The tide is turning. OWASP A9 is further recognition that modern applications are assembled primarily from components. In our recent survey of 3500 developers, managers and architects who use open source, 86% of participants said that the applications they build today are at least 80% open source. OWASP A9 highlights the risk created by the widespread use of open-source components with known security vulnerabilities in modern application development.
Jeff Williams, CEO of Aspect Security and founding member of OWASP puts a fine point on the challenge…
- “The performance, time and cost advantages of agile, open-source development come at a price – you have to ensure the components you use are up-to-date and secure.”
- “Unfortunately, it’s not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components.”
- “The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”
So why should managing and securing components be a priority? Simply put, components have become a rich attack vector because of their pervasive reuse: the same reuse that saves developers time lets an attacker propagate one exploit across multiple applications and organizations.
OWASP provides a set of best practice recommendations, including:
- Identify the components and their versions you are using, including all dependencies.
- Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
- Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and using only acceptable licenses.
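As an added illustration of the first and third recommendations (this is not Sonatype's or OWASP's code), the script below builds a component inventory from constructed `mvn dependency:list` output and checks each coordinate against a hypothetical advisory feed and a hypothetical banned-component policy; every component name, version range and advisory id in it is made up.

```python
import re
# Constructed sample of `mvn dependency:list` output (not a real project).
DEPENDENCY_LIST = """
[INFO]    org.example:web-core:jar:2.3.1:compile
[INFO]    org.example:xml-utils:jar:1.0.7:compile
[INFO]    org.example:logger:jar:4.2.0:runtime
[INFO]    org.example:legacy-crypto:jar:0.9.0:compile
"""
# Hypothetical advisory feed: component -> [(affected version range, advisory id)].
ADVISORIES = {
    "org.example:xml-utils": [("<1.1.0", "ADV-EXAMPLE-001")],
    "org.example:web-core": [(">=2.0.0,<2.3.0", "ADV-EXAMPLE-002")],
}
# Hypothetical policy: components that may not be used at any version.
POLICY = {"banned": {"org.example:legacy-crypto"}}
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text):
    """Turn '1.0.7' or '2.3' into a comparable, zero-padded 3-tuple."""
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def in_range(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=2.0.0,<2.3.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*(\S+)", clause.strip())
        if not m or not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

def build_inventory(output):
    """Map 'groupId:artifactId' -> version for each resolved dependency line."""
    coord = re.compile(r"(\S+):(\S+):(?:jar|war|pom):(\S+):(compile|runtime|provided|test)")
    inventory = {}
    for line in output.splitlines():
        m = coord.search(line)
        if m:
            inventory[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return inventory

def check(inventory):
    """Return (component, version, reason) for every policy or advisory hit."""
    findings = []
    for comp, ver in inventory.items():
        if comp in POLICY["banned"]:
            findings.append((comp, ver, "policy:banned"))
        for spec, advisory in ADVISORIES.get(comp, []):
            if in_range(ver, spec):
                findings.append((comp, ver, advisory))
    return findings
```

Running `check(build_inventory(DEPENDENCY_LIST))` flags the outdated `xml-utils` and the banned `legacy-crypto` while leaving `web-core` 2.3.1 alone because it falls outside the affected range.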
Sonatype CLM goes beyond these recommendations and is designed to manage the entire component lifecycle. The CLM integrates security, licensing and quality information about the components directly in the tools that developers use (repository manager, IDE, build/CI environment), provides early and quick remediation capabilities, and continuously monitors your production applications.
For more information on recommended best practices, check out the 7 steps to Good Component Practice section (it’s at the end) of the 2013 Sonatype Survey results.
You can also check out the press release announcing OWASP A9.
We thought it would be interesting to share some of the feedback that we are getting from early CLM customers.
Check out the CLM product tour to see more and come back to the blog to post your impressions.
Policy & governance
- “Just by using the CLM we are enforcing policy.” – Dev Manager
- “A week is too long to wait for approval. The CLM automates the process and provides visibility.” – Agile developer
- “For products to effectively govern, they must have high usability. With CLM, it’s really easy to build and reuse policies – there are no special tools that are required, just a Web browser.” – Lead Architect
- “Integrating disparate data (from other security tools) while automating policy is transformative for our processes.” - CISO
- “If you can’t make it simple, you can’t make it secure.” – Enterprise Architect
- “We need a zero overhead approach that doesn’t require weeks of user training. That’s what we have experienced with other alternatives – but your approach is different.” – Dev Manager
- “The CLM reduces the impedance for developers that results in non-compliance. Your policy enforcement approach eliminates the biggest reason for developers not to comply with FOSS policies – you eliminate delays caused by manual component reviews.” – Security Analyst
- “If you can’t make governance simple, you’re creating more barriers to making it secure.” – CISO
- “We didn’t have to learn new tools, information we need to take action is in the tools we use.” - CTO
- “We have been using Nexus for years and the Nexus Pro features are interesting. Since we are really focused on security, the CLM is what we need.” – Dev Manager
- “Don’t build the tool to be tool agnostic… Maven is all you need!” – Maven Fanatic <Editorial note: the CLM is tool agnostic, it is designed to support multiple IDEs, Repo Managers, Build & CI tools>
- “You are the only company that combines component binary repository with FOSS governance: a single view and repository (approvals + component metadata + binaries + promotion model).” – Open Source Board Manager
- “With the CLM, I can quickly replace flawed components in my application without leaving the IDE.” – Lead developer
Securing your apps
- “You help support our “defense in depth” strategy – CLM provides centralized FOSS rule management with multiple enforcement points (IDE, CI server, binary repo, deployment promotion etc)” – CISO
- “For products to effectively govern, they must have high usability. With CLM, it’s really easy to build and reuse policies – there are no special tools that are required, just a Web browser.” – Security Admin
CLM complements security scanners
- “When we presented CLM to the security team Fortify… they were very excited… they liked it because they can focus their efforts on code built in house.” – Application Architect
- “Sonatype provides the ability to identify issues early in the process, that decreases our development cost. Using Sonatype will allow the Fortify team to focus on things that are more likely to have issues.” – Dev Manager
CLM: It’s better than the competition!
- “When you have as many apps as we do and you can’t scan them automatically… and you don’t have a degree in rubbish… vendors that require long scan times that produce a lot of results don’t work for an organization of our size.” – Architect Manager
- “With vendors that have long scan times… you can’t have those lead times, we need to be able to know whether a component is suitable to use right away. There is also no way to tie it into our system, it was simply opt in… people have to submit things and it takes several days to get it approved. We can’t wait for this, we are under pressure to deliver… we are going to forge ahead, we are going to ask for forgiveness.” – Lead Developer
We’re pleased to announce Sonatype CLM (Component Lifecycle Management). Although this is the official release date, we’ve been building off a number of mature technologies and we already have customers in production.
The CLM is a culmination of several factors:
- The Nexus community has been an invaluable source of feedback. Although the repository manager is critical, we learned that managing components requires a complete lifecycle approach.
- Sponsoring Sonatype Central allows us to expand the value that we provide to our customers. Security, licensing and quality intelligence is key to assessing risk and fixing flaws.
- The explosive growth of component-based development using agile methodologies requires a different approach, a flexible approach that drives collaboration between development, security and compliance professionals.
You’ll notice how we use the phrase “Go Fast. Be Secure” to describe the CLM. This is a key Sonatype theme and illustrates our focus on helping development deliver applications fast while supporting the security goals of the CISO, the licensing goals of compliance, and the quality goals of the enterprise architects. We truly believe that it doesn’t have to be speed OR security, with the CLM, you can have both.
Other key design tenets that drove the CLM include:
- CLM supports the entire development lifecycle by integrating intelligence in the tools that developers use today (Repository Manager, IDE, Build/CI tools).
- While understanding your component inventory and identifying risk is important, ultimately it’s about eliminating exposure – this requires the ability to remediate or fix flaws quickly and early in the development process.
- Managing the development lifecycle ensures delivery of trusted apps, but extending trust into your production environment is also important. Sonatype provides continuous monitoring and alerts for newly discovered vulnerabilities that impact your production apps.
- Sonatype CLM is designed to be an Open Platform for integration of all metadata related to Open Source Software components and their use throughout the Software Lifecycle. With that in mind, Sonatype is developing a plugin for Sonar, enabling Sonar dashboard users to see valuable project information from CLM within the Sonar environment. This enhancement to the Sonatype CLM solution is expected in August.
There is a wealth of information available on our Website that introduces the CLM, including the CLM product tour, but here is a quick intro of the key CLM functional areas:
- CLM Server: Provides a central facility for active risk assessment and management across development environments, applications and teams.
- CLM for Development: Informs and governs the software supply chain by validating, authenticating, securely delivering, and monitoring component security, popularity and licensing information throughout the development lifecycle. It offers developer-friendly policy enforcement and early flaw detection and prevention.
- CLM for Continuous Monitoring: Ensures the security and integrity of the components that make up critical applications by providing a complete component and application bill-of-materials inventory and a fast-path to discovering and fixing at-risk applications.
For more information, check out the press release or view the CLM product tour.
You can also see what our early customers have to say about the CLM.
Once again, you’ve helped us make this year’s annual survey the largest of its kind. 3500 of you participated in the latest survey of developers using open source, and your enthusiasm for open source comes through clearly in the findings:
- An overwhelming 86 percent of you stated that your applications are at least 80 percent open source with the remaining 20 percent custom components and code.
Organizations are reacting to this trend by providing development infrastructure that is designed to leverage open source components and frameworks (e.g., Maven, Hudson/Jenkins, Eclipse, Git, Nexus, etc.):
- 53% noted that they are standardizing on an open source development infrastructure stack.
But given the explosive growth in component usage – 8 billion downloads from the Sonatype Central Repository in 2012 represents an 800% increase in activity since its inception – it comes as no surprise that organizations are struggling to keep up:
- 76% of large organizations have no control over what components are being used in software development projects.
- 65% don’t maintain an inventory of components used in production applications.
And since development is under extreme pressure to deliver applications fast while budgets are being cut, it’s also not surprising to see security taking a back seat:
- More than half of large organizations shared that developers don’t focus on security at all.
The good news is that Nexus users have a natural path to address these shortcomings – a strategy that we call Component Lifecycle Management. And we will soon launch a community relating to Good Component Practice.
But let’s get back to the survey.
The survey results are also available in pdf format here.
Let us know what you think about the results. What did you find surprising? What actions will you take?
And check back with us to continue the dialogue and to learn more about best practice approaches for managing your components.
We have a problem. Application development has become agile, component-based, and open source dependent. But security approaches haven’t kept up. Every day we’re forced to make the dangerous choice between speed and security, putting Development and Security at odds. There has to be a better way.
Join Wendy Nather, Research Director, Security, at 451 Research tomorrow, Tuesday, April 30 from 11:00AM-11:45AM EDT (GMT-0400) to understand:
- The changes in application development that have left security behind.
- Limitations of existing security approaches that could leave your organization exposed.
- The new requirements that are driving security to align with application development.
In addition, Sonatype CSO Ryan Berg will provide a brief overview of Sonatype CLM, a new application security platform designed specifically for today’s applications and for managing the modern software supply chain.
Reserve Your Seat
If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.