Check out this news story that broke earlier in the week: Java flaws are “increasingly targeted by attackers”. This story was filed by IDG News Service from the Black Hat USA 2012 conference, and it points at a trend we’ve also noticed. The world is waking up to the fact that Java is an attractive target. Java applications run the world’s largest organizations (from banks to governments). Where there is Java, there is usually a system worth hacking into. Security professionals are taking note.
During our initial testing of Insight Application Health Check we found that real-world applications at large enterprises contained an average of 32 publicly known security vulnerabilities. Some of these vulnerabilities scored 3s and 4s on the 10-point CVSS scale, but many were 9s and 10s: bugs that are easily exploitable over the network and that can be used to take control of applications and data.
So, think about it. If you develop Java applications, you have been relatively isolated from security concerns for years. Java has never been the top attack vector for attackers, and because of this, developers have never really had to think about scanning their artifacts for security issues. That looks to be changing, and if you want to do something about it, it’s easy: just run a free summary scan of your application with Insight App Health Check.
Here’s the IDG story, enjoy:
IDG News Service – (International) Java flaws increasingly targeted by attackers, researchers say. Java vulnerabilities are increasingly exploited by attackers to infect computers, and the problem could become worse if Oracle does not do more to secure the product and keep its installation base up to date, according to security researchers who will talk about Java-based attacks at the Black Hat USA 2012 security conference. Several years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader. However, many current Web exploit toolkits rely heavily on Java exploits, said a security researcher with HP DVLabs, Hewlett-Packard’s vulnerability research division.
When we launched our Support portal as part of the relaunch of the sonatype.org site, we didn’t make a big deal out of it. We didn’t jump up and down and tell everyone to come and participate. Instead, we sat back and waited for Google to find us, to see whether the resource was going to be useful to users. Well, the results are in: without much promotion, the resource is getting tens of thousands of visits a month and we’re getting good feedback. So…
This month we’ve decided to turn on the support features of Zendesk and start directing our users to our Support Portal. Both customers and non-customers can file support requests and anyone can comment or ask questions. Have at it.
Open source software emerges when people work in unison to create something greater than any one of them could create on their own. While the result may always be a collective work, the contributions and sacrifices that make a project thrive are always individual. These contributions deserve recognition. Sonatype will be paying tribute to the members of the Java open source community, who dedicate themselves to improving these projects. We’ll do so by featuring them in our new Community Spotlight each month. This month’s spotlight is on Manfred Moser of simpligility technologies.
If there is someone you would like to nominate for the community spotlight, please don’t hesitate to contact us at email@example.com. Thank you!
Sonatype makes it easy to add your projects to the Central Repository with a free, public hosting service called OSSRH. We first blogged about this back in 2009, but given the growth in the community, we thought some of you may not have seen that post, so we decided to update it.
Sonatype is excited to announce that we’ve teamed up with Oracle to bring Java.net open-source projects to the Central Repository, the industry-leading source for open source Java components used by over 40,000 development organizations daily.
Java.net projects such as GlassFish are now included in the Central Repository, making it easier than ever to locate and download Java.net components without the workarounds or advanced configuration previously required. You’ll be able to use Java.net project assets to deliver applications faster, at higher quality, and with less risk.
The Sonatype team worked closely with Oracle during the past year to evaluate the existing Java.net legacy repositories, clean up metadata and unite disparate content into a single site. Java.net project owners can now easily automate and control synchronization of their project artifacts to the Central Repository through a hosted version of Sonatype Pro™ for Nexus donated by Sonatype to the project.
Read more about this exciting move in our press release and in this article in Dr. Dobb’s.