Tag Archives: Insight

Use Maven to Find Security Vulnerabilities and Viral Licenses in Applications


October 10, 2012 By Bentmann Benjamin

A few months ago, we launched Insight Application Health Check. Today, I’d like to announce another way to get started tracking licensing and security issues. In this post, I’m going to show you how to scan your project with nothing more than Maven and an existing project. You can get started with Insight without having to download a client or server. All you’ll need to do is run a simple plugin from the command line.

To enable users to scan their applications, we provide an executable JAR with a graphical user interface. With this interface users are a few clicks away from results. But, even with this GUI, some users want to be able to use Insight’s Application Health Check from the command-line because sometimes “clicking” isn’t the most effective way to get something done. If you’re building your application using Apache Maven, you probably already have a terminal window open to invoke its build phases. So, while you’re in there, adding or updating some dependencies in your POM and repackaging your application, why not check whether this dependency update introduced some security vulnerability or license issue, especially if it’s as easy as adding another goal to your command line? Meet the Application Health Check Maven Plugin:

mvn package com.sonatype.insight:ahc:run -D ahc.email=my.name@mycompany.com

Dogfooding Sonatype Insight: We found Vulnerabilities in Nexus


August 13, 2012 By Tim O'Brien

“Dogfooding” is such a strange word, and I’m using it as a substitute for “Eating your own dog food”. As we do have a global audience, I worry that the term is somewhat provincial (and maybe a bit strange out of context). So here’s the explanation of this idiom on Wikipedia.

Sonatype is “recursive”. We’re a group of developers, creating tools for developers, getting feedback from developers. Logically, we tend to use everything we make. We’re the first customer. We deploy early development releases of Nexus Professional to our own Nexus Professional instance, we use repository.sonatype.org as a test case as the release approaches, and every feature we send out to our customers has been audited and tested internally. By the time you download our software, we’ve often already been using it for weeks or months, and we also make heavy use of Sonatype Insight to identify licensing and security risks.

Now, this blog post is a bit risky. I’m about to tell you about the security issues that the Engineering team discovered in Nexus when we ran Nexus through our Insight scanner during the Nexus 2.1 release. By doing this, I’m exposing people that haven’t updated Nexus to 2.1 to some risk. At the same time, I’ve given everyone ample notice to upgrade (I even made a video imploring people to upgrade), and I’m a big believer in transparency. If we know something related to security, you should know it as well after we’ve given people enough time to upgrade.

Why Insight App Health Check is so Important: Java Flaws Increasingly Targeted By Attackers


July 25, 2012 By The Vigilant Application Owner

Check out this news story that broke earlier in the week: Java flaws are “increasingly targeted by attackers”. This story was filed by IDG News Service from the Black Hat USA 2012 conference, and it points at a trend we’ve also noticed. The world is waking up to the fact that Java is an attractive target. Java applications run the world’s largest organizations (from banks to governments). Where there is Java, there is usually a system worth hacking into. Security professionals are taking note.

During our initial testing of Insight Application Health Check we found that real-world applications at large enterprises contained an average of 32 publicly known security vulnerabilities. Some of these security vulnerabilities were 3s and 4s on the 10-point CVSS scale, but many were 9s and 10s. These are bugs that are easily exploitable over the network and can be used to take ownership of applications and data.

So, think about it. If you develop Java applications, you’ve been relatively isolated from security concerns for years. Java has never been the top attack vector of hackers, and, because of this, developers have never really had to think about scanning artifacts for security issues. It looks like this is changing, and if you want to do something about it, it’s easy. Just run a free summary scan of your application with Insight App Health Check.

Here’s the IDG story, enjoy:

IDG News Service – (International) Java flaws increasingly targeted by attackers, researchers say. Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle does not do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference. Several years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader. However, many current Web exploit toolkits rely heavily on Java exploits, said a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research division.

Source: http://www.computerworld.com/s/article/9229641/Java_flaws_increasingly_targeted_by_attackers_researchers_say

Component Lifecycle Management with your Apache Maven Infrastructure


July 5, 2012 By Jason van Zyl

The way software is being developed has changed over the last ten years: it has shifted from companies developing the vast majority of their own software to a software development approach that depends on open source components that are freely available. Today, the vast majority (upwards of 90%) of Java-based applications are assembled from components. Very little of these applications consists of code that companies build internally. The extent to which open source components are being used is not widely known within companies that have thousands of applications and hundreds of thousands of downloads from the Central repository.

In last week’s webinar I discussed the trends we’ve identified and the tools we’ve developed to address this challenge. Tracking down where components come from, managing your application to account for changes in components, and dealing with security and licensing issues that relate to your application’s dependencies is our focus. If you develop software using open source components, here’s a video of my webinar. If you are interested in learning more about our Insight products and starting to keep track of the components you consume, go to http://www.sonatype.com/insight.

The Time to Pay Attention to Application Security is Now


June 12, 2012 By Tim O'Brien

When we announced Insight for CI a few weeks ago, our message was simple: “Get Proactive about Security with Insight”. A few months ago, when we introduced the Repository Health Check in Nexus Professional, we had a similar message about licensing: “Lead or Be Led to OSS Compliance”. For months we’ve been making the case that the time to worry about application security is now.

Another thing we’ve been saying is that it is our responsibility, as developers, to start paying attention to security vulnerabilities, and if we don’t take responsibility for application-level security, someone else will impose this requirement on us…

…and that’s exactly what we’re seeing, both in the EU’s reform of Data Protection Laws and as the US Congress responds to the latest data breach at LinkedIn. Now, who knows what sort of regulations we’re going to see in the coming months, but one thing is sure: the fact that lawmakers feel compelled to act is proof that we’re not doing enough as an industry to address security.

The best security is a layered approach: multiple levels of network security, security policies for production resources that limit access to the individuals who need it, secure password policies, and application security. Sonatype is focused on that last item, application security, and our approach focuses on the components you assemble to create your applications. If you develop software today, you understand that much of your work is spent creating applications that sit atop frameworks like Spring and Hibernate. It isn’t enough for your own software and infrastructure to be secure. These days, you need to account for vulnerabilities in your dependencies.

And, again, this isn’t operations’ responsibility alone. Security is a shared responsibility across both development and operations. This is something that developers need to take ownership of. While we’ll probably never know how sites like LinkedIn, eHarmony, and Last.fm were compromised, there’s a good chance that some of these sites were compromised via known vulnerabilities in outdated components. Components like Tomcat or frameworks like Struts are among the list of artifacts that have known problems.

Don’t get hacked because you didn’t upgrade to the latest version of Tomcat or because you happened to be using some ancient version of Spring with a known vulnerability. If you are consuming artifacts from Central (and if you are a Java developer, you probably are), you need to start using Nexus Professional to keep track of your dependencies. If you are using Hudson or Jenkins, take some time to evaluate Insight for CI.