You Are What You Eat.
When it comes to food, we all know what’s considered “good” and what’s “bad”.
Brian Fox, on March 10, 2017
This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that proof-of-concept (PoC) exploit code appears to have been released into the wild either just before, or immediately after, the disclosure. As was the case with previous Struts vulnerabilities, exploitation is being observed at large scale in the wild.
Whenever a critical vulnerability emerges, attackers have the first-mover advantage: exploitation begins before most defenders have even worked out whether they are exposed. That makes speed of response the only thing that matters.
In today's world, different companies use different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations with DevOps-native intelligence, meaning an always-current inventory of which components are in which applications, can respond in hours or days. Traditional organizations relying on waterfall-era processes, where that inventory is assembled by hand after the fact, struggle to respond in weeks or months.
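The first step of that fast response is answering "do we ship this component, and at which version?" The following Python script is an added example, not code from the post or from Sonatype: it reads a Maven pom.xml, expands `${property}` version references, and flags Struts 2 artifacts whose version is below a fixed-version boundary. The sample pom.xml is constructed for illustration, and the `FIXED` boundaries are placeholders that you would fill from the vendor advisory for the vulnerability in question.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the post): one Struts 2 artifact pinned
# through a property, one already at a fixed version, one unrelated library.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.31</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# ASSUMPTION: first fixed version per release line. These are illustrative
# placeholders; take the real boundaries from the advisory you are responding to.
FIXED = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}


def parse_version(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1). Non-numeric parts sort lowest so
    a qualifier such as '-SNAPSHOT' never ranks above a numeric release."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v.strip()))


def resolve(value, props):
    """Expand ${property} references using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def is_vulnerable(version):
    """True when the version is below the fixed release of its line (2.3.x / 2.5.x).
    A release line not in FIXED is flagged conservatively so a human reviews it."""
    v = parse_version(version)
    line = ".".join(str(x) for x in v[:2])
    fixed = FIXED.get(line)
    return True if fixed is None else v < fixed


def struts_findings(pom_xml):
    """Return (artifactId, resolved version, vulnerable?) for each declared
    org.apache.struts:struts2-* dependency in the POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if gid == "org.apache.struts" and aid.startswith("struts2"):
            findings.append((aid, ver, is_vulnerable(ver)))
    return findings


if __name__ == "__main__":
    for aid, ver, vuln in struts_findings(SAMPLE_POM):
        print(f"{aid} {ver}: {'VULNERABLE' if vuln else 'ok'}")
```

Two caveats a responder should keep in mind. This only sees dependencies declared directly in the POM; Struts pulled in transitively by another library is invisible here, so for a real inventory run the check against the resolved tree (for example the output of `mvn dependency:tree`) or against the artifacts that actually ship in the WAR. And a version comparison tells you what you have, not whether the vulnerable code path is reachable; it is the starting point for triage, not the end of it.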
It's now been 3 days since the Struts 2 fix and disclosure. Here's the official description available from the MITRE database as of Friday, March 10th:
“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.
Summary: Sonatype now offers a new way to instantly give your teams access to vulnerability, license, and quality data for the components they are consuming.
From artisan to automation. High performing organizations are using DevOps principles to boost productivity, streamline software supply chains, and improve quality. These organizations are swiftly moving away from their artisanal approaches of crafting software to the high-velocity, automated practices where applications are more manufactured than developed.
Free Birds, Free Coffee, and Free Willy. Software development is hard enough, so we're making it easier. You see, a few years ago Sonatype made a promise that Nexus Repository should provide universal component support for free. This month, we are continuing to live up to that promise by expanding component support in Nexus Repository OSS to include PyPI and RubyGems packages. Nexus Repository now offers free support for seven component types. For those who thought we only supported Java components, you must be thinking of the other guys.
U.S. Government pays closer attention to software components
Multiple agencies across the U.S. government are paying closer attention to the software they are buying. More specifically, they want to know what open source and third party components were used to build the software applications. The report notes: