Sonatype expands firewall to stop dev vulnerabilities
Friday, March 9, 2018
Christian Hargrave |
New developer security solution announced to stop open source vulnerabilities from happening to your projects.
Sonatype has announced that the Nexus Firewall is now available to support the more than 10 million developers currently using the open source version of Nexus Repository. Previously only available to commercial users of Nexus Repository Pro, the newest version of Nexus Firewall gives all Nexus Repo users the ability to automatically stop vulnerable open source components from entering a DevOps pipeline.
The State of the Software Supply Chain Report revealed that in 2016 7.2% (1 in 14) of open source components downloaded to repository managers contained a known security vulnerability. Companies with non-existent or manual governance processes are prone to vulnerable open source components making their way into production web applications, dramatically increasing the risk of data breaches.
“All developers love using open source components to accelerate innovation - but none of them want to unwittingly introduce security vulnerabilities into their application”, said Brian Fox, CTO of Sonatype. “Nexus Firewall automatically stops defective open source components from reaching developers - which eliminates risk at the earliest stage of the development life cycle. The results have been incredible. Within the first 90 days of using Nexus Firewall, one customer automatically prevented 1,500 vulnerable components from entering their development lifecycle and eliminated 34,000 hours of manual reviews.”
“Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components (and in cases of serious vulnerabilities, block the download)?”, wrote Gartner analysts Neil MacDonald and Ian Head in their 3 October 2017 report, 10 Things to Get Right for Successful DevSecOps. “To address this issue, some providers offer an ‘OSS firewall’ (Sonatype Nexus Firewall) to expose the security posture of libraries to developers to make educated decisions about which versions to use. Using this approach, the developer can explicitly block downloads of components and libraries with known severe vulnerabilities (for example, based on the severity of the CVE assigned).”
The State of the Software Supply Chain Report revealed that in 2016 7.2% (1 in 14) of open source components downloaded to repository managers contained a known security vulnerability. Companies with non-existent or manual governance processes are prone to vulnerable open source components making their way into production web applications, dramatically increasing the risk of data breaches.
“All developers love using open source components to accelerate innovation - but none of them want to unwittingly introduce security vulnerabilities into their application”, said Brian Fox, CTO of Sonatype. “Nexus Firewall automatically stops defective open source components from reaching developers - which eliminates risk at the earliest stage of the development life cycle. The results have been incredible. Within the first 90 days of using Nexus Firewall, one customer automatically prevented 1,500 vulnerable components from entering their development lifecycle and eliminated 34,000 hours of manual reviews.”
“Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components (and in cases of serious vulnerabilities, block the download)?”, wrote Gartner analysts Neil MacDonald and Ian Head in their 3 October 2017 report, 10 Things to Get Right for Successful DevSecOps. “To address this issue, some providers offer an ‘OSS firewall’ (Sonatype Nexus Firewall) to expose the security posture of libraries to developers to make educated decisions about which versions to use. Using this approach, the developer can explicitly block downloads of components and libraries with known severe vulnerabilities (for example, based on the severity of the CVE assigned).”
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here