First-of-its-kind, automated offering stops vulnerable open source at DevOps front door
Sonatype, the leader in open source governance and DevSecOps automation, today announced that Nexus Firewall is now available to support the more than 10 million developers currently using the open source version of Nexus Repository. Previously only available to commercial users of Nexus Repository Pro, the newest version of Nexus Firewall gives all Nexus Repo users the ability to automatically stop vulnerable open source components from entering a DevOps pipeline.
New research, released today, from Sonatype reveals that one in eight open source components downloaded to repository managers by developers in the UK contained a known security vulnerability — up 120% from the prior year. Companies with non-existent or manual governance processes are prone to these vulnerable components making their way into production, dramatically increasing the risk of breaches.
By way of illustration, over 145,000 downloads of vulnerable versions of Apache Commons Collections were recorded in the UK in 2017. Vulnerable versions of this component have been implicated in ransomware attacks.
Over the course of the year, UK developers also unwittingly downloaded 68,000 known vulnerable versions of Bouncy Castle components relied upon for cryptography and 40,000 vulnerable versions of Apache Struts components implicated in the breach at Equifax. In all instances, safe versions of these same components were available for developers to download.
“All developers love using open source components to accelerate innovation – indeed, between 80 and 90 percent of an application today is assembled from open source components”, said Brian Fox, CTO of Sonatype. “Nexus Firewall automatically stops vulnerable open source components from reaching developers — which mitigates risk at the earliest stage of the development life cycle. The results have been incredible. Within the first 90 days of using Nexus Firewall, one customer automatically prevented 1,500 vulnerable components from entering their development lifecycle and eliminated 34,000 hours of manual reviews.”
“Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components (and in cases of serious vulnerabilities, block the download)?”, wrote Gartner analysts Neil MacDonald and Ian Head in their 3 October 2017 report, 10 Things to Get Right for Successful DevSecOps. “To address this issue, some providers offer an ‘OSS firewall’ (Sonatype Nexus Firewall) to expose the security posture of libraries to developers to make educated decisions about which versions to use. Using this approach, the developer can explicitly block downloads of components and libraries with known severe vulnerabilities (for example, based on the severity of the CVE assigned).”
Nexus Firewall is now available for all Nexus Repository OSS users. Benefits include:
- Automated open source governance policies at the earliest point in the software development life cycle
- Prevention of vulnerable open source components from entering your software supply chain, by blocking and quarantining at the perimeter
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.