source has been eclipsed by the cloud, mobile and big data, you could argue that open source remains the biggest productivity driver for IT. If you ask most people what technologies they think about when it comes to open source, they'll probably mention Linux, or the Apache HTTP Server. Or if they are thinking data, they'll mention MySQL, or big data technologies like Hadoop. There are entire stacks of open source infrastructure technologies like LAMP, and vendors like Red Hat, Cloudera, and Zend have stepped in to help organizations manage open source infrastructure.

Hacker Gains Access to Foxconn Databases, Just Wants to Prove Lack of Security

Softpedia – (International) Hacker gains access to Foxconn databases, just wants to prove lack of security. The hacker known as D35m0nd142 exploited a blind SQL injection vulnerability on a site belonging to manufacturer Foxconn, and brought the vulnerability to the company’s attention.

"Lucky Thirteen" Attack Snarfs Cookies Protected by SSL Encryption

Ars Technica – (International) “Lucky Thirteen” attack snarfs cookies protected by SSL encryption. Researchers have come up with a method to compromise Secure Sockets Layer (SSL), Transport Layer Security (TLS), and other common encryption protocols.

Android Malware Carries Windows Snooping App

The H – (International) Android malware carries Windows snooping app. Kaspersky has found malware being distributed through the Google Play store that loads malware onto PCs once an infected Android device is plugged into a PC running Windows.

Google Blocks High Profile Sites After Advertising Provider NetSeer is Hacked

Threatpost – (International) Google blocks high profile sites after advertising provider NetSeer is hacked. Advertising network NetSeer’s corporate Web site was injected with malware, causing Google Chrome users to see malware warnings while trying to visit sites with ads served by NetSeer.

Oracle Releases Java Patch Update

ComputerWorld – (International) Oracle releases Java patch update. Oracle released an ahead-of-schedule patch for Java SE to close 50 vulnerabilities, some of them critical.