Friday, September 8, 2017

Software Vulnerability Control with Sonatype products

Interesting introductory video on the topic of security in the software supply chain: https://vimeo.com/217179090

Video: "Software Factory | Sonatype" (Sonatype Nexus on Vimeo).



A really detailed presentation of the "Nexus Lifecycle" and "Nexus IQ server"
Software Supply Chain
Continuous Integration
Continuous Delivery
Release Automation Tool
DevOps Native Software Development
Nexus Firewall
Public repositories: Maven Central,

Sonar Security Rules: https://docs.sonarqube.org/display/SONAR/Security-related+rules

Software Weakness

Software Vulnerability

http://cwe.mitre.org/ Common Weakness Enumeration (common software security weaknesses) - very educational FAQ on Software Weakness here http://cwe.mitre.org/about/faq.html#A.1

https://www.first.org/cvss/ CVSS, the Common Vulnerability Scoring System; how the scores are computed is explained in the specification: https://www.first.org/cvss/specification-document

https://www.sonatype.com/nexus-lifecycle-tour-software-supply-chain-automation-sonatype Nexus lifecycle

https://nvd.nist.gov/ NVD is the National Vulnerability Database - try searching for Bouncy Castle

Using "Application Health Check" to scan for vulnerabilities:

I have read the devsecops Gartner report https://www.sonatype.com/devsecops also available here https://cdn2.hubspot.net/hubfs/1958393/White_Papers/devsecops_how_to_seamlessly__315283.pdf?t=1482418124868

Also very interesting: the 2017 State of the Open Software report, https://www.sonatype.com/ssc2017?hsCtaTracking=d915532d-28ac-4818-a2db-d4e8feb07036%7C61ff62a0-da6f-47d1-9591-c89200a00454

See also the famous https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf OWASP top 10 web application security risks. Number A9 says: "Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts."

Repository Health Check (RHC) demo video: https://sonatype.wistia.com/medias/77jh7h47av

Result of a WebGoat Health Check https://clm.sonatype.com/reports/Sonatype/71fe66f5c3b540f09caa9ebf1f103e7a-8fae0/

Comparison of free and open-source software licenses: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses

More videos:

Brian Fox, Integration of Nexus Health Check with Eclipse https://www.youtube.com/watch?v=_wqxy5A7-oA&feature=youtu.be

Brian Fox, Nexus IQ Server email alerts on Weak Security https://www.youtube.com/watch?v=UHulp3PWqFk

Brian Fox, Nexus IQ Server, Define security policies https://www.youtube.com/watch?v=EnKHimjNjvQ
