Category Archives: Insight

The Cloud is Running toward BSD-style Licenses, are you?


September 24, 2012 By Tim O'Brien

The New York Times had a great article this weekend that explored some of the disconnect in the industry. In “Power, Pollution and the Internet”, James Glanz writes: “[the] foundation of the information industry is sharply at odds with its image of sleek efficiency and environmental friendliness.” This article is interesting in that it calls out the industry for creating an unsustainable power drain that is based on some awful environmental choices. From the article: “Of all the things the Internet was expected to become, it is safe to say that a seed for the proliferation of backup diesel generators was not one of them.”

This piece made me stop and think about trends over the last decade. While the New York Times is focused on the environmental cost, I’m more interested in how this shift to Infrastructure-as-a-Service and deployment on cloud-based infrastructure is affecting open source licenses. The trend might not be readily apparent if you don’t know what to pay attention to. Here’s an attempt at making sense of licensing trends…


Remember when Hackers Ignored Java? Those days are over… FBI Hacked via AtomicReferenceArray


September 4, 2012 By Tim O'Brien

Earlier this year, I wrote a piece about how it was only a matter of time until Java became a popular vector for attacks. The response to that particular article was a lot of fun for me. Let’s just say a number of high-profile, open source Java folks jumped up and down and shouted FUD. My conclusion: just talking about security to developers earns an almost immediate negative reaction. They don’t want to think about it.

I guess this makes sense. Developers generally don’t want to have to deal with security, and me bringing up the fact that many of the systems you are working on may be vulnerable to attack isn’t something you want to think about. I understand, you have enough to worry about: looming deadlines, that junior programmer you just hired who isn’t pulling his weight, a continuing fight with operations over who “owns” the deployment process. Work is hard, there are certainly not enough hours in the day, and if you can ignore security, why not? I mean, it’s Java. Who’s going to attack Java?

AntiSec, that’s who. They aren’t just going to compromise your machines because you failed to update Java, they are going to grab your data, parade it around the world for all to see, and then make a few political statements at your expense. And, I’ll bet the FBI wishes that they had installed this February 2012 security patch from Oracle. If they had done so, they’d probably be having a much better day today.

“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name of “NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.”

This is from the AntiSEC statement regarding this breach (inappropriate language).

So what do you think is happening to the person responsible for security right now? Do you think he’s able to say, “You didn’t tell me that security was a priority,” or “It wasn’t my responsibility to check for JVM updates from Oracle”? No, he’s likely being replaced; if not immediately, then his management team is leading him on until they can identify someone who isn’t going to generate a front-page security failure.

What’s next? Well, the JVM is now front-and-center as far as security vulnerabilities go these days. Just last week you were all asked to turn off Java 7 until a suitable patch was issued (which is a ridiculous request, BTW; that’s like asking us to stop working for a few days). I predict that as Java continues to develop as an attack vector, libraries will be the next fun vulnerability. I know many of you don’t want to hear this, but it’s true. Your web frameworks are next. Prepare yourself with Sonatype Insight, or start coming up with excuses for when your systems are the reason for a front-page security fail.

Join Us: Sonatype & Chariot Solutions Philadelphia Breakfast Meetup Tuesday, September 25, 2012


August 27, 2012 By Emily Blades

Philadelphia Breakfast Meetup: Tuesday, September 25, 2012

Futures: Extending Your Apache Maven-Based Infrastructure

Jason van Zyl, Sonatype CTO and creator of Maven, will be teaming up with Joel Confino, a Senior Consultant at Chariot Solutions, to offer actionable advice for setting up best-in-class software development processes that make extensive use of third-party components (like the Spring framework).

Join us in Philadelphia on Tuesday, September 25 from 8:30am to 10:30am EDT for the Breakfast Meetup and see first-hand how you can dramatically reduce risk and improve software quality using Apache Maven or another build tool, along with Nexus, Hudson or Jenkins.

Space is limited. We’ve booked a space at The Hub Cira Centre (2929 Arch Street), and it can only accommodate 30 guests. If you are in the Philadelphia area and are interested in making your build process rock solid, please register, and our events coordinator Emily Blades will save you a space and send you more details.


Dogfooding Sonatype Insight: We found Vulnerabilities in Nexus


August 13, 2012 By Tim O'Brien

“Dogfooding” is such a strange word, and I’m using it as a substitute for “eating your own dog food”. As we do have a global audience, I worry that the term is somewhat provincial (and maybe a bit strange out of context). So here’s the explanation of this idiom on Wikipedia.

Sonatype is “recursive”. We’re a group of developers, creating tools for developers, getting feedback from developers. Logically, we tend to use everything we make. We’re the first customer. We deploy early development releases of Nexus Professional to our own Nexus Professional instance, we use repository.sonatype.org as a test case as the release approaches, and every feature we send out to our customers has been audited and tested internally. By the time you download our software, we’ve already been using it, often for weeks or months, and we also make heavy use of Sonatype Insight to identify licensing and security risks.

Now, this blog post is a bit risky. I’m about to tell you about the security issues that the Engineering team discovered in Nexus when we ran Nexus through our Insight scanner during the Nexus 2.1 release. By doing this, I’m exposing people that haven’t updated Nexus to 2.1 to some risk. At the same time, I’ve given everyone ample notice to upgrade (I even made a video imploring people to upgrade), and I’m a big believer in transparency. If we know something related to security, you should know it as well after we’ve given people enough time to upgrade.


Why Insight App Health Check is so Important: Java Flaws Increasingly Targeted By Attackers


July 25, 2012 By The Vigilant Application Owner

Check out this news story that broke earlier in the week: Java flaws are “increasingly targeted by attackers”. This story was filed by IDG News Service from the Black Hat USA 2012 conference, and it points at a trend we’ve also noticed. The world is waking up to the fact that Java is an attractive target. Java applications run the world’s largest organizations (from banks to governments). Where there is Java, there is usually a system worth hacking into. Security professionals are taking note.

During our initial testing of Insight Application Health Check we found that real-world applications at large enterprises contained an average of 32 publicly known security vulnerabilities. Some of these security vulnerabilities were 3s and 4s on the 10-point CVSS scale, but many were 9s and 10s. These are bugs that are easily exploitable over the network and can be used to take ownership of applications and data.

So, think about it. If you develop Java applications, you’ve been relatively isolated from security concerns for years. Java has never been the top attack vector of hackers, and, because of this, developers have never really had to think about scanning artifacts for security issues. It looks like this is changing, and if you want to do something about it, it’s easy. Just run a free summary scan of your application with Insight App Health Check.

Here’s the IDG story, enjoy:

IDG News Service – (International) Java flaws increasingly targeted by attackers, researchers say. Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle does not do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference. Several years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader. However, many current Web exploit toolkits rely heavily on Java exploits, said a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research division.

Source: http://www.computerworld.com/s/article/9229641/Java_flaws_increasingly_targeted_by_attackers_researchers_say