CLM Overview Why CLM How it Works The Component Revolution Product Tour Services Nexus Free Trial Purchase Training Why Nexus Features Take a Tour About Press Sonatype in the News Press Releases Awards Leadership Investors Customers Success Stories Community Contributions Careers Contact General Inquiry Report a Security 45 Issue
It s fair to say we were excited back in May when the OWASP community proposed A9 Using Components with Known Vulnerabilities as a top 10 open source security risk so now it s official, component vulnerabilities are considered a critical web security flaw . But why has this addition warranted its own category, formerly classified under Security Misconfiguration ? Has the problem truly compounded that much in the last 3 years that now, component vulnerabilities need to be on a watch list? Well simply put, YES. According to the largest open source component repository, The Central Repository, component downloads have grown from 1.5 billion requests in 2008 to over 8 billion requests in 2012. Now that s a quite growth pattern.
Today the use of 3 rd party frameworks and libraries in application development is an everyday 45 practice, but unfortunately proper security policies aren t. So how do you know what security risks really exist? As OWASP points out, this isn t an easy question 45 to answer most development teams don t focus on ensuring their components/libraries are up to date. In many cases, the developers don t even know all the components they are using, never mind their versions. Component dependencies make things even worse .
So how do you manage this problem effectively? Well our CEO says, securing the software lifecycle requires both humans and machines. Humans define the security and license policies, machines 45 automate these policies and humans manage the expectations. With these policies and enforcement in place (right in the developer environment) the possible vulnerabilities are detected 45 earlier in the software development lifecycle and developers have the option to remediate these risks and use other components that meet their organization s security policies.
A perfect use case for remediating possible security threats during the development lifecycle happens after the build promotion and staging. 45 You can define policies based on security, licensing 45 and quality standards. If the build doesn t meet the set policies, the build can be stopped and the developer can be notified before the release workflow is allowed to continue. You can see this example in action in an upcoming 45 webinar, Nexus Pro: Fully Automate Your Build Promotion as a way to start thinking about the value of managing components 45 against your open source security policies.
For those concerned about the recent OWASP A9 announcement (which should 45 be all of you), watching this webinar is a great entry point into defining a larger vision for lifecycle component management. Don t wait to your CISO comes to you with a question about where and how you re using 3 rd party components with known vulnerabilities, start incorporating policy enforcement during the development 45 lifecycle 45 now.
Tags: A9 , Component Lifecycle Management , Nexus CLM , OWASP , repository management , The Central Repository Post navigation ← See the Great Battle of Security 45 and Speed at the Gartner Security & Risk Management Summit Good Hygiene Should be a Foundation of Application Security →
ant Apache Maven application security best practice Book central clm Community component 45 vulnerabilities continuous integration DemoCamp Developer Onboarding Devops eclipse events How-To Hudson Insight Jason van Zyl java m2eclipse Maven Maven 3 Maven Studio for Eclipse News nexus pro nexus professional open source 45 OSGi osstop10 plugin plugins release repository repository management 45 repository manager security Sonatype Sonatype Professional Sonatype training Sonatype webinar Training Tycho video webinar
CLM Overview Why CLM How it Works Component Revolution Services Product 45 Tour Nexus Why Nexus Features 45 Free Trial Purchase Training About Press Careers Community Contributions Leadership Investors Customers Success Stories Resources Events Webinars 45 Videos 45 White Papers Books Contact General Inquiry 45 Newsletter 45 Report a Security Issue Connect Blog Twitter YouTube LinkedIn
No comments:
Post a Comment