Category Archives: News

Application Security, Not so Black & White


May 8, 2013 By Ryan Berg

I’m glad to see Simon Phipps, independent open source consultant and a director of the Open Source Initiative, promoting the need to manage components effectively. In his recent InfoWorld article he notes:

“Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers.” 

Simon references our recent survey of 3500 developers, managers and architects that use open source software and our findings about the prevalence of OSS components. Things like:

  • Applications are made up of at least 80% components
  • The vast majority of organizations have no control over the components they use
  • Developers don’t focus much on security

His quote sums up the fact that applications are the predominant threat vector, and with the recent data showing that today’s applications consist primarily of components, it should be no surprise that components are a significant threat. Why? It comes down to economy of scale. If an attacker can exploit a single component, and that component is used in hundreds or thousands of independent applications, one working exploit reaches every one of them: check and mate.

In another InfoWorld article, Simon addresses Oracle’s approach to Java, arguing that “Oracle’s closed approach keeps Java at risk”. I’m drawn to his comparison of whether proprietary or open source software (in this case Java) poses the greater risk. This type of editorial has been going on for years, debating the merits of the “many eyes” theory. He also argues that technical debt is a more significant issue in proprietary systems than in open source ones. While I understand his position (though I don’t agree with it), I think there is a bigger problem here. Since applications are constructed from components sourced from many locations, organizations need to treat software security using supply chain principles. Components of all types need to be managed: internally developed components, open source components, shrink-wrap (COTS) software, cloud services, you name it.

The issues coming to light with Java may vary in technical detail, but their impact is similar to the pervasive problems once found in Windows ActiveX controls, Adobe PDF files, and other widely deployed technologies. For those of you old enough to remember, think about the rampant issues found in UNIX’s open source Sendmail program. The point is that this is not an open source vs. closed source debate; it is an application security problem that is rampant across all communities.

Personally I am glad that Oracle is stepping up to the plate and addressing these issues head on, but let’s not fault the fact that not all Java is open source. And let’s not lead people to believe that making a project open source automatically improves its security. While there are lots of security stars in the open source community, there are plenty of black holes too. As a security community, we need to promote better security practices across all development efforts and avoid generalizations that marginalize any one approach.

OWASP Recognizes Component Security


May 1, 2013 By Mark Troester

The tide is turning. OWASP A9, “Using Components with Known Vulnerabilities”, is further recognition that modern applications are constructed primarily of components. In our recent survey of 3500 developers, managers and architects who use open source, 86% of participants said that the applications they build today are at least 80% open source. OWASP A9 highlights the risk of building applications on open-source components with known security vulnerabilities.

Jeff Williams, CEO of Aspect Security and a founding member of OWASP, puts a fine point on the challenge:

  • “The performance, time and cost advantages of agile, open-source development come at a price – you have to ensure the components you use are up-to-date and secure.”
  • “Unfortunately, it’s not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components.”
  • “The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”

So why should managing and securing components be a priority? Simply put, components have become a rich attack vector because of their pervasive reuse: the same reuse that makes development fast also lets an attacker propagate a single exploit across multiple applications and organizations.

OWASP provides a set of best practice recommendations, including:

  1. Identify the components and versions you are using, including all dependencies (transitive ones included).
  2. Monitor the security of these components in public vulnerability databases, project mailing lists, and security mailing lists, and keep them up-to-date.
  3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
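Steps 1 and 2 above are mechanical enough to script. The following is an added example, not code from the original post or from Sonatype’s CLM: it parses the output format of `mvn dependency:list` into an inventory of coordinates (transitive dependencies and classifier variants included), then matches each one against advisory records that carry an affected version range. The dependency list, the `com.example` coordinates, the `ADV-EXAMPLE-*` labels and their version ranges are all constructed placeholders and describe no real vulnerability; in practice the list comes from your build and the advisories from a public vulnerability database.

```python
"""Match a Maven dependency list against advisory records (OWASP A9, steps 1 and 2).

Added example; not code from the original post or from Sonatype CLM. The
dependency list, the advisory records and their version ranges are all
constructed placeholders (com.example coordinates, ADV-EXAMPLE-* labels):
none of them describes a real vulnerability.
"""
import re
from dataclasses import dataclass
from typing import List

# One resolved artifact per line: group:artifact:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[^:\s]+)\s*$"
)

@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str
    classifier: str = ""

@dataclass(frozen=True)
class Advisory:
    ref: str          # placeholder label, not a real advisory identifier
    group: str
    artifact: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix yet

def version_key(version: str) -> tuple:
    """Sortable key for Maven-style versions: the dotted numeric part,
    padded so 1.2 == 1.2.0, then the release (1.3) ranked above any
    qualified build of the same number (1.3-SNAPSHOT, 1.3-beta)."""
    main, _, qualifier = version.partition("-")
    numbers = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    numbers += (0,) * (4 - len(numbers))
    return (numbers, 0 if qualifier else 1, qualifier)

def inventory(dependency_list: str) -> List[Dependency]:
    """Step 1: every resolved artifact, transitive ones included."""
    deps = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append(Dependency(m["group"], m["artifact"], m["version"],
                                   m["scope"], m["classifier"] or ""))
    return deps

def is_affected(adv: Advisory, version: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return not (adv.fixed and v >= version_key(adv.fixed))

def scan(dependency_list: str, advisories: List[Advisory]) -> List[tuple]:
    """Step 2: match the inventory against the advisories; returns
    (dependency, advisory) pairs, so one dependency can appear twice."""
    return [(dep, adv)
            for dep in inventory(dependency_list)
            for adv in advisories
            if (adv.group, adv.artifact) == (dep.group, dep.artifact)
            and is_affected(adv, dep.version)]

def report(findings: List[tuple]) -> List[str]:
    """One line per finding: what is affected and what to do about it."""
    lines = []
    for dep, adv in findings:
        action = f"upgrade to {adv.fixed}" if adv.fixed else "no fixed release: replace or mitigate"
        lines.append(f"{dep.group}:{dep.artifact}:{dep.version} ({dep.scope}) {adv.ref}: {action}")
    return lines

# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.example:web-core:jar:2.3.1:compile
[INFO]    com.example:upload-kit:jar:1.3:compile
[INFO]    com.example:legacy-parser:jar:1.9.0-SNAPSHOT:runtime
[INFO]    com.example:util:jar:sources:3.0:compile
[INFO]    com.example:testkit:jar:4.11:test
"""

# Constructed placeholder advisories (not real vulnerabilities).
SAMPLE_ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "com.example", "upload-kit", "1.0", "1.3"),
    Advisory("ADV-EXAMPLE-2", "com.example", "web-core", "2.0", "2.4.2"),
    Advisory("ADV-EXAMPLE-3", "com.example", "legacy-parser", "0.1", ""),
]

if __name__ == "__main__":
    for line in report(scan(SAMPLE_DEPENDENCY_LIST, SAMPLE_ADVISORIES)):
        print(line)
```

Two details matter more than they look. The range check is half-open, so `upload-kit:1.3` (the first fixed release) is correctly not flagged while `web-core:2.3.1` is; and `legacy-parser` carries no fixed version, which is the case that an upgrade-only process never resolves and that a component policy (step 3) has to cover explicitly.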

Sonatype CLM goes beyond these recommendations: it is designed to manage the entire component lifecycle. CLM integrates security, licensing and quality information about components directly into the tools developers already use (repository manager, IDE, build/CI environment), provides early and quick remediation, and continuously monitors your production applications.

For more information on recommended best practices, check out the 7 steps to Good Component Practice section (it’s at the end) of the 2013 Sonatype Survey results.

You can also check out the press release announcing OWASP A9.  

Sonatype announces results from OSS Survey


April 29, 2013 By Mark Troester

Once again, you’ve helped us make this year’s annual survey the largest of its kind: 3500 of you participated in the latest survey of developers using open source. Your responses give an accurate picture of how open source software is actually used:

  • An overwhelming 86 percent of you stated that your applications are at least 80 percent open source with the remaining 20 percent custom components and code.

Organizations are reacting to this trend by providing development infrastructure that is designed to leverage open source components and frameworks (e.g., Maven, Hudson/Jenkins, Eclipse, Git, Nexus, etc.):

  • 53% noted that they are standardizing on an open source development infrastructure stack.

But given the explosive growth in component usage (8 billion downloads from the Sonatype Central Repository in 2012, an 800% increase in activity since its inception), it comes as no surprise that organizations are struggling to keep up:

  • 76% of large organizations have no control over what components are being used in software development projects
  • 65% don’t maintain an inventory of components used in production applications.

And since development is under extreme pressure to deliver applications fast while budgets are being cut, it’s also not surprising to see security taking a back seat:

  • More than half of large organizations shared that developers don’t focus on security at all.

The good news is that Nexus users have a natural path to address these shortcomings, a strategy we call Component Lifecycle Management. We will soon launch a community around Good Component Practice.

But let’s get back to the survey.


The survey results are also available in PDF format here.

Let us know what you think about the results. What did you find surprising? What actions will you take?

And check back with us to continue the dialogue and to learn more about best practice approaches for managing your components.

Now Available: SSL Connectivity to Central


October 25, 2012 By Brian Fox

We know how components from the Central Repository have become critical to your development efforts. We also know that you need to trust those components. Part of that trust is knowing that attackers cannot see which components you download, and cannot tamper with them in transit through a man-in-the-middle or Cross Build Injection (XBI) attack.

We’re making SSL connectivity to Central available to anyone who downloads open source components, regardless of repository manager. Given the tremendous growth of Central, and the fact that modern applications are largely built from OSS components, this capability is likely to be used by many organizations. SSL has become the standard mechanism for protecting web traffic across the spectrum of e-commerce, banking, health care, and so on. SSL support for Central means that a component can no longer be substituted or altered by a man-in-the-middle while it is on the wire to you. It also removes the opportunity for an eavesdropper to learn about your organization by tracking the components you download for your development initiatives. Keep in mind what SSL does and does not cover: it protects the transport, not the content, so it says nothing about whether a component was already flawed when it was published. It complements, rather than replaces, verifying the checksums and signatures published alongside components and checking them for known vulnerabilities.
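Moving Central onto SSL only helps if the build actually fetches over it, and in Maven that is decided by the repository and mirror URLs in settings.xml and pom.xml, not by the server. The following is an added example, not code from the original post or from Nexus: it walks a Maven configuration document, collects every `<mirror>`, `<repository>`, `<pluginRepository>` and `<snapshotRepository>` URL, and reports the ones that still use a scheme with no transport protection, with the weak settings beside the corrected ones. The two settings documents are constructed samples and every hostname in them is a placeholder.

```python
"""Find Maven repository endpoints that are still fetched over plain HTTP.

Added example; not code from the original post or from Nexus. Every
<mirror>, <repository>, <pluginRepository> and <snapshotRepository> in a
settings.xml or pom.xml carries a <url>; any of them on plain HTTP is a
download a man-in-the-middle could tamper with. The two settings documents
below are constructed samples with placeholder hostnames.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

ENDPOINT_ELEMENTS = {"mirror", "repository", "pluginRepository", "snapshotRepository"}
SAFE_SCHEMES = {"https", "file"}   # file:// is a local directory, not a network fetch

def local_name(tag: str) -> str:
    """Strip the XML namespace Maven puts on every element."""
    return tag.rsplit("}", 1)[-1]

def find_endpoints(xml_text: str) -> List[Tuple[str, str, str]]:
    """(element kind, id, url) for every repository-like element, in document order."""
    endpoints = []
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) not in ENDPOINT_ELEMENTS:
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in element}
        if fields.get("url"):
            endpoints.append((local_name(element.tag), fields.get("id", ""), fields["url"]))
    return endpoints

def insecure_endpoints(xml_text: str) -> List[Tuple[str, str, str]]:
    """Endpoints whose URL scheme gives no transport protection."""
    return [e for e in find_endpoints(xml_text)
            if urlsplit(e[2]).scheme.lower() not in SAFE_SCHEMES]

# Constructed sample: a mirror of Central on plain HTTP. Maven's built-in
# "central" repository is defined in the super POM, not in these files, so
# the <mirror> entry is the only place this audit can see how Central
# traffic actually leaves the build.
WEAK_SETTINGS = """\
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>corp-central</id>
      <mirrorOf>central</mirrorOf>
      <url>http://nexus.example.internal/content/groups/public</url>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>extras</id>
      <repositories>
        <repository>
          <id>partner</id>
          <url>https://repo.partner.example/maven2</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>legacy-plugins</id>
          <url>http://plugins.example.internal/maven2</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
"""

# The corrected form: same layout, every network endpoint on https.
HARDENED_SETTINGS = WEAK_SETTINGS.replace("<url>http://", "<url>https://")

if __name__ == "__main__":
    for kind, ident, url in insecure_endpoints(WEAK_SETTINGS):
        print(f"{kind} '{ident}' fetches over {urlsplit(url).scheme}: {url}")
    print("hardened settings:", insecure_endpoints(HARDENED_SETTINGS) or "clean")
```

The `mirrorOf` entry is the one to check first: a mirror of `central` on plain HTTP silently downgrades every Central download, however the upstream is configured. Pointing that mirror at a repository manager over https, and letting the manager talk to Central over SSL as the post describes for Nexus, is the layout that keeps the whole path protected.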

As of Nexus Pro 2.2 (available now), SSL is the default connectivity option for Nexus Pro users. Because we take the security of the ecosystem seriously, we aren’t stopping there: we’re making SSL connectivity to Central available to you even if you aren’t using Nexus Pro.

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by making a $10 donation, which will be passed on to open source causes. For the first 60 days all donations will go to the Apache Software Foundation; after that they will go to other open source foundations such as Eclipse. Sonatype will make the donation on behalf of Nexus Pro customers, since SSL access is included for all Pro customers automatically.

If you are using Nexus OSS (any version), support for the SSL token is already included. I’ve reached out to the Artifactory and Archiva teams, and they are working on the changes necessary to enable SSL to Central; we’ll let you know when that support is available. If you’re not using a repository manager at all, what are you waiting for?

If you are an existing Nexus Pro customer, you can download the latest release from the support page.

If you would like to make a donation to the open source community and get SSL access, you may do so here.

Is your phone possessed? Or is it Android Malware?


April 18, 2012 By Tim O'Brien

Hackers aren’t content to infect your laptop; they want your phone too. There’s an article over on SecurityNewsDaily about some new Android malware that can take over your phone. Here’s the fun quote:

“The new Android malware disguises itself in fully functional copies of apps, including “Angry Birds Space,” and hides its malicious payload in the string of code at the end of an otherwise genuine JPEG file, Lookout said. This rogue code exploits the GingerBreak vulnerability, a flaw that enables it to gain control of the phone and trick the victim into purchasing apps from illegitimate app stores.”

It looks like Android developers need to start paying more attention to security in general, now that Android has exceeded 50% market share in the US. While this vulnerability isn’t something that is directly addressable with Insight at the moment, it reminds us that we need to focus more on mobile. Since Android development is Java-based, you can benefit immediately by downloading Nexus Professional 2.0 today and making sure that all of your application dependencies are free of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.