Category Archives: Sonatype

Which would you choose? Secure Apps or Productive Developers


February 6, 2013 By Mark Troester

We just finished a webinar with SANS that was presented by our CSO, Ryan Berg, focused on the hidden risk of components. Ryan engaged us with practical advice based on his years in the security business. Here are the key points that I gathered from his discussion.

  • Components are pervasive – organizations have moved from manual coding to assembling applications with components. Components make up 80-90% of most applications. 8 billion components were downloaded from Central last year.
  • Components introduce risk – although components can provide a huge productivity increase, if you fail to manage them they will introduce security risk (not to mention licensing and quality risk). Attackers are focused on components since they have become pervasive.
  • Most organizations aren’t aware of component usage, let alone risk – many organizations have trouble tracking all of their applications, let alone the components used to build those applications. Since they don’t know what they have, they have limited visibility into their risk profile.
  • You can’t NOT use open source – some organizations naively overreact by attempting to eliminate the use of open source. That is simply not possible given how applications are built today.
  • Security must be designed for agile development – cumbersome security policies that were challenged in a waterfall development process will simply fail in an agile environment. Developers will simply work around the policy if it hinders their progress.
  • Security must be woven into the development process – security must be built into the entire development process – including smart policies that drive appropriate action at different development stages. Integration directly in the development tools is key – including Repository Managers, IDEs, Build and CI environments.
  • The security team must speak the language of the developer – the security team should approach the development team as an equal partner – they can’t mandate behavior or simply provide a list of potential vulnerabilities that need to be fixed.
Ryan concluded the presentation by talking about placing a hungry and thirsty donkey equidistant from a source of water and food – the donkey, not being able to make a decision, both starves and dies of thirst. Ryan used it to illustrate the dilemma between patching and replacing flawed software components. I think it also illustrates the fact that you don’t have to pick between secure applications & developer productivity. It doesn’t have to either or – if you take a best practices approach that aligns all of the constituents you can manage components and application security effectively.

Join the conversation on Twitter using the hashtag #CSORisk.

View the webcast recording here.

Open Source – It’s not just about Linux, Apache HTTP & MySQL


February 5, 2013 By Mark Troester

Although the hype of open source has been eclipsed by the cloud, mobile and big data, you could argue that open source remains the biggest productivity driver for IT. If you ask most people what technologies they think about when it comes to open source, they’ll probably mention Linux, or the Apache HTTP Server. Or if they are thinking data, they’ll mention MySQL, or big data technologies like Hadoop. There are entire stacks of open source infrastructure technologies like LAMP, and vendors like Red Hat, Cloudera, and Zend have stepped in to help organizations manage open source infrastructure.

But what about the components that developers use to build applications? Many organizations that we talk to assemble their applications from open source components. They no longer write a lot of custom code; they stitch together components from various sources – in many cases 80-90% of modern applications are made up of components. This may seem surprising until you think of the various types of components that are used to develop applications: utility classes, logging, caching, database access, testing frameworks, web frameworks, collection handling, etc. Why develop those features from scratch when you can reuse components freely available on the Web?

So why compare Linux, Apache HTTP Server, and MySQL with open source components like junit, commons-collections, log4j? I think it helps illustrate the need for a dramatically different management approach.

When it comes to major decisions like operating systems, web/application servers & databases, many organizations…

  • Architecture Review - conduct a comprehensive technology selection process driven by the architecture team… vs. OSS components that are often selected by individual developers.
  • Vendor Selection - go through a deliberate vendor selection process, including RFI/RFP, POCs, etc.… vs. OSS components where the project team is not vetted.
  • License Indemnification – protected from potential license issues via vendor indemnification… vs. OSS components with transitive dependencies on components with problematic licenses.
  • Contractual Procurement - officially contract and procure software through purchasing departments… vs. OSS components that are “free”.
  • Production Monitoring - monitor as part of an overall enterprise-level BAM strategy… vs. OSS components that are often hidden in plain sight (organizations don’t even know what they have).
  • Financial Budget - built into the regular IT budgeting cycle… vs. OSS components – again, aren’t they “free”?
  • Updates/Patches - update periodically via a pre-planned patch/update process… vs. OSS components where regular updates are not even considered.

Although organizations probably don’t think of risk management per se when making major open source infrastructure decisions, that is really what drives their decision process – minimize risk by selecting infrastructure software that is reliable, easily maintained and cost effective.

Shouldn’t you be doing the same at the application level? With components making up the bulk of your applications, it makes sense to manage the components in a systematic fashion. But you can’t use the same process for OSS components as you do for operating systems, databases, etc.

How to start? We call it Component Lifecycle Management. Stay tuned as we introduce this concept over the coming weeks and months.

Secure Central Connectivity – Artifactory & Archiva Now Supported


January 15, 2013 By Mark Troester

Keeping with our desire to protect the entire Central Repository ecosystem, SSL connectivity to the Central Repository from JFrog Artifactory or Apache Archiva is now available.

We’re using SSL because it is the standard mechanism for protecting web traffic – across the spectrum of e-commerce, banking, health care, and so on. Providing SSL support for Central means that your components are no longer susceptible to man-in-the-middle attacks that could compromise a component in transit. SSL also eliminates the potential for a hacker to gain visibility into your organization by tracking the components that you download for your development initiatives.

Given the tremendous growth of Central, and to better protect applications that are now largely built from OSS components, we’re making SSL connectivity to Central available to anyone regardless of their repository manager. SSL is now the default connectivity option for Nexus Pro users. SSL is available for other repository managers, such as Nexus OSS, Artifactory or Archiva, for a $10 donation that will be used to support open source foundations such as Apache and Eclipse.

After you register and make the $10 donation, a token will be provided that your organization can use to secure access to Central.

If you are an Artifactory, Archiva or Nexus OSS user, you can get SSL access here.

Archiva 1.4+ is required.

Artifactory 2.6.5 is required.

If you are an existing Nexus Pro customer, you can download the latest release from the support page.
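The point of the SSL rollout above is that a component fetched over plain HTTP can be altered or observed in transit. A practical defender's check is to audit your build configuration for repository or mirror URLs that still use http://. The script below is an added example, not Sonatype code: it parses a constructed Maven settings.xml (the same element names apply to pom.xml repository sections) and reports every mirror, repository or pluginRepository whose URL scheme is not https. The hostnames in the sample are invented placeholders.

```python
"""Audit Maven settings.xml / pom.xml repository URLs for plaintext HTTP.

Added example (not Sonatype's code). Repositories reached over http:// are
exposed to man-in-the-middle tampering and to observation of what you download.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample settings.xml: one https mirror, one plain-http repository,
# one https plugin repository. Hostnames are placeholders.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo.example.internal/nexus/content/groups/public/</url>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>legacy</id>
      <repositories>
        <repository>
          <id>legacy-http</id>
          <url>http://legacy.example.internal/maven2/</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>plugins</id>
          <url>https://repo.example.internal/nexus/content/repositories/plugins/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
"""

# Maven elements that carry a repository URL (same names in pom.xml and settings.xml).
REPO_TAGS = {"mirror", "repository", "pluginRepository"}


def local_name(tag):
    """Strip the XML namespace prefix ElementTree adds: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_repo_urls(xml_text):
    """Return (id, url) pairs for every mirror/repository/pluginRepository element."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if local_name(elem.tag) not in REPO_TAGS:
            continue
        repo_id, url = None, None
        for child in elem:  # direct children only: <id> and <url>
            name = local_name(child.tag)
            if name == "id":
                repo_id = (child.text or "").strip()
            elif name == "url":
                url = (child.text or "").strip()
        if url:
            found.append((repo_id or "<no id>", url))
    return found


def insecure_repos(xml_text):
    """Return ids of repositories whose URL scheme is anything other than https."""
    return [rid for rid, url in find_repo_urls(xml_text)
            if urlsplit(url).scheme.lower() != "https"]


if __name__ == "__main__":
    for rid in insecure_repos(SAMPLE_SETTINGS):
        print(f"WARNING: repository '{rid}' is fetched over plain HTTP")
```

Run it against your real ~/.m2/settings.xml and project POMs; a finding means the artifacts from that repository arrive without transport integrity, whatever Central itself offers. Transport security is not a substitute for verifying checksums or signatures of the artifacts themselves.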

Nexus 2.3 Now Available – Includes Support for Yum


By Mark Troester

We know how critical Nexus has become to effectively source components and drive greater efficiency in the development lifecycle. We are constantly working to expand the Nexus ecosystem so Nexus can be used to manage additional component technologies. The latest release, Nexus 2.3, available now, provides support for Yum repositories.

Now you can leverage Nexus, a proven repository manager, to support your RPM artifacts. Maven tooling can be used to deploy RPM artifacts to a Maven repository while Yum clients continue to use the familiar and standard Yum protocol. Yum support includes:

  • Any Maven 2 repository hosted in Nexus can act as a Yum repository to manage RPMs.
  • Maven tooling can be used to deploy RPMs into the Maven repository.
  • Yum clients can interact with the repository using the standard and familiar Yum protocol.
  • Yum repositories are automatically updated when RPMs are uploaded, deployed or deleted from Nexus.
  • Yum repositories can be logically grouped behind a single Maven-supported URL.
  • Yum group repositories can be used as a target for staging.

Nexus 2.3 also includes these new capabilities:

Improved Search/Index Capability – The Nexus search/index capability has been enhanced so that it is faster, more reliable, and more scalable.

Smart Proxy Enhancements – The Nexus Smart Proxy capability now supports the ability to delete events and includes full support for drop/close/release staging. Individual messages for affected artifacts are provided, which enables pre-emptive fetching.

Support for New MIME Types & Modifying Existing MIME Types – Nexus validates the file’s content based on the MIME type for files that are downloaded into proxy repositories. This works well for most file types, but you may need to define a new MIME type or add additional file extensions to existing MIME types. Nexus 2.3 supports this capability so that you can accommodate additional MIME types.
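To make the MIME validation point concrete: a proxy repository that trusts the file extension alone will happily cache an HTML error page or a redirect body under a .jar name. Checking the leading bytes of the content against what the extension promises catches that. The code below is an added illustration of that technique, not the Nexus implementation: it keeps a small magic-number table keyed by extension, lets you register a new type or extra extensions (mirroring the configurability described above), and validates a real in-memory JAR, a constructed RPM lead, and an HTML page masquerading as a JAR.

```python
"""Content validation of proxied artifacts by magic bytes.

Added example, not Nexus code. Checks that the bytes of a downloaded file
match the type its extension claims, and allows new types/extensions to be
registered, analogous to the MIME-type configuration described on the page.
"""
import io
import zipfile

# Expected leading bytes per extension (constructed table; extend with register_type).
MAGIC_BY_EXTENSION = {
    ".jar": [b"PK\x03\x04"],        # JAR is a ZIP container
    ".zip": [b"PK\x03\x04"],
    ".rpm": [b"\xed\xab\xee\xdb"],  # RPM lead magic
    ".gz": [b"\x1f\x8b"],           # gzip header
}


def register_type(extension, magics):
    """Define a new type, or add extra accepted magic prefixes to an existing one."""
    MAGIC_BY_EXTENSION.setdefault(extension.lower(), []).extend(magics)


def extension_of(path):
    """Return the last extension of path in lower case ('' if none)."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def content_matches(path, data):
    """True if data begins with a magic prefix expected for path's extension.

    Extensions with no registered magic are accepted, since there is nothing
    to validate against; a real proxy would log these for review.
    """
    magics = MAGIC_BY_EXTENSION.get(extension_of(path))
    if magics is None:
        return True
    return any(data.startswith(m) for m in magics)


def make_sample_jar():
    """Build a minimal but genuine JAR (ZIP with a manifest) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed samples: a real JAR, only the 96-byte RPM lead (magic + padding),
# and an HTML error page that a careless proxy might cache as an artifact.
SAMPLE_JAR = make_sample_jar()
SAMPLE_RPM_LEAD = b"\xed\xab\xee\xdb\x03\x00" + b"\x00" * 90
SAMPLE_HTML = b"<html><body>404 Not Found</body></html>"


if __name__ == "__main__":
    for name, data in [("example-1.0.jar", SAMPLE_JAR),
                       ("example-1.0.jar", SAMPLE_HTML),
                       ("example-1.0.x86_64.rpm", SAMPLE_RPM_LEAD)]:
        state = "ok" if content_matches(name, data) else "REJECTED"
        print(f"{name}: {state}")
```

A magic-byte check only establishes that the content is the kind of file it claims to be; it says nothing about whether it is the artifact you expected. Pair it with checksum or signature verification of the artifact itself.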

For more information about this release, check out the release notes. As always, please share your thoughts and experiences using Nexus and Yum.

Last Chance: 2013 Open Source Development Survey Closes Tomorrow – Take It for Your Chance to Win a Brand New Apple Workstation


January 14, 2013 By Emily Blades

Don't Miss Out: Take Our Survey And This Could Be Yours!

Time is running out! Share your open source knowledge, experiences and challenges for your chance to win Jason’s brand new Apple workstation, including a 15″ MacBook Pro with Retina display, a 27″ Thunderbolt display, an Apple Magic Mouse and an Apple Wireless Keyboard. We’ve also snagged both of his iPad minis. That’s enough loot for 3 winners!

Our survey closes at 11:59:59 pm EST, January 15, 2013, so don’t miss your chance! Also, if you respond to our survey, we’ll give you early access to our findings.

The survey will take less than 10 minutes. We promise.

Take Survey Now

*Official Rules for the Sonatype Open Source Survey Promotion can be found here.