As the Heartbleed bug wreaked havoc on the internet, we at Sonatype began thinking about the lessons learned from this recent security scare and how, collectively, we can develop a process for mitigating the next major exposure. Was this OpenSSL vulnerability an oversight by system administrators installing unknown software? The simple answer is no. OpenSSL is the de facto SSL implementation used on most internet servers around the world. This is not an untested, unverified component that slipped by security audits.
A critical question to ask after security incidents such as this: "Is the vulnerable version of OpenSSL still accessible and available for download, whether in a proxy repository or on a public download site?" This isn't as far-fetched as it initially sounds. Let’s take a look at other components that have had well-publicized vulnerabilities:
This popular open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.
In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times—despite warnings given five years earlier.
A version of this component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.
These days, developers are assembling the majority of applications using open source building blocks called "components" which are shared in a vast global developer network. Yet, your organization probably doesn’t know what components are used, where they are used, or the current threat levels. Sonatype created Nexus Lifecycle (formerly Component Lifecycle Management) to help you avoid unnecessary risk by providing complete visibility into component security, license and quality data.
Nexus Lifecycle is the first solution to deliver component information, controls, and remediation options in a developer-friendly solution. You can:
Find and remediate security problems early in development using the tools that your developers use every day. No extra work or delays.
for open source security, license & quality with integration throughout your software development lifecycle.
to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.
As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."