Did you know that open source software security reviews once took an average of 25 days just to sort and map the dependencies?
Now that we’re living in the future? Try five minutes. BOOM!
Yes, it’s true, say Sonatypers Jerry Gergel and Melanie Latin. Their Nexus User Conference presentation -- geared specifically for developers -- looks at how Nexus Lifecycle functions like a high-grade, magnifying-glass-meets-sunlight weapon to find and burn up bugs.*
85% Sure Your App Is Vulnerable
Some context is necessary. According to last year’s State of the Software Supply Chain Report (a new one is dropping very soon), the average application is 85% open source software. The average app has 106 open source components, 23 known vulnerabilities, and approximately 8 policies, legal or technical, to manage.
How do you, the developer, know if these parts are still good? What policies to enforce? What might break the build if you alter or remove components? Or -- what if you didn’t even build the software to begin with, but now you’re in charge of it?
The fastest solution is to use Nexus Lifecycle, which is powered by Sonatype’s IQ Server, and scan the application. In five minutes you’ll identify the components, know how to reduce risk, and begin to set the parameters that define a “bad” component in your project.
Best Practices for Busting Vulnerabilities
Once you’ve identified violations, Jerry and Melanie offer these best practices:
- Add a scan step to your CI build job. They (ahem) recommend you use Nexus Lifecycle because you’ll get an inventory of embedded components and a software bill of materials (SBOM) with associated reports.
- Start with the highest threats. The vulnerabilities that rank highest are in components that are actively being exploited, offer the largest attack surface, or are known, disclosed vulnerabilities; start there and work your way down the list, jumping ahead only when something lower down is urgent. Remember: you can review the application report in the IDE while working with a specific component, so all the data is within easy reach.
- Remediate direct dependencies. Focus on upgrading components, or mitigate vulnerabilities by modifying the affected component(s). Iterate through the threats, and reach out to the Sonatype community if you get stuck; we offer a lot of integrations.
- Find a component with no violations and use that. It depends on your project, but in general: refactor, retest, and move on. Swap out frameworks if possible. This lowers your technical debt and reduces your attack surface at the same time.
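As an added illustration of the triage order the list above describes (this is example code, not code from the presentation, from Nexus Lifecycle, or from its report format), the Python below takes a constructed component inventory and orders the violations the way the talk recommends: actively exploited components first, then by highest severity, with direct dependencies ahead of transitive ones, and it maps each one to an action (upgrade, fix the direct dependency that pulls in a transitive one, or swap the component out). The data model, field names, component names, vulnerability IDs and scores are all constructed assumptions for the example.

```python
"""Order scan violations for remediation.

Added example. The inventory format below is a constructed, simplified
stand-in for the component list a scan produces; its field names are
assumptions and do not reflect the Nexus Lifecycle report schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Vulnerability:
    id: str                       # constructed identifier, not a real CVE
    cvss: float                   # severity score, 0.0 - 10.0
    actively_exploited: bool = False


@dataclass
class Component:
    name: str
    version: str
    direct: bool                  # declared in the project's own manifest?
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    fixed_version: Optional[str] = None   # first clean release, if one is known
    via: Optional[str] = None             # direct dependency that pulls this one in


def triage(components: List[Component]) -> List[Component]:
    """Return only components with violations, in remediation order.

    Sort key: exploited before not exploited, then highest CVSS first,
    then direct before transitive, then by name so the order is stable.
    """
    flagged = [c for c in components if c.vulnerabilities]

    def key(c: Component):
        exploited = any(v.actively_exploited for v in c.vulnerabilities)
        worst = max(v.cvss for v in c.vulnerabilities)
        return (not exploited, -worst, not c.direct, c.name)

    return sorted(flagged, key=key)


def remediation_plan(components: List[Component]) -> List[Tuple[str, str, str]]:
    """Attach the recommended action to each prioritised component."""
    plan = []
    for c in triage(components):
        if c.fixed_version:
            action = f"upgrade to {c.fixed_version}"
        elif not c.direct and c.via:
            # Transitive: you do not declare it, so fix it through the
            # direct dependency that brings it in (or pin/override it).
            action = (f"transitive via {c.via}: upgrade {c.via} to a release "
                      f"that pulls in a fixed {c.name}, or pin/override the version")
        else:
            # No clean release known: replace the component rather than wait.
            action = ("no clean version known: swap for a component with "
                      "no violations, or mitigate in place")
        plan.append((c.name, c.version, action))
    return plan


# Constructed sample inventory (names, IDs and scores are made up).
SAMPLE = [
    Component("web-framework", "1.2.0", direct=True,
              vulnerabilities=[Vulnerability("EXAMPLE-0001", 7.5)],
              fixed_version="1.2.4"),
    Component("xml-parser", "3.0.1", direct=False, via="web-framework",
              vulnerabilities=[Vulnerability("EXAMPLE-0002", 9.8,
                                             actively_exploited=True)]),
    Component("logging-lib", "0.9.0", direct=True,
              vulnerabilities=[Vulnerability("EXAMPLE-0003", 5.3)]),
    Component("json-utils", "2.1.0", direct=True),   # clean, stays off the list
]


if __name__ == "__main__":
    for name, version, action in remediation_plan(SAMPLE):
        print(f"{name} {version}: {action}")
```

The one clean component never appears in the plan, the exploited transitive dependency jumps ahead of a direct one with a lower score, and a direct dependency with no fixed release is flagged for replacement rather than left waiting on an upgrade.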
For more details watch Jerry and Melanie’s presentation, below, starting at 01:59. Or scan your app to check for vulnerabilities, for free, with the Nexus Vulnerability Scanner here.
*No actual bugs were harmed with this analogy. Many real-life bugs are apex predators fighting for good. Looking at you, ladybugs.