Friday, September 8, 2017

Software Vulnerability Control with Sonatype products

Interesting introductory video on the topic of security in the software supply chain:

Software Factory | Sonatype from Sonatype Nexus on Vimeo.

A really detailed presentation of the "Nexus Lifecycle" and "Nexus IQ server"

Software Supply Chain
Continuous Integration
Continuous Delivery
Release Automation Tool
DevOps Native Software Development
Nexus Firewall
Public repositories: Maven Central,

Sonar Security Rules:

Software Weakness

Software Vulnerability
Common Weakness Enumeration (common software security weaknesses); a very educational FAQ on software weaknesses is here
CVSS, the Common Vulnerability Scoring System: scores explained
Nexus Lifecycle
NVD, the National Vulnerability Database: try searching for Bouncy Castle

Using "Application Health Check" to scan vulnerabilities:

I have read the DevSecOps Gartner report, also available here.

Also very interesting: the 2017 State of the Open Software.

See also the famous OWASP top 10 web application security risks. Number A9 says: "Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts."

Repository Health Check (RHC) demo video here

Result of a WebGoat Health Check

Comparison of Free and Opensource Software Licenses

More videos on:

Brian Fox, Integration of Nexus Health Check with Eclipse

Brian Fox, Nexus IQ Server email alerts on Weak Security

Brian Fox, Nexus IQ Server, Define security policies

Q: Do I really need IQ Server? Can't I simply do a "health check" on a Nexus Repository and check manually each software vulnerability?

When you run a Health Check on a Nexus Repository, all you get is a high-level report that flags the vulnerable components but gives neither pointers to the vulnerability database nor the newest version without known vulnerabilities. All you get is this:

"Last generated Tue Sep 19 2017 at 5:18:09 AM
Health report for your central repository
Out of 74 components in central, 74 (100%) are known, and of these, 2 (3%) are vulnerable.
Download trends
Insufficient trend data
As you download components from central, we will show the percentage of vulnerable downloads over time.
The most vulnerable downloads over the last 30 days are listed below.
Component Vulnerabilities Last 30 Days Suggestion
com.thoughtworks.xstream : xstream : 1.3.1 Critical (3)
Update version
org.codehaus.plexus : plexus-archiver : 2.1 Severe (1)
Update version"

and then you are on your own, googling for a solution.
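As an added example (not code from the original post or from Sonatype), here is a small Python script that parses that plain-text report and cross-references the flagged coordinates with the direct dependencies declared in a project's pom.xml, so the manual follow-up at least starts from a concrete list; the pom.xml is constructed for illustration.

```python
"""Parse the plain-text Repository Health Check summary quoted above and
cross-reference its flagged components with a Maven pom.xml's dependencies."""
import re
import xml.etree.ElementTree as ET

# Report rows look like: "group : artifact : version Severity (count)"
ROW_RE = re.compile(
    r"^(?P<group>[\w.\-]+)\s*:\s*(?P<artifact>[\w.\-]+)\s*:\s*(?P<version>[\w.\-]+)"
    r"\s+(?P<severity>\w+)\s*\((?P<count>\d+)\)$"
)

# The two flagged rows from the report quoted in the post.
REPORT = """Component Vulnerabilities Last 30 Days Suggestion
com.thoughtworks.xstream : xstream : 1.3.1 Critical (3)
Update version
org.codehaus.plexus : plexus-archiver : 2.1 Severe (1)
Update version"""

# Constructed pom.xml for illustration: xstream matches the flagged version
# exactly, plexus-archiver is declared at a different version.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId><version>1.3.1</version></dependency>
    <dependency><groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-archiver</artifactId><version>2.2</version></dependency>
  </dependencies>
</project>"""

def parse_health_report(text):
    """Return one dict per flagged component row; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"group": m["group"], "artifact": m["artifact"],
                         "version": m["version"], "severity": m["severity"],
                         "count": int(m["count"])})
    return rows

def pom_dependencies(pom_xml):
    """Return {(groupId, artifactId): version} for every <dependency> in the pom."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    return {(d.findtext(ns + "groupId"), d.findtext(ns + "artifactId")):
            d.findtext(ns + "version") for d in root.iter(ns + "dependency")}

def flagged_direct_dependencies(report_text, pom_xml):
    """Report rows whose exact group:artifact:version is declared in the pom."""
    deps = pom_dependencies(pom_xml)
    return [r for r in parse_health_report(report_text)
            if deps.get((r["group"], r["artifact"])) == r["version"]]
```

Transitive dependencies are not covered here; feed the output of `mvn dependency:list` into the same matcher to include them.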
