<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

Do You View Your AppSec Tools as an Inhibitor to Innovation or a Safety Measure?

DevOps is all about making better software faster.  It also requires making it more safely while compressing the time between ideation to realisation. I hear IT organisations tell me time and time again of their ambitions to be the innovation power-house for their business - so it’s great news that most of the survey respondents (more than 80% in fact) didn’t see their AppSec tools as an inhibitor to innovation but rather, a safety measure.

DevSecOps: Eat Carrots, Not Cupcakes

You Are What You Eat.  

When it comes to food, we all know what’s considered “good” and what’s “bad”.

DevSecOps: A More Deterministic Approach

Is security an inhibitor to DevOps agility?

To answer this question we would need to take a quick look at differences between DevOps, QA and Security when it comes to automation issues.

DevSecOps: In Time for Security

Changing Mindsets.

Historically developers have prioritized functional requirements over security when building software.  While secure coding practices important, they have often fallen into secondary or tertiary requirements for teams building applications against a deadline.

DevSecOps: Slaying the Myths of Container Security

Containers are clearly appealing for companies and development teams who want to deliver and iterate on their software faster and efficiently. This is achieved through more consistent, simple and repeatable deployments, rapid rollback, and simpler ways of orchestrating and scaling distributed applications.

DevSecOps: Integrating Automated Security Controls

DevSecOps: Embracing Automation While Letting Go of Tradition

While I am all for traditions like Thanksgiving turkey and Sunday afternoon football, holding onto traditions in your professional life can be career limiting. The awesome thing about careers in technology is that you constantly have to be on your front foot.  Because when you’re not, someone, somewhere, will be and when you meet them, they’ll win.

Sonatype on Federal News Radio

Listen to Matt Howard, Executive Vice President and Chief Marketing Officer at Sonatype, on Federal News Radio as he discusses the demand for quality open source components. 

Listen Now

Apache Struts Vulnerability: Live Updates

 

Update: 2:33 pm EST, 16 March 2017 - Struts2 Exploits in Japan

 
More Struts2 breaches in the wild.  This time in Japan (links go to Japanese sites):
 
  • Japan Post breach using Apache Struts2 vulnerability leads to 29,000 account leaks: http://exci.to/2mqMAwU 
  • Struts2 exploit of Okinawa electric power site leads to unauthorized access, email addresses outflow of about 6,500 accounts http://dlvr.it/Ndv4XY
Yesterday, it was the Canadian Revenue Agency and Statistics Canada site:
 
According to several news reports, the government of Canada took multiple sites down on March 9 including Statistics Canada as well as the Canada Revenue Agency (CRA) websites, with service not restored until March 12.
 
 

Update: 11:00am EST, 16 March 2017 - Podcast interview

Listen to Brian Fox and Shannon Lietz talk about the struts 2 vulnerabiy announcement, how you can determine if you're affected, and what you can do about it.

 

Update: 9:00am EST, 13 March 2017 - Video explaining exploits and remediation

 

Update:  3:00pm EST, 10 March 2017 - Speed Matters

When it comes to 0-day vulnerabilitities, speed matters.  Sonatype's research team curates our data and publishes information on the vulnerability, known exploits, and remediation paths as quickly as possible.

As of 3:00pm EST, the National Vulnerability Database indicates a pending CVE, but details have not yet been updated.  

Setting up a Docker Private Registry with Authentication Using Nexus and Nginx

This article shows how you can set up a Docker Private Registry with authentication and SSL using Nexus Repository OSS.

Nexus Repository OSS is a universal repository manager with support for all major package formats and types. It’s a free solution for storing and sharing Docker images and other components like NuGet or NPM packages across the deployment pipeline while keeping your proprietary and third-party images private and secure.

Setting up a Secure, Private Nexus Repository

What an exciting first post, I’m sure. But it’s what I’m working on, I suppose.

A few things, first:

  • We’re using an LDAP server to identify team members.
  • LDAP and Nexus are on different domains (though, possibly, the same machine).
  • I’m not a system admin, so this is likely going to be painful.

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the Mitre database as of Friday, March 10th:

Set up your own Continuous Delivery Stack

Last week I wanted to try new things with ‘pipeline as code’ with Jenkins. The best way to try new things is running it as Docker containers. This way I can keep my MacBook clean and don’t mess up existing stuff I am working on (also see this article about what Docker can offer for a developer). Another big advantage by using Docker is that there is already a complete stack of Dockers available to set up the necessary tools. However, for some unclear reason this stack didn’t work on my MacBook (see this issue) so I took this opportunity to build my own stack with some Dockers of my own choice :-).
The tools in my stack are:

When it Comes to Application Security, “Doing Your Homework”​ Matters

They say software is eating the world, very true, but it has become even more clear that OSS components are eating the software world. This amazing revolution is driving unimagined gains in innovation and efficiency in our ability to deliver software. Think Uber, here is a new leader in the transportation industry without owning a single vehicle. Every major Enterprise and even most medium and small companies are software producers – and free and open software components are driving this dramatic shift in our world.

Improving Build Time of Java Builds on OpenShift

Improving Build Time of Java Builds on OpenShift

Since we released OpenShift 3 back in July 2015, one of the most common questions I get from developers is how to get better build time for Java based builds. In this post, I will guide you through the process of speeding up Java Maven based builds, and will explain other options that can be taken to the ones that I’ll be showing.

DevSecOps is Suddenly Strategic for Everyone in Software:  Here's Why

Software innovation is the core of every company's digital transformation; the strategic weapon by which modern organizations compete and win on a global playing field.  This is why executives and shareholders at every company, in every industry, are placing intense pressure upon IT teams to accelerate innovation.  

This insatiable demand for innovation has created a perfect storm which is wreaking havoc on many IT organizations around the world.   To counter the effects of this storm, forward leaning organizations have embraced DevOps as the preferred methodology for manufacturing quality software at scale and continuously delivering innovation.

Organizations everywhere are now transforming their development from waterfall-native to DevOps-native tools and processes.  Along the way, they are coming to grips with one simple fact:  DevOps is not an excuse to do application security poorly; rather it is an opportunity to do application security better than ever.

This realization is the reason why DevSecOps in suddenly strategic for anyone and everyone in software.

AppSec EU 2017 Belfast – What to Expect

In mid-May I’ll be joining the organizing team of AppSec EU 2017 in Belfast for a week of security and DevOps sessions. Listen in as Gary Robinson, Michelle Simpson and Owen Pendlebury talk about what’s planned for the week.

Using Nexus 3 as Your Repository – Part 3: Docker Images

This is the third and last part of a series of posts on Nexus 3 and how to use it as repository for several technologies. (Part 1. Part 2.)

Culture Hacking at RSAC 2017 with Shannon Lietz

On Monday, February 13, Shannon Lietz gave a quick, 20 minute overview of her investigations and implementation of Culture Hacking at Intuit. Below is the extended version of that presentation, including audio and the slide deck. Shannon will continue this discussion at her keynote presentation during AppSec EU 2017 in Belfast.
 

 

CI/CD with OpenShift

Using Nexus 3 as Your Repository – Part 2: npm Packages

This is the second part of a series of posts on Nexus 3 and how to use it as repository for several technologies. Also available is “Part 1, Maven Artifacts” by Rafael Eyng.