DJ Schleen, on March 21, 2017
Tyler Shields, on March 21, 2017
While I am all for traditions like Thanksgiving turkey and Sunday afternoon football, holding onto traditions in your professional life can be career limiting. The awesome thing about careers in technology is that you constantly have to be on your front foot. Because when you’re not, someone, somewhere, will be and when you meet them, they’ll win.
Listen to Matt Howard, Executive Vice President and Chief Marketing Officer at Sonatype, on Federal News Radio as he discusses the demand for quality open source components.
Update: 2:33 pm EST, 16 March 2017 - Struts2 Exploits in Japan
Update: 11:00am EST, 16 March 2017 - Podcast interview
Listen to Brian Fox and Shannon Lietz talk about the Struts 2 vulnerability announcement, how you can determine if you're affected, and what you can do about it.
Update: 9:00am EST, 13 March 2017 - Video explaining exploits and remediation
Update: 3:00pm EST, 10 March 2017 - Speed Matters
When it comes to 0-day vulnerabilities, speed matters. Sonatype's research team curates our data and publishes information on the vulnerability, known exploits, and remediation paths as quickly as possible.
As of 3:00pm EST, the National Vulnerability Database indicates a pending CVE, but details have not yet been updated.
Stefan Prodan, on March 15, 2017
This article shows how you can set up a Docker Private Registry with authentication and SSL using Nexus Repository OSS.
Nexus Repository OSS is a universal repository manager with support for all major package formats and types. It’s a free solution for storing and sharing Docker images and other components like NuGet or NPM packages across the deployment pipeline while keeping your proprietary and third-party images private and secure.
What an exciting first post, I’m sure. But it’s what I’m working on, I suppose.
A few things, first:
Brian Fox, on March 10, 2017
This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure. As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.
Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.
In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.
It's now been 3 days since the Struts2 fix and disclosure. Here's the official description available from the Mitre database as of Friday, March 10th: