Category Archives: News

Know the enemy: Havij Automated SQL Injection


April 17, 2012 By Tim O'Brien

SQL injection really bugs me. It is almost always the application developer’s fault. If a site’s registration form breaks on an apostrophe (maybe your last name is Irish), that apostrophe is most likely terminating a string literal inside a SQL statement that was built by concatenating your input, and it’s often a sign that you’ll be able to send some SQL of your own along with that last name.

Penetration testers use a tool like Havij, “An Advanced SQL Injection Tool”. It’s a nice, friendly GUI designed to make it easy to “own” an application: point, click, and compromise. Even though the project itself has nothing to do with evil, cybercriminals are having a love affair with Havij.

My advice: download this tool and get to know it, but point it only at applications you own or are authorized to test. Start your own love affair with Havij before the bad guys start throwing errant quotes into your form fields. And don’t assume that enterprise languages like Java or .NET are immune: SQL injection is a property of how the application assembles its queries, not of the language. To avoid these attacks, here’s some quick advice:

  • Never trust input that arrives in an HTTP parameter (or header, or cookie), and never splice it into a SQL string. Pass it as a bound parameter instead: a JDBC PreparedStatement with ? placeholders, or a parameterised command in ADO.NET. A bound value is never parsed as SQL, whatever quotes it contains.
  • Use a web framework like Tapestry, GWT, or Struts, and make sure that all user input passes through its input-processing and validation mechanism. Validation narrows what reaches the database, but the framework does not build your SQL for you; it is a layer in front of parameterised queries, not a replacement for them.
  • Use a good ORM or persistence library like iBatis or Hibernate. These bind parameters for you by default, which keeps user input out of the SQL text; that protection is lost the moment you assemble an HQL, JPQL or native query by string concatenation.
  • Use Nexus 2.0 Repository Health Check to make sure that your web frameworks and persistence frameworks are up to date and not sitting on a version with a known vulnerability.
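The registration-form bug described above, as an added example that is not code from the original post. It uses Python’s sqlite3 module rather than the Java/.NET stacks the post mentions; the contrast is the same there, where the fix is a JDBC PreparedStatement or a parameterised ADO.NET command instead of a concatenated string. The table, rows and probe payload are constructed for the example.

```python
"""Added example, not code from the original post: the registration-form
bug the post describes, reproduced with Python's sqlite3 module.

Table layout, rows and the probe payload are constructed for the example."""
import sqlite3

# Constructed sample user table; the second user has an Irish last name.
USERS = [("alice", "Alice Smith", "user"), ("bob", "Bob O'Brien", "admin")]

# A typical Havij-style probe: close the string, then OR in a true condition.
PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, fullname TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def find_by_last_name_unsafe(conn: sqlite3.Connection, last_name: str) -> list:
    """The vulnerable pattern: the HTTP parameter is pasted into the SQL text,
    so an apostrophe in the value terminates the string literal."""
    sql = "SELECT username FROM users WHERE fullname LIKE '%" + last_name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_by_last_name_safe(conn: sqlite3.Connection, last_name: str) -> list:
    """The fix: the value is bound to a placeholder and is never parsed as SQL,
    so O'Brien and the injection payload are both just search patterns."""
    sql = "SELECT username FROM users WHERE fullname LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + last_name,)))


def probe(conn: sqlite3.Connection, lookup, value: str):
    """Run a lookup and return its rows, or 'SQL error' when the statement
    failed to parse. That error (or the error page it produces) is exactly
    the signal an attacker, or Havij, is looking for."""
    try:
        return lookup(conn, value)
    except sqlite3.Error:
        return "SQL error"


if __name__ == "__main__":
    db = make_db()
    for name in ("Smith", "O'Brien", PAYLOAD):
        print(f"{name!r:22} unsafe={probe(db, find_by_last_name_unsafe, name)!s:18} "
              f"safe={probe(db, find_by_last_name_safe, name)}")
```

Run it and the three rows tell the story: “Smith” works either way, “O'Brien” makes the concatenated query fail to parse (the symptom the post describes), and the payload makes the concatenated query return every user while the parameterised query returns nothing.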

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

Update Java to avoid (and remove) the OSX Flashback Malware


April 13, 2012 By Tim O'Brien

This is something of a public service announcement because we know from our site analytics that 14.29% of you are running OSX. If you run OSX 10.6 or higher with Java installed, take a quick break and upgrade.

In case you missed it, there is a vulnerability in Apple’s version of Java (CVE-2012-0507, already patched in Oracle’s Java in February) that is fueling the rise of what people are calling the Flashback botnet. According to this Computerworld article, the OSX Flashback botnet is at least 600,000 computers strong, and the latest variants of the attack “do not require user intervention”: visiting a compromised web page is enough. The advice for fixing this Mac vulnerability? Last week a Register article stated that “F-Secure advises users to disable Java, which is not needed to visit the vast majority of Web sites, on their Mac.” Right… disable Java. Something tells me that’s not effective advice for this developer audience.

If you want to protect yourself, follow Apple’s instructions and upgrade Java. If you are running OSX Leopard or earlier, you are out of luck: there is no fix for that version, so you should either disable Java or upgrade the OS (really, isn’t it time for an upgrade anyway?). Apple’s update also removes the most common Flashback variants if you have already been compromised. Conclusion: Java developers, all of your OSX machines are belong to Flashback. Upgrade now.

Article Published in ISACA Journal: Mitigating OSS Risk


March 20, 2012 By Tim O'Brien

Sonatype’s Charles Gold has just published an article in the ISACA Journal: “Mitigating the Risk of OSS Software”. Here’s an excerpt from his ISACA blog discussing the article:

“[I]t has been reported that up to 80 percent of custom software code created today is assembled from open-source components. Upon closer examination, we see a software supply chain that lacks visibility and control and carries with it some glaring risks. While the industry has been quick to embrace open source for its rapid innovation and its undisputed acquisition cost benefits, it has largely ignored a fundamental problem: there is no update notification infrastructure for open-source components.”

If you are a member of ISACA, you can read this article in the current issue (Volume 2, 2012) of the Journal. In the full article Gold lays out the challenges and risks of unmanaged OSS consumption and then recommends a series of steps you can take to mitigate them.

What is ISACA?

ISACA is the Information Systems Audit and Control Association, an international organization of nearly 100,000 members that publishes trade journals. ISACA is also responsible for two important certifications: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). If you work in a critical industry like banking, government, or defense, it is likely that you’ve had some interaction with ISACA or ISACA-certified personnel.

Gold’s article raises awareness of application-level security in the context of OSS consumption. Here are two interesting excerpts from the article. The first describes the disconnect between vulnerability warnings published by US-CERT and the continued download of the affected artifacts from Central:

“Even when security warnings are posted and easily accessible, they are often overlooked. In March 2009, the US Computer Emergency Readiness Team (US-CERT) and the US National Institute of Standards and Technology (NIST) issued a warning that the Legion of the Bouncy Castle Java Cryptography API artifact was extremely vulnerable to remote attacks. In January 2011, almost two years later, 1,651 different organizations downloaded the vulnerable version of the artifact from the Central Repository within a single month.”

[The article’s Figure 2, “Transitive Dependencies Make It Difficult to Govern Component Usage”, is not reproduced here.]
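The governance problem the excerpt describes (a flagged component keeps arriving, often as a transitive dependency nobody asked for) is easier to reason about with a concrete check. The following is an added example, not from the ISACA article and not Nexus’ own health check: a Python script that walks the text output of mvn dependency:tree and reports which direct dependency dragged in a component version that a policy forbids, so the offending artifact can be excluded or its version overridden. The tree and the policy are constructed with hypothetical coordinates; the page gives no version numbers for the Bouncy Castle case, so none are used here.

```python
"""Added example, not from the ISACA article or from Nexus: a small check over
the text output of `mvn dependency:tree` that reports which direct dependency
pulled in a component version the policy forbids.

The tree and the policy are constructed with hypothetical coordinates."""
import re

# Constructed `mvn dependency:tree` output for a hypothetical web application.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- org.example:web-framework:jar:3.1.0:compile
[INFO] |  \\- org.example:framework-core:jar:3.1.0:compile
[INFO] +- org.example:payments-client:jar:2.0:compile
[INFO] |  +- org.example:legacy-crypto:jar:1.3.2:compile
[INFO] |  \\- org.example:http-client:jar:4.0.1:compile
[INFO] \\- junit:junit:jar:4.10:test
"""

# Placeholder policy: groupId:artifactId -> oldest version still acceptable.
# A real advisory feed or repository health check would supply this table.
MIN_VERSION = {"org.example:legacy-crypto": "1.5"}


def version_key(version: str) -> tuple:
    """Numeric dotted prefix as a tuple, '1.3.2' -> (1, 3, 2), for ordering.
    Simplification: real Maven ordering also handles qualifiers (-SNAPSHOT,
    .RELEASE), which are ignored here."""
    match = re.match(r"[\d.]+", version)
    digits = match.group(0) if match else "0"
    return tuple(int(part) for part in digits.split(".") if part)


def parse_tree(text: str):
    """Yield (path, version, scope) for every node; path is the chain of
    groupId:artifactId from the project root down to the node. Depth comes from
    the 3-character-per-level drawing prefix ('+- ', '\\- ', '|  ', '   ')."""
    stack = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        coord = line.lstrip("+-\\| ")
        if not coord:
            continue
        depth = (len(line) - len(coord)) // 3
        parts = coord.split(":")
        # groupId:artifactId:type[:classifier]:version[:scope]; root has no scope
        scope = parts[-1] if len(parts) >= 5 else None
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        stack = stack[:depth] + [parts[0] + ":" + parts[1]]
        yield list(stack), version, scope


def flagged(text: str, policy: dict = MIN_VERSION) -> list:
    """Return (chain, version, scope) for every node below its policy minimum."""
    hits = []
    for path, version, scope in parse_tree(text):
        minimum = policy.get(path[-1])
        if minimum is not None and version_key(version) < version_key(minimum):
            hits.append((" -> ".join(path), version, scope))
    return hits


if __name__ == "__main__":
    for chain, version, scope in flagged(SAMPLE_TREE):
        offender = chain.rsplit(" -> ", 1)[-1]
        print(f"{chain} is at {version} ({scope}); policy requires >= "
              f"{MIN_VERSION[offender]}")
```

On the constructed tree the only hit is legacy-crypto 1.3.2, and the reported chain shows it was payments-client, not anything declared in the pom, that brought it in; that chain is what you need to write the exclusion or dependencyManagement override against.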

And, the second addresses the problem of assessing exposure to OSS licenses:

“[C]utting through the complexity of acquiring and evaluating external components and the associated legal obligations can be difficult and time-consuming. There are multiple types of open-source licenses, each with different terms and conditions that must be met.”

If you are consuming OSS without paying attention to the critical issues outlined in this article, you can start today by downloading a trial of Nexus Professional. With Nexus Professional’s Repository Health Check you can keep track of your exposure to both known security vulnerabilities and OSS license obligations.

The Results Are In: Sonatype 2012 Open Source Development Survey


March 13, 2012 By Charles Gold

I’m pleased to share the results of this year’s Sonatype Open Source Software Development Survey. We were blown away by the level of participation: more than 2,550 of you took the survey.

Thank you to all of you who contributed your thoughts about your tooling, the components you use, and your organizations’ open source policies (and how you feel about them). The results are extremely interesting.

Take a look for yourself (best viewed in ‘full screen’ mode), let us know what you think, and share with your friends and colleagues.

For those of you who would prefer our survey results as a PDF, here they are: Sonatype Survey Findings

New official Maven Central repository in Europe


October 19, 2010 By Brian Fox

Maven Central has become an increasingly important resource for the development community at large. Earlier this year we made several efforts to improve content quality and to reduce the time required to get artifacts into the repository. These have matured over time, and artifacts are now validated automatically. The processes are documented for Maven Projects and for 3rd Party Artifacts.

To improve the experience for users in Europe, Sonatype has provisioned a new official repository in the United Kingdom. This is more than a mere mirror of Central: the system is updated in lockstep with the systems here in the US, and is managed and monitored 24×7 by Contegix, the same team watching over the US repositories. The new repository consists of two fully redundant systems running in parallel to provide complete fail-over capacity.

In addition to the new repository, we have taken several steps to improve and further secure Central itself:
