“Cyber security is on the national political agenda, but do we really understand what it takes to be secure? Now that enterprise development has become component based, rather than using custom code running off-the-shelf platforms, it’s time for enterprise development to wake up and smell the black hats. They’re targeting your components, not just your servers.” 

Simon references our recent survey of 3500 developers, managers and architects that use open source software and our findings about the prevalence of OSS components. Things like:

• Applications are made up of at least 80% components
• Vast majority of organizations have not control over the components they use
• Developers don’t focus much on security

His quote sums up the fact that applications are the predominant threat vector, and with the recent data that today’s applications primarily consist of components it should be no surprise that components can be a significant threat. Why? Well it comes down to economy of scale. If the hacker can exploit a single component, and that component is used in hundreds or thousands of independent applications, hmmm check and mate.

In another article on InfoWorld, Simon addresses Oracle’s approach to Java stating “Oracle’s closed approach keeps Java at risk”. I’m drawn to his comments comparing whether proprietary or open source software (in this case Java) poses a greater risk. This type of editorial has been going on for years – debating the merits of the “many eyes” theory. He also discusses how technical debt in proprietary systems is a more significant issue than can be found in open source. While I understand (though I don’t agree with his thoughts), I think there is a bigger problem here. Since applications are constructed from components sourced from many locations, organizations need to treat software security using supply chain principles. Components of all types need to be managed: internally developed components, open source components, shrink-wrap (COTS), cloud services, you name it.

The issues that are coming to light with Java may vary in technical detail, but their impact is similar to the pervasiveness of Windows ActiveX controls, Adobe PDF files, or other technologies. For those of you old enough to remember, think about the rampant issues found in UNIX’s open source Sendmail program. The point being, this is not an open source vs. closed source debate, this is an application security problem that is rampant across all communities.

Personally I am glad that Oracle is starting to step up to the plate and address these issues head on, but let’s not fault the fact that not all Java is open source. And let’s not lead people to believe that by making a project open source, that security is automatically improved. While there are lots of security stars in the open source community, there are plenty of black holes. As a security community, we need to promote better security practices across all development efforts and avoid generalizations that marginalize any one approach.

When asked how organizations can hire good security talent in today’s competitive marketplace, Wendy noted:

• “Some of the best app security people that I have seen are really good developers that picked up the security mindset and learned more about it. If you have really smart architecture people… developers that already know your applications, and they have the right mindset to learn the hacking side of things, they can make really good app sec people.”

Ryan went on to explain:

• “Developers are the front line – but you really need to have both. Since developers understand the development process they make good security people… Having someone that is part of the agile development process, who understands the business requirements. You need the security angle but you need to think about usability and how things might be exploited. Developers can bring a balanced view because they understand how the development organization works.”

And Ryan commented on how management has to be committed to security:

• “I haven’t found a developer that says ‘I want to write really insecure code today’… half the time they don’t have the tools, the training, or the backing of the organization that says security is an important thing and this should be something that is part of your day-to-day responsibility.”

We believe Ryan is correct, developers want to write secure code, but they lack tools that help them do this without causing development delays. Today’s security tools aren’t designed for developers and they aren’t designed to support agile, component-based development approaches. The Sonatype CLM was designed to address this issue.

• The CLM provides information in the IDE that helps the developer pick the best component from the start. This eliminates downstream problems that are more costly to fix.
• The CLM integrates security, licensing, and quality information in the tools that developers use throughout the development lifecycle. Developers don’t have to learn new tools or become security experts to use the information.
• The CLM inventory and vulnerability information is generated instantaneous – it does not require a long running scan that can’t be integrated naturally into the development process.

For more information about the CLM check out the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

When asked about how the security team can effectively collaborate with the development organization, Wendy (with tongue in cheek) responded:

• “Personally I have always been a fan of bribery. Buying food, lots of drinks.”

Wendy went on to provide the following advice:

• “Helping the developers achieve their goals, not your goals, is what is going to lead you to working better together. If they feel that you are on their side, that they see you as assistance not as an obstacle. You really need to spend time with them, learn about what they are trying to do, see if there is any way you can help even if it has nothing to do with security.”

We took this approach and extended it in the design of the Sonatype CLM. We realize that if the security, licensing, development, and IT Ops teams are not on the same page, that application risk will not be managed effectively. We account for today’s modern development approach that uses short sprint cycles as part of an agile methodology.

• The CLM provides guidance throughout the development lifecycle. The CLM prevents problems by providing information early in the lifecycle vs. a phonebook of potential issues that the developer has to address just before production.
• Policies can be implemented that provide flexibility to the developer early in the development lifecycle while locking down production deployment. The CLM doesn’t force the developer through a laborious approval process before they can use a component.
• The CLM allows the security team to assess overall enterprise risk and policy compliance. This information makes it easy for the security team to communicate with development management and executives. 

To see how policies can actually speed development & improve collaboration, check out the “Implement flexible policies that speed agile development with guidance for each lifecycle stage” section of the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

• “Management will want to wait until there is an actual breech before they bring resources back to fix it.”

• “That big corporation (with the 3 or 4 letter acronym) will wait until their software flaw is trending on Twitter before they are going to do something about it.”

• On the resource commitment: “Fixes through change management… traceability for every fix that you make… getting the builds done… rebuilding it is going to be difficult… testing is going to take time… you may not have a slot in QA… and then there is deployment.”

Wendy also noted the need to protect the entire supply chain including assets that are sourced from third parties. Her Twitter reference implied that some suppliers will not address security flaws until negative publicity forces them to act.

There are multiple reasons flaws are not fixed: lack of budget, poor project planning, shifting resources, etc. Another factor is that today’s security tools are focused on discovery, they don’t help you fix problems. Ryan went on to say:

• “We don’t have a problem finding problems, we have a problem managing what we have. And to make sure that when we make a change or a fix that it rolls through the entire development lifecycle into production.”

We took this challenge into account when we designed the Sonatype CLM. Not only does the CLM help you identify security, licensing and quality flaws, it helps you prioritize and fix the problems, directly in the IDE.

• The flawed components are prioritized by an aggregate threat level.
• The developer can find a suitable replacement for the component without leaving the IDE.
• The developer can see the components side-by-side to assess change impact.
• The code can be refactored  automatically by pushing a button in the IDE.

To see how you can fix flaws with the Sonatype CLM, check out the “Quickly identify your exposure and remediate flaws” section of the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

In this first post, Wendy was talking about the need to integrate security in from the beginning…

• “The best place to set security standards is across the board before any projects get started. If you have the same requirements for everyone right out of the gate you’ll have less to change for each individual project.”

• “In QA, it’s almost too late, all the time and resources that were budgeted for the project will have been used up. It’s extremely hard to sell the concept of going back and changing the design. The inertia here to get management to slow the release or to fix problems is really big.”

• “In production you have the greatest inertia. It has already been rolled out, it’s running just fine and the developers have been reallocated to other projects. There is one poor guy named Mike left to support it along with 2 or 3 other applications. Good luck getting Mike to fix big security flaws.“

The interesting thing about Wendy’s recommendation is that it represents a key design principle of the Sonatype CLM. Integrating security throughout the entire lifecycle – from design, development, on through production deployment.

With the CLM, it starts by providing security, licensing and quality information in the IDE so the developer can make informed decisions about the best components to use. This prevents problems from occurring downstream, problems that become more expensive to fix.

To learn more about Sonatype CLM, check out the product tour.

Make sure you read Wendy’s research Mission Impossible: securing the open source software supply chain with Sonatype.

Jeff Williams, CEO of Aspect Security and founding member of OWASP puts a fine point on the challenge…

• “The performance, time and cost advantages of agile, open-source development comes at a price – you have to ensure the components you use are up-to-date and secure.”
• “Unfortunately, it’s not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components.”
• “The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”

So why should managing and securing components be a priority? Simply put, components have become a rich attack vector because of their pervasive reuse. Reuse that makes it easy for hackers to propagate their attack across multiple applications and organizations.

