Before JavaOne 2012 a few of us joined the Jenkins community at the Jenkins User Conference 2012 in San Francisco as Gold Sponsors. We had a great time talking to KK, Andrew and others, as well as showcasing Insight for CI for Jenkins at the booth. The presentation “Improving Software Quality Using Component Lifecycle Management with Jenkins” was very well attended and there seemed to be a lot of interest. In case you missed it, you are, however, in luck …
When we announced Insight for CI a few weeks ago, our message was simple “Get Proactive about Security with Insight”. A few months ago, when we introduced the Repository Health Check in Nexus Professional, we had a similar message about licensing, “Lead or Be Led to OSS Compliance”. For months we’ve been making the case that the time to worry about application security is now.
Another thing we’ve been saying is that it is our responsibility, as developers, to start paying attention to security vulnerabilities, and if we don’t take responsibility for application-level security, someone else will impose this requirement on us…
…and that’s exactly what we’re seeing, both in the EU’s reform of Data Protection Laws and as the US Congress responds to the latest data breach at LinkedIn. Now, who knows what sort of regulations we’re going to see in the coming months, but one thing is sure: the fact that lawmakers feel compelled to act is proof that we’re not doing enough as an industry to address security.
The best security is a layered approach: multiple levels of network security, security policies for production resources that limit access to the individuals who need it, secure password policies, and application security. Sonatype is focused on that last item, application security, and our approach focuses on the components you assemble to create your applications. If you develop software today, you understand that much of your work is spent creating applications that sit atop frameworks like Spring and Hibernate. It isn’t enough for your own software and infrastructure to be secure. These days, you need to account for vulnerabilities in your dependencies.
And, again, this isn’t solely operations’ responsibility. Security is a shared responsibility across both development and operations, and it is something that developers need to take ownership of. While we’ll probably never know how sites like LinkedIn, eHarmony, and Last.fm were compromised, there’s a good chance that some of these sites were compromised via known vulnerabilities in outdated components. Components like Tomcat or frameworks like Struts are among the artifacts that have known problems.
Don’t get hacked because you didn’t upgrade to the latest version of Tomcat or because you happened to be using some ancient version of Spring with a known vulnerability. If you are consuming artifacts from Central (and if you are a Java developer, you probably are), you need to start using Nexus Professional to keep track of your dependencies. If you are using Hudson or Jenkins, take some time to evaluate Insight for CI.
A big thanks to all of you who registered and attended our Insight for CI Demo last week. We had a great turnout and a lot of fantastic questions! If you didn’t have a chance to register, that doesn’t mean you have to miss out. The replay is now available.
Ready to try Insight for CI for yourself? Let us help you get started.
There’s a shift in the way organizations are thinking about security, and this article in InfoWorld, “IBM: Security execs move more toward active risk management”, is exactly what we’ve been talking about. Here are the quotes that stood out:
“Nearly two-thirds of security leaders say their senior executives are paying more attention to security today than they were two years ago, due in large part to media attention.” and “60 percent of the advanced organizations named security as a regular boardroom topic, compared to only 22 percent of the least advanced organizations.”
Instead of simple three-tiered applications following a standard Apache -> Tomcat -> RDBMS pattern, today’s scalable applications involve a portfolio of technologies: Redis, Hadoop, real-time BI systems, integration with third-party APIs, Node.js, and more and more companies are adopting such a portfolio. It is becoming increasingly difficult to draw a line around a particular application and evaluate its security vulnerabilities in isolation.
Today, you need to have your security group sitting next to you evaluating a complex application as it evolves… but, back to the article, it isn’t just the evolution of technology that is making security a focus for business, it is a series of high-profile, embarrassing data breaches. A CEO who wouldn’t have thought very much about security technology a few years ago sees what happened to a Stratfor or a Global Payments and understands the risks. Data security is front and center in the news, and a data breach can be a business-ending event.
So get out in front of the problem. Start tracking your application dependencies and identify known vulnerabilities with Insight.
When we launched Nexus Professional with integrated Sonatype Insight information, we gave you the ability to keep track of your overall exposure to security vulnerabilities. Your IT organization gained a window into the intersection of known vulnerabilities with the artifacts you download from Central. That was a good start, but the real benefit is Insight for CI. We launched Insight for CI this week, and it’s the tool you’ll want to use to address security vulnerabilities in specific products. If it is your responsibility to keep up with security, one of the easiest ways to take a more proactive approach is to start using Insight for CI to track your application’s dependencies.
Click here to get started with Insight for CI. It works with either Hudson or Jenkins, and it covers both license and security information.
Join Brian Fox tomorrow, Wednesday, May 23 at 11AM EDT or 2PM EDT (GMT-0400) for a 30-minute tour of Insight for CI. In this demo, Brian will show how Insight for CI will help you:
- Generate a detailed bill of materials for every build in Hudson and Jenkins.
- Find and fix license, security and quality problems quickly.
- Set rules to notify you of problems, fail builds, or establish workflows.
If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.
Two sessions are available tomorrow, Wednesday, May 23. Choose the best time for you: