Scale developer security with expanded Sonatype Platform features

February 17, 2022 By Chris Good


We are in the midst of a wave of low-cost, high-damage techniques by hackers in the wild. Bad actors are finding easy, inventive, and well-disguised ways around common security measures by targeting the open source building blocks of software. These include typosquatting, dependency confusion, and malware injection; Sonatype's automated malware detection has caught upwards of 63,000 such packages to date.

Some attacks are even tailor-made for their targets' development tools.

Engineering teams need to get ahead of bad actors, so we've introduced new features and enhanced the identification of malicious code early in the software development life cycle. Teams need to address security concerns and legal liability without slowing down - we're giving them the tools to do just that.

New capabilities in the Sonatype Platform

With our latest Sonatype Platform update, we're:

  • Extending Sonatype Repository Firewall's automated malware and early warning detection to the Python ecosystem.
  • Improving detection and blocking of hidden text encoding attacks and other malicious components.
  • Helping you focus on the safest component possible with an industry-first feature that identifies potentially malicious components, guiding you to the most up-to-date package that isn't suspicious.
  • Protecting your JFrog Artifactory from known and unknown open source risk with Sonatype Repository Firewall’s expanded support. This includes not just Artifactory Pro but also now Artifactory Enterprise.
  • Enabling broad sharing of vulnerability reports, with detailed component pages including insights about package usage and severity, available to your extended team without a Sonatype login.

Suspicious package blocking for PyPI

Over the last few years, we have seen exponential growth in the number of dependency confusion and typosquatting attacks, as documented within our vulnerability timeline. It's clear from history that developers will remain the primary target for bad actors in 2022.

To address this, Sonatype is extending our Suspicious Package Blocking feature to include Python.

Powered by Sonatype Intelligence data, the Suspicious Package Blocking feature combines over 50 different signals used to identify potentially malicious activity and block risks before download. These signals feed into a first-of-its-kind Artificial Intelligence / Machine Learning (AI/ML)-powered defense, working together for full-spectrum protection.

Protection against trojan source unicode attacks

In November 2021, researchers at the University of Cambridge found yet another way to sneak arbitrary code into open source software, called "Trojan Source." The technique exploits how Unicode bidirectional control characters are handled: editors display the reordered text, while compilers and interpreters parse the characters in their underlying logical order, so the code a developer sees differs from the code that runs.

This gap lets bad actors include logic that is invisible to the human eye but is still executed by the software. Because harmful code can hide in plain sight, it is a significant threat to development environments.
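As an added illustration (this is not Sonatype's code or its detection logic), the following Python script shows the simplest form of the check that matters here: finding the Unicode bidirectional control characters that make rendered source differ from what a compiler parses. The sample source text is constructed for the example; the severity labels and the extension to other invisible format characters (Unicode category Cf, such as zero-width spaces) are this example's own choices.

```python
"""Scan source text for Unicode bidirectional control characters ("Trojan Source").

Added example, not Sonatype code: a minimal check a reviewer or CI job could run
over files before they are merged.
"""
import unicodedata

# Bidi override, embedding and isolate code points listed in the Trojan Source
# paper (CVE-2021-42574), plus the PDF/PDI characters that terminate them.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",
    "\u202C": "PDF", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}


def scan_source(text):
    """Return one finding per suspicious character.

    Each finding is a dict with line, col (1-based), codepoint, name and
    severity. Bidi controls are "high"; any other invisible format character
    (Unicode category Cf, e.g. zero-width space) is reported as "medium".
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append({"line": line_no, "col": col,
                                 "codepoint": f"U+{ord(ch):04X}",
                                 "name": BIDI_CONTROLS[ch], "severity": "high"})
            elif unicodedata.category(ch) == "Cf":
                findings.append({"line": line_no, "col": col,
                                 "codepoint": f"U+{ord(ch):04X}",
                                 "name": unicodedata.name(ch, "UNKNOWN"),
                                 "severity": "medium"})
    return findings


def logical_order(text):
    """Strip the bidi controls: this is the character order a compiler parses,
    as opposed to the reordered text an editor renders."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


# Constructed sample (not from the page): an RLO inside a string literal,
# followed by isolates, makes the trailing "# ..." text render like a comment
# although it is part of the string the program actually compares against.
SAMPLE = (
    "access_level = 'user'\n"
    "if access_level != 'none\u202E \u2066# Check if admin\u2069 \u2066':\n"
    "    print('You are an admin.')\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f['line']}:{f['col']} {f['codepoint']} {f['name']} [{f['severity']}]")
    print("--- logical order the interpreter sees ---")
    print(logical_order(SAMPLE))
```

Run the script on its own and it reports four high-severity hits on line 2 and then prints the source with the controls removed, which is the only view in which the string boundary is unambiguous. In practice such a scanner would be one signal among many, run over every file in a package rather than a single snippet.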

To address this issue, we've expanded the Suspicious Package Blocking feature and added signals for continuous monitoring for any "odd behaviors." The tool flags suspicious code for potentially harmful Unicode elements within your environment and sends them to our research team for manual review.

This new protection against these attacks is available right now in Sonatype Repository Firewall. Sonatype is among the first to offer intelligent, automated protection against this sophisticated attack method.

Safe component selection

Crucial projects will see delays if developers are charged with researching the latest safe and secure software version, manually releasing components, or otherwise keeping track of status changes. When downloading the latest version of a software package from a registry, your company needs to know it's safe.

With governance from Sonatype Repository Firewall, each download is automatically evaluated against your team's policy and a known-safe version is returned, all without developer involvement. These decisions are made entirely in the background based on an adjustable set of policies, including common risk factors like popularity, licensing, and known vulnerabilities.

An overview of this evaluation process is pictured below.

[Figure: Sonatype Repository Firewall evaluation flowchart]

Non-new components?

What if a new or recently stored version of a software package gets flagged as suspicious or harmful? To help keep you safe, the following process happens automatically:

  1. The version is placed in the Quarantine Area for manual review by Sonatype's security research team.
  2. During this evaluation, only Known Safe versions can be pulled "downstream" into a developer's build environment.
  3. Once the component is found safe to use (and policy-compliant), it is released back as a component into the development pipeline.

All of these steps happen without any effort on the developer's part. These capabilities in the Sonatype Platform provide developers the most accurate version recommendations possible, helping development teams secure their software supply chain with no overhead.

JFrog Artifactory enterprise integration

Sonatype Repository Firewall connects with binary repositories to protect organizations from malicious components that can enter your software supply chain. This latest version extends its Artifactory Pro integration to support JFrog Artifactory Enterprise as well. This includes support for multi-node deployments and brings best-in-class Sonatype vulnerability data and protection from known and unknown risks.

Anonymous developer view

Because it’s important for people across the organization to understand the status of vulnerable components, Sonatype has enabled broader report access without a login. Now, Sonatype Repository Firewall delivers in-depth details about a given blocked component to AppSec, DevOps, and associated teams, including severity, license details, and whether the issue is transitive or direct.

Insights are immediately visible in reports, reducing confusion and Mean Time to Remediation (MTTR).

[Figure: View of the available Quarantine Report in the Anonymous Developer View]

Less open source risk with Sonatype

Avoid malware and make smarter decisions with the best possible information. Give your engineers the tools to maintain rapid and secure application development with Sonatype Repository Firewall. You can find out more, including installation and configuration details, on the Sonatype Help portal.

Tags: Product Release, featured, Product, Sonatype Repository Firewall

Written by Chris Good

Chris is a Product Marketing Manager with Sonatype. Originally from Pittsburgh, PA, Chris studied Communications and Computer Science at the University of Pittsburgh. He enjoys working for Sonatype because of the culture here at the company -- it's diverse and promotes creativity. When he's not working with DevSecOps community, he loves snowboarding, cycling, and traveling.