Today the use of 3^rd party frameworks and libraries in application development is an everyday practice, but unfortunately proper security policies aren’t. So how do you know what security risks really exist? As OWASP points out, this isn’t an easy question to answer “most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.”

So how do you manage this problem effectively? Well our CEO says, securing the software lifecycle requires both humans and machines. Humans define the security and license policies, machines automate these policies and humans manage the expectations. With these policies and enforcement in place (right in the developer environment) the possible vulnerabilities are detected earlier in the software development lifecycle and developers have the option to remediate these risks and use other components that meet their organization’s security policies.

A perfect use case for remediating possible security threats during the development lifecycle happens after the build promotion and staging. You can define policies based on security, licensing  and quality standards. If the build doesn’t meet the set policies, the build can be stopped and the developer can be notified before the release workflow is allowed to continue. You can see this example in action in an upcoming webinar, ‘Nexus Pro: Fully Automate Your Build Promotion’ as a way to start thinking about the value of managing components against your open source security policies.

For those concerned about the recent OWASP A9 announcement (which should be all of you), watching this webinar is a great entry point into defining a larger vision for lifecycle component management. Don’t wait to your CISO comes to you with a question about where and how you’re using 3^rd party components with known vulnerabilities, start incorporating policy enforcement during the development lifecycle now.

Wondering what’s new in Nexus? Just ask the experts.

We’re hosting another Nexus Office Hours this Friday, on Google+ Hangout On Air. Our Nexus experts Brian Fox, Manfred Moser and Rich Seddon will demo the latest in Nexus and dedicate most of the hour to Q&A time with you!

How to join: No registration required, just RSVP on Google+, and the event will appear in your calendar. You can join through your calendar invite or by returning to the event page at the start of the hangout. Be sure to bring your Nexus questions with you. If you can’t make it — be sure to leave your questions on the event page in the comments section and we’ll be sure to answer them during the session. That way you can tune into the recording later, and get your answers!

*Interested in joining our panel that day in the video conference? Sign up for one of the spots on our panel, by leaving us a comment on the event page and we’ll invite you in before we go live. Space is limited, so be sure to sign up early!

Please feel free to pass along this invite to your friends and colleagues.

RSVP

Please feel free to share this with your colleagues who are interested in learning how to get the most out of Nexus.

Have a great weekend everyone!

Watch the replay.

If you missed the live broadcast, the recording is now available here.

Interested in checking out our next session? Moving forward, Nexus Office Hours will be held the last Friday of every month. Join us and be sure to bring any general repository management or specific Nexus questions you may have, since we’ll be dedicating most of the hour to your live Q&A.

Join us for our April Nexus Office Hours on Friday, April 26 from 1PM-2PM EDT (GMT-0400). RSVP here.

We want to give you a sneak preview. On Thursday, April 18, 2013 from 11:00AM-11:30AM EDT (GMT-0400), Brian Fox will demo Sonatype CLM, and show you how it will help you develop faster, and still meet your company’s requirements for security and licensing. Plus, we’ll provide some tips on how you can take advantage of Nexus-only features like procurement and staging.

If you register, you’ll also receive access to the recording after the event. So if something comes up and you can’t make it, you won’t miss out.

Reserve Your Seat

We’re pleased to announce that Sonatype will be hosting Nexus Office Hours each month starting in March! Our Nexus experts Brian Fox, Manfred Moser and Rich Seddon will demo the latest Nexus tips & tricks and will take real-time questions from you!

When: Friday, March 22, 2013 – 1:00-2:00PM EDT (GMT-0400)

Where: In a Google+ Hangout On Air! Once we begin, our hangout will broadcast live to the Nexus Office Hours event page on Google+, as well as our Sonatype YouTube channel.

How: Be sure to RSVP ‘Yes’ on the Nexus Office Hours event page, and this event will be automatically saved to your Gmail calendar and you will receive a reminder just before we start the hangout. Not on Google+? No worries, you can still view the broadcast on the event page or the Sonatype YouTube channel when the hangout begins.

We will be taking real-time questions submitted on the Nexus Office Hours event page, Twitter (please use hashtag #nexusofficehours) and on our YouTube page in the comments section of the broadcast.

**If you’d like to join our panel that day in the hangout, please leave us a comment on this page and the first 6 people will be invited in as the session starts. This event will be recorded and saved to Google+ as well as our YouTube channel.

RSVP Now

We’re using SSL because it is the standard mechanism for protecting web traffic – across the spectrum of Ecommerce, banking, health care, and so on. Providing SSL support for Central means that your components are no longer susceptible to man-in-the-middle attacks that could compromise the component. SSL also eliminates the potential for a hacker to gain visibility into your organization by tracking the components that you download for your development initiatives.

