At RSA 2012, Wayne Jackson gave a short presentation focused on the security aspects of Sonatype Insight and the newly released Repository Health Check in Nexus Professional. This five minute overview gives you a sense of the magnitude of the problem we are trying to solve.
Here are some of the highlights from Wayne’s presentation followed by the video of his talk and his slide deck:
“The benefits of ‘many eyeballs’ in open source does create better software but you can only leverage that if you know about it. That’s particularly troubling in the context of the fact that more than 80% of the modern software application is [comprised of] open source and the components that are used to build those applications are surprisingly complex.”
“That complexity is compounded by the fact that when issues arise their implications are viral and the big problem is that when those issues are resolved in the root components the solutions are not [similarly viral]. Spring Beans 2.5.6 compromised 1400 open source components and God knows how many downstream applications. When Spring Beans 2.5.6 was fixed, none of the others were fixed.”
“You can imagine the ripple effect of compromising open source. And the combination of things like the lack of notification infrastructure and the complexity of open source componentry is how you get situations like this. 6,982 organizations including the Dept of Homeland Security and several financial institutions are still using a 3 year old crypto library with an “as bad as it gets” Level 10 flaw that has known exploit code.”
“Sonatype is creating an extraordinary infrastructure for finding out everything knowable about a given component. So that when flaws are discovered, we can know and we have the ability to deliver that knowledge into the tools that developers are using every day. This family of technologies is called Insight.”
“Critical to that is the Central repository. Central houses hundreds of thousands of components from nearly every open source project in the world and it is used by tens of thousands of organizations.”
Unless you develop code on an isolated island disconnected from the internet, it’s a safe bet that you use open source somewhere in your development cycle. Maybe you use an open source IDE, or maybe you deploy to Linux; in 2012, it is likely that some bits in your process are covered by an OSS license. Despite the prevalence of OSS, most organizations tend to follow the “Make it Up as You Go” process: identifying the licenses they are incorporating and distributing only at the tail end of the software development process.
In this post, I outline the “Make it Up as You Go” process and talk about some of the pitfalls you’ll encounter if this is a process you find yourself following. This is the case of a real company and how they went about assessing license exposure for a project that was already finished. Names have been omitted to protect the innocent. (Law and Order noise.)
Note: Many of the issues in this post could have been avoided with Nexus Professional 2.0’s Repository Health Check. This post describes what it is like to take on the responsibility for auditing licenses manually. Nexus 2.0 can automate this process and perform the check continuously as dependencies are consumed from remote repositories. It also draws licensing information from more than just the POM, which matters because a POM’s declared license is not always the effective license of the code it ships; that is the unique advantage of using Nexus.
Are you available to do a license audit?
That was the initial request. “But, I’m not a lawyer? Don’t you want a lawyer to do that?”, I asked.
As part of our launch of Nexus 2.0 and the Repository Health Check, we’re telling some stories about security and how security affects working developers. As developers we’re not always focused on security, but as attacks grow more complex, more aware of platforms like Java and .NET, and more capable of affecting custom application code, security is going to play an increasingly important role in development. In this post, I talk about a security incident I watched unfold last year and identify some of the lessons I walked away from the experience with.
But first, a message from our sponsor: Sonatype’s Nexus 2.0 offers a Repository Health Check. It’s not an answer to security by itself, but it can play a critical part in a larger, organization-wide approach to security. If you are developing applications with Tomcat, Spring, and other well-known components you’d be surprised at the kinds of vulnerabilities that are floating around in production. Once you have this capability to run a detailed RHC report in Nexus Professional, you can remove these components from applications, iterate, and get rid of known vulnerabilities. Click here to learn more about Nexus 2.0.
Nexus 2.0 turns your repository manager into the first line of defense against security vulnerabilities and the perfect platform to assess your exposure to open source licenses. With this release, your repository becomes more than just a place to file binary artifacts, it becomes a tool you can use to implement security policy and govern which open source licenses are used in your projects.
Nexus is in a perfect position to be your OSS “sentry”: keeping watch over insecure artifacts as they are downloaded from remote repositories. Your builds and your developers request open source artifacts from Nexus all the time, and Nexus relays those requests to remote repositories, downloading the open source artifacts your teams have come to depend on. While your company builds software and completes CI builds, your Nexus instance is assembling a local cache of every artifact used in your applications. You can scan this local proxy cache for problematic components with a feature we’ve named Repository Health Check.
Sonatype is pleased to announce Nexus 2.0, a major update for Nexus that includes several major features adding a new layer of intelligence about the artifacts stored in your repositories.
Today is a big day in the history of Nexus. It has been six years since Nexus was created, and the product hasn’t only come a long way since then, it has set the standard for repository management. When we started, few people were thinking about running a local repository manager. These days, you’d have to work to find a serious development effort that doesn’t use one. Repository managers are essential.
Today Sonatype is redefining repository management, taking the core ideas of remote proxies and hosted repositories and adding a layer of intelligence. Everyone consumes open source. You couldn’t code anything worth coding without using something like Guice, Spring, or a hundred other essential libraries. Even though OSS is everywhere, very few organizations are paying attention to license and security information about those artifacts. We’re changing that today by making Insight integration a part of Nexus.
Repository Health Awareness
In Nexus 2.0 you have the ability to request a repository health check from the Sonatype Insight service. Our Insight service maintains a database of security vulnerabilities and open source licenses. We scan source distributions to identify inconsistencies between declared licenses and effective licenses, and our security database is constantly scanning for the latest vulnerabilities.
When you submit a repository for a Repository Health Check, the process is non-invasive and non-disruptive. Nexus sends non-identifiable hash codes for artifacts to the Insight service which then returns actionable quality, security, and licensing information about the open source components in your repositories. From the Insight summary report you can see your exposure to both security vulnerabilities and various open sources licenses.
Repositories are scanned for artifacts with known security issues, producing summary reports showing how many Critical, Severe, and Moderate vulnerabilities are present in a given repository. Licensing reports generate an overall summary of your exposure to copyleft licenses like the GPL and liberal licenses such as the Apache license. Nexus Professional customers can drill down into detailed reports identifying the specific components with unacceptable licenses or security vulnerabilities.
These reports can be used to implement policies managing your exposure to security risks and to track the array of open source licenses used by your development teams.
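To make the two mechanisms described above concrete, the hash-only lookup (only a digest of each artifact leaves the host, never the artifact itself) and the POM-based license check from the earlier licensing post, here is an added example in Python. It is not Nexus, Insight, or Sonatype code: the real Insight service, its API, and its hash format are not documented on this page, so the “vulnerability database” is a constructed in-memory dictionary, the sample artifacts are constructed bytes written into a temporary Maven-style repository layout, and the identifier `EXAMPLE-0001` is a placeholder, not a real advisory. The license classifier is a deliberately small keyword table; a real check would also inspect the source distribution, since a POM’s declared license can differ from the effective one.

```python
"""Scan a Maven-style local repository cache: SHA-1 each artifact, look the
digest up in a vulnerability list, and read declared licenses from POMs.
Added example, not Nexus/Sonatype code. The lookup service is simulated by a
constructed dictionary; its real API and hash format are assumptions here."""
import hashlib
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample repository: two "jars" (fake bytes) and their POMs.
# widget declares a copyleft license; gadget declares no license at all.
SAMPLE_ARTIFACTS = {
    "org/example/widget/1.0/widget-1.0.jar": b"PK\x03\x04 widget 1.0 (constructed)",
    "org/example/widget/1.0/widget-1.0.pom": b"""<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>widget</artifactId><version>1.0</version>
  <licenses><license><name>GNU General Public License v3.0</name></license></licenses>
</project>""",
    "org/example/gadget/2.1/gadget-2.1.jar": b"PK\x03\x04 gadget 2.1 (constructed)",
    "org/example/gadget/2.1/gadget-2.1.pom": b"""<?xml version="1.0"?>
<project>
  <groupId>org.example</groupId><artifactId>gadget</artifactId><version>2.1</version>
</project>""",
}


def _sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed stand-in for a vulnerability service keyed by artifact digest.
# EXAMPLE-0001 is a placeholder identifier, not a real advisory.
KNOWN_VULNERABLE = {
    _sha1(SAMPLE_ARTIFACTS["org/example/widget/1.0/widget-1.0.jar"]):
        {"id": "EXAMPLE-0001", "severity": "Critical"},
}

COPYLEFT_MARKERS = ("GPL", "GENERAL PUBLIC LICENSE")
LIBERAL_MARKERS = ("APACHE", "MIT", "BSD", "ISC")


def sha1_of_file(path: Path) -> str:
    """Stream the file through SHA-1. Only this digest would be sent to a
    lookup service, matching the 'hash codes only' design in the text."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}license' -> 'license'."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def declared_licenses(pom_path: Path) -> list:
    """Return <licenses><license><name> values. POMs may or may not declare
    the Maven namespace, so match on local tag names rather than full ones."""
    names = []
    for elem in ET.parse(pom_path).getroot().iter():
        if _local(elem.tag) != "license":
            continue
        for child in elem:
            if _local(child.tag) == "name" and child.text:
                names.append(child.text.strip())
    return names


def classify_license(name: str) -> str:
    """Coarse bucket: copyleft, liberal, or unknown (keyword table only)."""
    upper = name.upper()
    if any(m in upper for m in COPYLEFT_MARKERS):
        return "copyleft"
    if any(m in upper for m in LIBERAL_MARKERS):
        return "liberal"
    return "unknown"


def scan_repository(repo_root: str, vuln_db: dict) -> dict:
    """Walk every .jar under repo_root, hash it, look the digest up, and read
    the sibling .pom for declared licenses. Returns findings plus counts."""
    root = Path(repo_root)
    findings = []
    summary = {"Critical": 0, "Severe": 0, "Moderate": 0,
               "copyleft": 0, "liberal": 0, "unknown": 0, "undeclared": 0}
    for jar in sorted(root.rglob("*.jar")):
        digest = sha1_of_file(jar)
        vuln = vuln_db.get(digest)          # lookup by digest, not by file
        pom = jar.with_suffix(".pom")
        licenses = declared_licenses(pom) if pom.exists() else []
        if vuln:
            summary[vuln["severity"]] += 1
        if licenses:
            for name in licenses:
                summary[classify_license(name)] += 1
        else:
            summary["undeclared"] += 1      # no license in POM: needs review
        findings.append({"path": str(jar.relative_to(root)), "sha1": digest,
                         "vulnerability": vuln, "licenses": licenses})
    return {"findings": findings, "summary": summary}


def build_sample_repo(root: str) -> None:
    """Write the constructed artifacts into a Maven-style directory layout."""
    for rel, data in SAMPLE_ARTIFACTS.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the sample cache in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return scan_repository(tmp, KNOWN_VULNERABLE)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, it prints one Critical finding for the widget jar, one copyleft license, and one artifact with no declared license; pointing `scan_repository` at a real `~/.m2/repository` or Nexus proxy storage directory works unchanged, with `vuln_db` replaced by whatever digest-keyed feed you actually consume.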
Availability Architecture – Smart Proxy
If you require more than one instance of Nexus, Nexus Professional 2.0 has an entirely new availability architecture making it easier to support distributed teams. If you run several instances, the smart proxy capability new in Nexus 2.0 connects two or more instances of Nexus in real-time. This adds an intelligent, distributed mechanism to keep repositories in sync. One instance of Nexus subscribes to messages from another receiving repository change events notifying it of newly published artifacts.
Before Nexus 2.0, distributed architectures had to resort to a workaround that hurt performance: the not-found cache timeouts for snapshot repositories had to be set very low, which reduced the benefit of having local caches. With Nexus 2.0, distributed teams can collaborate closely knowing that a Nexus smart proxy is keeping repositories in sync without sacrificing performance. When two Nexus instances and two repositories are related using Smart Proxy, one repository subscribes to events published by the other, so changes are communicated immediately.
Smart proxy makes Nexus aware of distributed deployment architectures. This makes Nexus 2.0 ready for the largest, most mission critical Nexus installations.
.NET Package Repository
If you develop .NET applications, Nexus Professional 2.0 adds support for NuGet. NuGet is a Visual Studio extension that makes it easy to install and update open source libraries and tools. NuGet Gallery is the equivalent of the Central repository for .NET developers and with Nexus 2.0 you can proxy and cache artifacts from NuGet Gallery on your local Nexus instance.
In addition to proxying NuGet repositories in Nexus you can also publish your own .NET packages to hosted repositories. This new ability to use Nexus as a publishing end point for internal .NET applications means that your development teams can start to share libraries using a corporate NuGet repository.
Nexus 2.0’s .NET support goes beyond proxying and hosting: you can also group NuGet repositories, and you can create virtual NuGet repositories that scan other repositories for NuGet packages and expose them through the NuGet feed.
Nexus 2.0 provides first-class support for .NET artifacts; with this release you get a common place to manage artifacts for both .NET and Java development efforts.
There are other features in the 2.0 release that we’ll be talking about in the coming weeks, but these three major features: Repository Health Check, Smart Proxy, and NuGet support are important upgrades to the Nexus project. To find out more about how you can start your evaluation of Nexus Professional, go to http://sonatype.com/nexus.