OWASP provides a set of best practice recommendations, including:

1. Identify the components and their versions you are using, including all dependencies.
2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable license.

Sonatype CLM goes beyond these recommendations and is designed to manage the entire component lifecycle. The CLM integrates security, licensing and quality information about the components directly in the tools that developers use (repository manager, IDE, build/CI environment), provides early and quick remediation capabilities, and continuously monitors your production applications.

For more information on recommended best practices, check out the 7 steps to Good Component Practice section (it’s at the end) of the 2013 Sonatype Survey results.

You can also check out the press release announcing OWASP A9.  

Check out the CLM product tour to see more and come back to the blog to post your impressions.

Policy & governance

• “Just by using the CLM we are enforcing policy.” – Dev Manager
• “A week is too long to wait for approval. The CLM automates the process and provides visibility.” – Agile developer
• “For products to effectively govern, they must have high usability. With CLM, it’s really easy to build and reuse policies – there are no special tools that are required, just a Web browser.” – Lead Architect
• “Integrating disparate data (from other security tools) while automating policy is transformative for our processes.” - CISO

Simplicity

• “If you can’t make it simple, you can’t make it secure.” – Enterprise Architect
• “We need a zero overhead approach that doesn’t require weeks of user training. That’s what we have experienced with other alternatives – but your approach is different.” – Dev Manager
• “The CLM reduces the impedance for developers that results in non-compliance. Your policy enforcement approach eliminates the biggest reason for developers not to comply with FOSS policies – you eliminate delays caused by manual component reviews.” – Security Analyst
• “If you can’t make governance simple, you’re creating more barriers to making it secure.” – CISO
• “We didn’t have to learn new tools, information we need to take action is in the tools we use.” - CTO

Nexus users

• “We have been using Nexus for years and the Nexus Pro features are interesting. Since we are really focused on security, the CLM is what we need.” – Dev Manager
• “Don’t build the tool to be tool agnostic… Maven is all you need!” – Maven Fanatic <Editorial note: the CLM is tool agnostic, it is designed to support multiple IDEs, Repo Managers, Build & CI tools>

OSS management 

• “You are the only company that combines component binary repository with FOSS governance: a single view and repository (approvals + component metadata + binaries + promotion model).” – Open Source Board Manager

Remediation support

• “With the CLM, I can quickly replace flawed components in my application without leaving the IDE.” – Lead developer

Securing your apps

• “You help support our “defense in depth” strategy – CLM provides centralized FOSS rule management with multiple enforcement points (IDE, CI server, binary repo, deployment promotion etc)” – CISO
• “For products to effectively govern, they must have high usability. With CLM, it’s really easy to build and reuse policies – there are no special tools that are required, just a Web browser.” – Security Admin

CLM complements security scanners

• “When we presented CLM to the security team Fortify… they were very excited… they liked it because they can focus their efforts on code built in house.” – Application Architect
• “Sonatype provides the ability to identify issues early in the process, that decreases our development cost. Using Sonatype will allow the Fortify team to focus on things that are more likely to have issues.” – Dev Manager

CLM: It’s better than the competition!

• “When you have as many apps as we do and you can’t scan them automatically… and you don’t have a degree in rubbish… vendors that require long scan times that produce a lot of results don’t work for an organization of our size.” – Architect Manager
• “With vendors that have long scan times… you can’t have those lead times, we need to be able to know whether a component is suitable to use right away. There is also no way to tie it into our system, it was simply opt in… people have to submit things and it takes several days to get it approved. We can’t wait for this, we are under pressure to deliver… we are going to forge ahead, we are going to ask for forgiveness.” – Lead Developer

The CLM is a culmination of several factors:

• The Nexus community has been an invaluable source of feedback. Although the repository manager is critical, we learned that managing components requires a complete lifecycle approach.
• Sponsoring Sonatype Central allows us to expand the value that we provide to our customers. Security, licensing and quality intelligence is key to assessing risk and fixing flaws.
• The explosive growth of component-based development using agile methodologies requires a different approach, a flexible approach that drives collaboration between development, security and compliance professionals.

You’ll notice how we use the phrase “Go Fast. Be Secure” to describe the CLM. This is a key Sonatype theme and illustrates our focus on helping development deliver applications fast while supporting the security goals of the CISO, the licensing goals of compliance, and the quality goals of the enterprise architects. We truly believe that it doesn’t have to be speed OR security, with the CLM, you can have both.

Other key design tenets that drove the CLM include:

• CLM supports the entire development lifecycle by integrating intelligence in the tools that developers use today (Repository Manager, IDE, Build/CI tools).
• While understanding your component inventory and identifying risk is important, ultimately its about eliminating exposure – this requires the ability to remediate or fix flaws quickly and early in the development process.
• Managing the development lifecycle ensures delivery of trusted apps, but extending trust into your production environment is also important. Sonatype provides continuous monitoring and alerts for newly discovered vulnerabilities that impact your production apps.
• Sonatype CLM is designed to be an Open Platform for integration of all metadata related to Open Source Software components and their use throughout the Software Lifecycle. With that in mind, Sonatype is developing a plugin for Sonar, enabling Sonar dashboard users to see valuable project information from CLM within the Sonar environment. This enhancement to the Sonatype CLM solution is expected in August.

There is a wealth of information available on our Website that introduces the CLM, including the CLM product tour, but here is a quick intro of the key CLM functional areas:

• CLM Server: Provides a central facility for active risk assessment and management across development environments, applications and teams.
• CLM for Development: Informs and governs the software supply chain by validating, authenticating, securely delivering, and monitoring component security, popularity and licensing information throughout the development lifecycle. It offers developer-friendly policy enforcement and early flaw detection and prevention.
• CLM for Continuous Monitoring: Ensures the security and integrity of the components that make up critical applications by providing a complete component and application bill-of-materials inventory and a fast-path to discovering and fixing at-risk applications.

For more information, check out the press release or view the CLM product tour.

You can also see what our early customers have to say about the CLM.

• An overwhelming 86 percent of you stated that your applications are at least 80 percent open source with the remaining 20 percent custom components and code.

Organizations are reacting to this trend by providing development infrastructure that is designed to leverage open source components and frameworks (e.g., Maven, Hudson/Jenkins, Eclipse, Git, Nexus, etc.):

• 53% noted that they are standardizing on an open source development infrastructure stack.

But given the explosive growth in component usage – 8 billion downloads from the Sonatype Central Repository in 2012 represents an 800% increase in activity since its inception – it comes as no surprise that organizations are struggling to keep up:

• 76% of large organizations have no control over what components are being used in software development projects
• 65% don’t maintain an inventory of components used in production applications.

And since development is under extreme pressure to deliver applications fast while budgets are being cut, it’s also not surprising to see security taking a back seat:

• More than half of large organizations shared that developers don’t focus on security at all.

The good news is that Nexus users have a natural path to address these shortcomings – a strategy that we call Component Lifecycle Management. And we will soon launch a community relating to Good Component Practice.

But, lets’ get back to the survey.

The survey results are also available in pdf format here.

Let us know what you think about the results. What did you find surprising? What actions will you take?

And check back with us to continue the dialogue and to learn more about best practice approaches for managing your components.

We have a problem. Application development has become agile, component-based, and open source dependent. But security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.

Join Wendy Nather, Research Director, Security, at 451 Research tomorrow, Tuesday, April 30 from 11:00AM-11:45AM EDT (GMT-0400) to understand:

•     The changes in application development that have left security behind.
•     Limitations of existing security approaches that could leave your organization exposed.
•     The new requirements that are driving security to align with application development.

In addition, Sonatype CSO Ryan Berg will provide a brief overview of Sonatype CLM, a new application security platform designed specifically for today’s applications and for managing the modern software supply chain.

Reserve Your Seat

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.