Given the tremendous growth of Central, and to better protect applications that are now largely built from OSS components, we’re making SSL connectivity to Central available to anyone regardless of their repository manager. SSL is now the default connectivity option for Nexus Pro users. SSL is available for other repository managers, such as Nexus OSS & Artifactory or Archiva, for a $10 donation that will be used to support open source foundations such as Apache and Eclipse.

After you register and make the $10 donation, a token will be provided that your organization can use to secure access to Central.

If you are an Artifactory, Archiva or Nexus OSS user, you can get SSL access here.

Archiva 1.4+ is required.

Artifactory 2.6.5 is required.

If you are an existing Nexus Pro customer, you can download the latest release from the support page.

We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager. Given the tremendous growth of Central, and the fact that modern applications are largely built from OSS components, this capability is likely to be leveraged by many organizations. SSL has become the standard mechanism for protecting web traffic – across the spectrum of Ecommerce, banking, health care, and so on. Providing SSL support for Central means that your components are no longer susceptible to man-in-the-middle attacks that could compromise the component. SSL also eliminates the potential for a hacker to gain visibility into your organization by tracking the components that you download for your development initiatives.

As of Nexus Pro 2.2 (available now), SSL is now the default connectivity option for Nexus Pro users. Because we take security of the ecosystem seriously, we aren’t stopping there, we’re making SSL connectivity to Central available to you even if you aren’t using Nexus Pro.

In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes. For the first 60 days all donations will go to the Apache Software Foundation. After that, the donations will go to other open source foundations such as Eclipse. Sonatype will provide a donation on behalf of Nexus Pro customers since we’ve included SSL access to all Pro customers automatically.

If you happen to be using Nexus OSS (any version), support for the SSL token is included already. I’ve already reached out to the Artifactory and Archiva teams and they are working on the changes necessary to enable SSL to Central – we’ll let you know when that support is enabled. If you’re not using a repository manager at all, what are you waiting for?

If you are an existing Nexus Pro customer, you can download the latest release from the support page.

If you would like to make a donation to the open source community and get SSL access, you may do so here.

Some of you might be interested in using our Yum support to facilitate application deployment to staging and production networks. A lot of companies that deploy Java and other technologies end up packaging applications as RPMs and deploying them through Yum on Redhat or Centos because it provides a really easy way to manage, deploy, and rollback software packages in production. It is much easier to tell Operations to deploy RPMs than it is to draw up a series of instructions for installing Jetty or Tomcat from a tarball. To support these use cases, we’re going to invest some of our time developing more documentation and training to support developers that need to adapt applications to deployments that depend on this Yum integration.

While Nexus is primarily used to support application development, this Yum support can be used on its own as a way to cache and simplify Yum repository configuration and package data. We’ll also be building out more examples of how Nexus can be integrated with infrastructure management tools such as chef and puppet.

Features of the Nexus Yum Support

As we integrate this feature into Nexus proper, here is the current list of features. We expect this support to evolve over time, but here’s what the plugin provides now.

• Expose an existing Maven repository as an RPM repository – Use a Maven repository, hosted in Nexus, containing RPMs as if it is a Yum repository. This leverages the virtual repository mechanism in Nexus which allows you to use Maven tooling to deploy RPMs into a Maven repository but still allow Yum clients to interact with the repository using the protocol it understands.
• Automated Refresh of Repository Data – Yum repositories are automatically updated if you upload/deploy/delete a new RPM into Nexus. In a traditional RPM repository you have to run createrepo to refresh repository metadata. With Nexus this is all taken care of automatically.
• Full group support so that you can logically group a set of Yum repositories behind a single URL. If your infrastructure relies on a number of remote RPM repositories you can consolidate OS configuration to point to a single Yum repository that can aggregate multiple repositories into one.
• Versioned views on repositories: http://your.nexus/nexus/service/local/yum/repos/releases/1.2.3/ gives you a Yum repository with all packages in version 1.2.3 in repository releases. This particular feature is a game-changer for companies that release software using RPM as a delivery mechanism.
• Alias Definitions for Specific Versions eg. production=1.2 and testing=2.0 and access them via the alias: http://your.nexus/nexus/service/local/yum/repos/releases/testing/ and http://your.nexus/nexus/service/local/yum/repos/releases/production/ to get constant repository URLs for your servers. A new release is then applied to the server by setting the alias to a new version.
• createrepo Nexus Tasks Types – Create Yum createrepo tasks manually via web interface. Multiple createrepo tasks on the same repository are merged.
• Full Integration with Nexus Staging – Use Yum group repositories as target of staging repositories (Nexus Pro). Stage RPM artifacts to development environments configured to pull artifact from Nexus repository groups./li>

You can find the source for the Nexus Yum Plugin in our Github Repository. We would love your feedback as we still have time to make changes and improvements before the Nexus Yum Plugin is integrated into Nexus OSS proper.