The CI ecosystem is large and complex, especially at a company like Discover. What follows is one employee’s personal insight into how to manage risk at a company where the stakes are high.
Some Background on Discover’s Code and Platform
The CI platform at Discover today is as follows:
- They use GitHub, having many repositories in a variety of languages.
- They use all products from Sonatype.
There are a lot of challenges when it comes to consuming open-source software today, especially around security. The manual vetting approach is error-prone and time consuming, and it cannot scale to the volume of components that teams pull in.
It's also worth noting that once a component is inside the enterprise, it is rarely reviewed again for vulnerabilities. Since the likelihood that a component carries a known vulnerability grows with its age, this is a problem.
Within much of Discover, open-source is heavily used. This squares with the general rule that 80% to 90% of a modern application consists of assembled components.
Modern software requires a modern approach. The feedback has to be quick and precise, and it has to be continuous rather than a one-time gate. Context matters too: which licenses are acceptable depends on the type of application, as does the environment the application is meant to run in.
Is OSS Risky?
Let’s talk about the flatmap-stream incident.
A malicious developer took over maintenance of the popular event-stream npm package, added a new dependency, flatmap-stream, and then published a poisoned release of that dependency. Anyone installing event-stream pulled in the infected package transitively. The payload was aimed at a bitcoin wallet.
Here's the lesson from the flatmap-stream incident: attackers will keep turning vulnerabilities into malicious code, or injecting malicious code directly into the software we depend on.
The Solution: Nexus
Nexus IQ is the policy engine at the centre of the solution. It applies security and license policies to OSS components. Those policies are defined by the security and legal departments in your organization, and components that violate them are not allowed.
Nexus Firewall is another key component of the strategy at Discover. This tool blocks and quarantines any new components that violate the "banned" security and licensing policies, and it works with the npm, Java (Maven), and PyPI formats.
Nexus Lifecycle helps close the loop, as well. As the perfect complement to Nexus Firewall, which won’t let threats in, Lifecycle won’t let threats out!
It applies policies against your application components and reports the OSS component violations.
Nexus Lifecycle offers reports that give you updated but also actionable information. Here’s what that looked like for our speaker.
With this kind of information, Discover is able to quickly make a decision as to their next step. Future versions of the product will have automation on this step, making it even easier.
Discover also uses Nexus' easy onboarding for new applications, based on standard industry formats. Another important feature of Lifecycle is "triage": app teams can request a waiver to use a banned component. Sometimes that is the only option, when every alternative has failed. Waivers have an expiration date, so you don't run the risk of using that banned component indefinitely.
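To make the policy mechanics concrete, here is an added illustration of what a firewall-style check on new components and a lifecycle-style check with expiring waivers amount to. It is not Nexus code and not Discover's actual policy; the allow-lists and dates are made up, and the two package-lock.json fragments are constructed for the example. The package names and versions are real npm releases (event-stream 3.3.6 is the release that introduced flatmap-stream 0.1.1, the malicious version from the incident above).

```python
import json
from dataclasses import dataclass
from datetime import date

# --- Constructed sample input (not a real application's lockfile) -----------
# Two trimmed package-lock.json "packages" maps: the state before and after a
# dependency update. The package names and versions are real npm releases;
# event-stream 3.3.6 is the release that pulled in flatmap-stream 0.1.1.
def _lock(packages):
    return json.dumps({"name": "demo-app", "lockfileVersion": 2,
                       "packages": {"": {"name": "demo-app", "version": "1.0.0"},
                                    **packages}})

OLD_LOCKFILE = _lock({
    "node_modules/event-stream": {"version": "3.3.5", "license": "MIT"},
    "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
    "node_modules/lodash": {"version": "4.17.21", "license": "MIT"},
})
NEW_LOCKFILE = _lock({
    "node_modules/event-stream": {"version": "3.3.6", "license": "MIT"},
    "node_modules/flatmap-stream": {"version": "0.1.1", "license": "MIT"},
    "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
    "node_modules/lodash": {"version": "4.17.21", "license": "MIT"},
})

# --- Policy (illustrative values, not Discover's or Sonatype's policy) --------
# Releases that are never allowed regardless of license.
BANNED_COMPONENTS = {("flatmap-stream", "0.1.1")}

# License allow-lists keyed by application type: what is fine for an internal
# tool is not necessarily fine for software that ships to customers.
ALLOWED_LICENSES = {
    "internal":    {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC", "WTFPL"},
    "distributed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
}


@dataclass(frozen=True)
class Violation:
    component: str
    version: str
    rule: str
    detail: str


def parse_lockfile(text):
    """Return {(name, version): license} for every installed package."""
    components = {}
    for path, meta in json.loads(text)["packages"].items():
        if path == "":                       # the root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested installs
        components[(name, meta["version"])] = meta.get("license", "UNKNOWN")
    return components


def new_components(old_text, new_text):
    """Components present in the new lockfile but not the old one.

    This is the set a firewall-style check has to look at: a routine update
    (event-stream 3.3.5 -> 3.3.6) silently brings in a brand-new transitive
    dependency, which is exactly how flatmap-stream arrived.
    """
    old, new = parse_lockfile(old_text), parse_lockfile(new_text)
    return {k: v for k, v in new.items() if k not in old}


def evaluate(components, app_type, waivers, today):
    """Apply the policy; return violations not covered by an unexpired waiver.

    waivers maps (name, version) -> expiry date. An expired waiver suppresses
    nothing, so a banned component cannot stay in use indefinitely.
    """
    allowed = ALLOWED_LICENSES[app_type]
    violations = []
    for (name, version), license_id in components.items():
        expiry = waivers.get((name, version))
        if expiry is not None and expiry >= today:
            continue                          # active waiver for this release
        if (name, version) in BANNED_COMPONENTS:
            violations.append(Violation(name, version, "banned-component",
                                        "release is on the banned list"))
        if license_id not in allowed:
            violations.append(Violation(name, version, "license",
                                        f"{license_id} not allowed for {app_type} apps"))
    return violations


if __name__ == "__main__":
    # Firewall step: only the components this update introduces.
    incoming = new_components(OLD_LOCKFILE, NEW_LOCKFILE)
    for v in evaluate(incoming, "distributed", {}, date(2018, 11, 26)):
        print(f"BLOCK {v.component}@{v.version}: {v.rule} ({v.detail})")
    # Lifecycle step: everything in the application, with an expiring waiver.
    waivers = {("left-pad", "1.3.0"): date(2018, 12, 31)}
    for v in evaluate(parse_lockfile(NEW_LOCKFILE), "distributed", waivers,
                      date(2019, 1, 15)):
        print(f"VIOLATION {v.component}@{v.version}: {v.rule} ({v.detail})")
```

The two calls at the bottom correspond to the two halves of the strategy: the firewall check runs only over what an update newly introduces (and catches flatmap-stream 0.1.1 even though the developer only bumped event-stream), while the lifecycle check runs over the whole application and reports the WTFPL license again once the waiver for left-pad has expired.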
Finally, a word on Nexus IQ itself. Discover pulls data out of Nexus IQ and builds its own reports, which lets them see at a glance the OSS licenses in use across all of their applications.
How Has This Improved Things?
By employing Nexus solutions, Discover has made a lot of improvements. Manual vetting was replaced by automated vetting, so tasks that took up to three weeks now take only minutes. The teams at Discover now have continuous and on-demand reviews, as well as automatic recommendations to update.
Applications don't age like wine, they age like milk. Now, Discover enjoys reduced age-related risk, a large improvement over the days when the risk was unmeasured because they had no inventory or dependency data.
So what's the main takeaway from Discover's lessons about secure components and lowered risk? It's how important it is for software teams to keep their tools up to date and to manage their dependencies.