

OSS Endgame: Nexus Firewall as Your Shield Against Open Source Invasions

June 12, 2019 By Erik Dietrich

To truly understand where a firewall fits in, we need to understand a bit about the Infinity Gauntlet from Marvel’s The Avengers. The Infinity Gauntlet has individual gemstones that each bring their individual powers to bear for the whole.

Keep this in mind as we dive into a discussion about Nexus Firewall.

Put simply, Nexus Firewall enables the heroes. Let's look at the stones and their corresponding firewall abilities.

  • Space: it protects more than just Nexus Repository.
  • Reality: it helps you understand the reality of repository health.
  • Power: it quarantines components that violate your policies.
  • Mind: it acts on the basis of world-class data.
  • Time: it helps establish policies to tackle current threats.

Marvel fans will notice there’s one stone missing, but we'll get to that in a bit.

Nexus Firewall in Detail

First, it's important to know you can use Nexus Firewall with more than just Nexus Repository; you can also use it with JFrog's Artifactory.

Once you've enabled Firewall, you get to the "reality" portion, wherein you start in an audit mode, looking at any vulnerabilities. It reports which components are in the repository you're using and what their status is.

But, what if you don't want to just audit? What if you want to quarantine? You can do that as well. Right within Eclipse, you can build using the firewall. And the build will fail, noting that it’s forbidden to use a dependency that fails to pass a security policy.

This shifts security as far to the left as possible and communicates the issue to the developer. The developer can then look in Artifactory to better understand what's happening.

All of this happens on the basis of world-class underlying data. Sonatype has an index of 1.4 million unique vulnerabilities. And, on top of that, Sonatype's data team automates the transformation of the basic CVE record into a much richer set of data, including which code paths are vulnerable and which aren't. This provides much more granularity when creating policies and allowing any exceptions.

You can see some of this additional data and intelligence below.

[Screenshot from the presentation: an example of the enriched vulnerability data]

Now, let's talk about how we can use this data to make policies. Sometimes, things are straightforward. Detect a vulnerability, block it, and prevent it from being used.

But, sometimes you need to take a more sophisticated approach. You'll want to address as much as possible through automation rather than manually blacklisting and whitelisting things. For instance, you can identify banned licenses and block those at the firewall level. You can also make policy on the basis of architectural concerns or unpopular components.

Beyond even that, you can create policies with more sophisticated concerns in mind. For instance, you can block components that are simply too new. This is particularly useful in the JavaScript world, where the default might be to grab the newest bits no matter what. But since grabbing brand-new releases immediately has led to vulnerabilities in the past, you can mandate that developers wait three weeks before getting these updates.

All of these policies feed into the audit report. Within Nexus, it's easy to view the audit reports, see what's quarantined, and make decisions about waivers. This makes sure that everyone can always see what's being blocked, why, and any additional details.
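To make the policy ideas above concrete, here is a small, self-contained policy evaluator written for this post as an added illustration. It is not Nexus Firewall's code and does not use Sonatype's data; the component names, vulnerability identifiers (`EXAMPLE-...`), CVSS scores, dates and the `reachable` flag are all constructed sample values. It applies the three kinds of rule the post describes (block a reachable vulnerability above a severity threshold, block a banned license, block a component that is too new) and records a waiver when one has been granted, producing the sort of per-component entry an audit report would show.

```python
"""Toy repository-firewall policy evaluator (illustrative, not Sonatype's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # identifier from the data feed (constructed placeholder here)
    cvss: float         # CVSS base score, 0.0-10.0
    reachable: bool     # True if the application calls into the vulnerable code path


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    published: date                       # date this version reached the public registry
    vulns: Tuple[Vulnerability, ...] = ()


@dataclass(frozen=True)
class Policy:
    banned_licenses: FrozenSet[str]
    block_cvss_at_or_above: float
    min_age: timedelta                    # "too new" threshold
    waivers: FrozenSet[Tuple[str, str]]   # (name, version) pairs a reviewer approved


def evaluate(component: Component, policy: Policy, today: date) -> Dict:
    """Return one audit-report entry: component, action taken, and the reasons."""
    reasons: List[str] = []

    # Rule 1: a known vulnerability at or above the severity threshold, but only
    # when the vulnerable code path is actually reachable from the application.
    for v in component.vulns:
        if v.cvss >= policy.block_cvss_at_or_above and v.reachable:
            reasons.append(f"{v.vuln_id} (CVSS {v.cvss}) on a reachable code path")

    # Rule 2: a license the organisation has banned.
    if component.license in policy.banned_licenses:
        reasons.append(f"banned license {component.license}")

    # Rule 3: the component was published too recently to trust.
    age = today - component.published
    if age < policy.min_age:
        reasons.append(f"published {age.days} days ago, minimum is {policy.min_age.days}")

    # A waiver records the exception in the report instead of hiding the finding.
    if reasons and (component.name, component.version) in policy.waivers:
        action = "allow-waived"
    elif reasons:
        action = "quarantine"
    else:
        action = "allow"
    return {"component": f"{component.name}@{component.version}",
            "action": action, "reasons": reasons}


def audit_report(components: List[Component], policy: Policy, today: date) -> List[Dict]:
    return [evaluate(c, policy, today) for c in components]


# Constructed sample data: none of these are real components or advisories.
SAMPLE_POLICY = Policy(
    banned_licenses=frozenset({"AGPL-3.0"}),
    block_cvss_at_or_above=7.0,
    min_age=timedelta(weeks=3),
    waivers=frozenset({("legacy-parser", "1.2.0")}),
)

TODAY = date(2019, 6, 12)

SAMPLE_COMPONENTS = [
    Component("fancy-formatter", "9.0.0", "MIT", date(2019, 6, 5)),           # 7 days old: too new
    Component("legacy-parser", "1.2.0", "MIT", date(2018, 1, 1),
              vulns=(Vulnerability("EXAMPLE-2018-0001", 9.8, True),)),       # critical, but waived
    Component("http-client", "4.5.0", "Apache-2.0", date(2018, 6, 1),
              vulns=(Vulnerability("EXAMPLE-2018-0002", 7.5, False),)),      # vulnerable path unused
    Component("db-driver", "2.0.0", "AGPL-3.0", date(2018, 3, 1)),            # banned license
]

if __name__ == "__main__":
    for entry in audit_report(SAMPLE_COMPONENTS, SAMPLE_POLICY, TODAY):
        print(entry["component"], entry["action"], "; ".join(entry["reasons"]))
```

The reachability check on rule 1 is what the richer path-level data buys you: a component with a high-scoring CVE whose vulnerable method your application never calls can be allowed with a recorded reason, rather than forcing a manual exception. A waiver still surfaces the finding in the report, so the "what is blocked and why" visibility the post describes is kept.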

The Value to Your Organization

This approach saves lots of time and money. It's expensive and generally awful when you're dealing with these types of policies reactively, once things are in production. This shifts security as far to the left as possible by blocking violations right at build time—it's almost like unit tests for security.

This is good policy for any organization and with any technology that you use. But by leveraging Nexus Firewall in particular, you're taking that good policy and reinforcing it with comprehensive data, actionable intelligence, and easy-to-understand reporting.

The stone we didn't talk about before is the Soul Stone. The Soul Stone is the community, which is at the heart of everything Sonatype does. So, reach out to them anytime, or head over to the Sonatype Community site, if you'd like to discuss or get more information.

You can watch Mike's full presentation from the Nexus User Conference below, for all the details on how to make Nexus Firewall your hero.

Tags: Nexus Firewall, devsecops, Nexus User Conference, featured, Product

Written by Erik Dietrich

Erik Dietrich is a veteran of the software world and has occupied just about every position in it: developer, architect, manager, CIO, and, eventually, independent management and strategy consultant. This breadth of experience has allowed him to speak to all industry personas and to write several books and countless blog posts on dozens of sites.