Friday, September 8, 2017

Software Vulnerability Control with Sonatype products

Interesting introductory video on the topic of security in the software supply chain, "Software Factory | Sonatype" (from Sonatype Nexus on Vimeo): https://vimeo.com/217179090



A really detailed presentation of the "Nexus Lifecycle" and "Nexus IQ server"





Software Supply Chain
Continuous Integration
Continuous Delivery
Release Automation Tool
DevOps Native Software Development
Nexus Firewall
Public repositories: Maven Central,

Sonar Security Rules: https://docs.sonarqube.org/display/SONAR/Security-related+rules

Software weakness vs. software vulnerability: a weakness is a type of defect (for example improper input validation), catalogued as a CWE entry; a vulnerability is a specific, exploitable occurrence of a weakness in a given product and version, catalogued as a CVE entry in the NVD and scored with CVSS.

http://cwe.mitre.org/ Common Weakness Enumeration (a catalogue of common software security weaknesses); the FAQ at http://cwe.mitre.org/about/faq.html#A.1 is very educational on what a weakness is.

https://www.first.org/cvss/ CVSS, the Common Vulnerability Scoring System; the specification document explains how the scores are computed: https://www.first.org/cvss/specification-document

https://www.sonatype.com/nexus-lifecycle-tour-software-supply-chain-automation-sonatype Nexus lifecycle

https://nvd.nist.gov/ NVD, the National Vulnerability Database (try searching it for Bouncy Castle).

Using "Application Health Check" to scan for vulnerabilities:



I have read the DevSecOps Gartner report https://www.sonatype.com/devsecops also available here https://cdn2.hubspot.net/hubfs/1958393/White_Papers/devsecops_how_to_seamlessly__315283.pdf?t=1482418124868

Also very interesting: the Sonatype 2017 State of the Software Supply Chain report, https://www.sonatype.com/ssc2017?hsCtaTracking=d915532d-28ac-4818-a2db-d4e8feb07036%7C61ff62a0-da6f-47d1-9591-c89200a00454

See also the famous OWASP Top 10 web application security risks (2013 edition): https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/owasptop10/OWASP%20Top%2010%20-%202013.pdf Item A9, "Using Components with Known Vulnerabilities", says: "Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts."

Repository Health Check (RHC) demo video: https://sonatype.wistia.com/medias/77jh7h47av

Result of a Health Check run on WebGoat: https://clm.sonatype.com/reports/Sonatype/71fe66f5c3b540f09caa9ebf1f103e7a-8fae0/

Comparison of Free and Opensource Software Licenses https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses

More videos:

Brian Fox, Integration of Nexus Health Check with Eclipse https://www.youtube.com/watch?v=_wqxy5A7-oA&feature=youtu.be

Brian Fox, Nexus IQ Server email alerts on Weak Security https://www.youtube.com/watch?v=UHulp3PWqFk

Brian Fox, Nexus IQ Server, Define security policies https://www.youtube.com/watch?v=EnKHimjNjvQ




Q: Do I really need IQ Server? Can't I simply run a "health check" on a Nexus Repository and check each reported vulnerability manually?

http://www.sonatype.org/nexus/2017/06/29/is-manual-remediation-with-repository-health-check-as-good-as-it-gets/

When you run a Health Check on a Nexus Repository, all you get is a high-level report: the vulnerable components are flagged, but there is no link to the underlying vulnerability database entries and no indication of the nearest version that is free of known vulnerabilities. This is the whole report:

" Last generated Tue Sep 19 2017 at 5:18:09 AM
Health report for your central repository
Out of 74 components in central, 74 (100%) are known, and of these, 2 (3%) are vulnerable.
Download trends
Insufficient trend data
As you download components from central, we will show the percentage of vulnerable downloads over time.
The most vulnerable downloads over the last 30 days are listed below.

Component                                     Vulnerabilities Last 30 Days   Suggestion
com.thoughtworks.xstream : xstream : 1.3.1    Critical (3)                   Update version
org.codehaus.plexus : plexus-archiver : 2.1   Severe (1)                     Update version"




and from there you are on your own, googling for a fix.
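To show what can and cannot be automated from that output, here is an added Python example (my own code, not Sonatype's) that parses the component rows of the Health Check summary above, embedded as a constructed sample, and applies a simple severity policy of the kind Nexus IQ lets you define. The fail/warn thresholds and the "Moderate" label are assumptions for illustration, not a Sonatype API. What this cannot produce is exactly what the post complains about: the report carries no vulnerability identifiers and no fixed version, so a gate built on it can block the build but cannot tell you which version to move to.

```python
"""Parse a Nexus Repository Health Check summary and apply a severity policy.

Added example, not Sonatype code. The sample text below is the component
table quoted in the post, re-typed here so the script runs offline.
"""
import re

# Constructed sample: the rows from the RHC summary above. The parser also
# accepts the layout where "Update version" sits on the line after the row.
SAMPLE_REPORT = """\
Component                                     Vulnerabilities Last 30 Days   Suggestion
com.thoughtworks.xstream : xstream : 1.3.1    Critical (3)                   Update version
org.codehaus.plexus : plexus-archiver : 2.1   Severe (1)                     Update version
"""

# RHC severity buckets, worst first. "Critical" and "Severe" appear in the
# report above; "Moderate" is assumed here as the next bucket down.
SEVERITY_RANK = {"Critical": 3, "Severe": 2, "Moderate": 1}

ROW_RE = re.compile(
    r"^(?P<group>\S+) : (?P<artifact>\S+) : (?P<version>\S+)\s+"
    r"(?P<severity>Critical|Severe|Moderate)\s+\((?P<count>\d+)\)\s*"
    r"(?P<suggestion>.*?)\s*$"
)


def parse_health_check(text):
    """Return one dict per component row (Maven coordinates, severity, count,
    suggestion). Header, trend text and blank lines are skipped."""
    rows = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        suggestion = m.group("suggestion")
        if not suggestion and i + 1 < len(lines):
            # Two-line layout: suggestion wrapped onto the following line.
            suggestion = lines[i + 1].strip()
        rows.append({
            "coordinates": "%s:%s:%s" % (m.group("group"), m.group("artifact"),
                                         m.group("version")),
            "severity": m.group("severity"),
            "count": int(m.group("count")),
            "suggestion": suggestion,
        })
    return rows


def evaluate(rows, fail_at="Critical", warn_at="Severe"):
    """Mimic a policy gate: FAIL if any component is at or above fail_at,
    WARN if any is at or above warn_at (but below fail_at), else PASS.
    Thresholds are illustrative, not Sonatype's policy model."""
    fail_rank = SEVERITY_RANK[fail_at]
    warn_rank = SEVERITY_RANK[warn_at]
    blocked = [r for r in rows if SEVERITY_RANK[r["severity"]] >= fail_rank]
    warned = [r for r in rows
              if warn_rank <= SEVERITY_RANK[r["severity"]] < fail_rank]
    return {
        "verdict": "FAIL" if blocked else ("WARN" if warned else "PASS"),
        "blocked": [r["coordinates"] for r in blocked],
        "warned": [r["coordinates"] for r in warned],
        "total_vulnerabilities": sum(r["count"] for r in rows),
    }


if __name__ == "__main__":
    result = evaluate(parse_health_check(SAMPLE_REPORT))
    print(result["verdict"], result["blocked"], result["warned"])
    # Note what is missing: no CVE ids, no CVSS vector, no fixed version.
```

Everything the script needs beyond the row itself (which CVEs, what CVSS score, which version fixes them) has to come from somewhere else, which is the gap that the IQ Server report fills and the manual "google it" workflow does not.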



