The Open Web Application Security Project (OWASP) has updated its Top Ten list of application security risks to include A9, "Using Components with Known Vulnerabilities." Today, as much as 90% of a typical application is made up of open source or third-party components shared by developers worldwide, yet most traditional application security methods do not effectively identify vulnerabilities in those components.
Open source fuels innovation and is vital to accelerating the pace of development. However, a lack of visibility into component vulnerabilities and their fixes means that vulnerable components stay in use for years after alerts are issued.
This popular open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.
In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times—despite warnings given five years earlier.
A version of this component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.
Despite exploding usage, most organizations can’t answer basic questions, such as:
Our research shows that 71% of applications contain at least one critical or severe open source vulnerability.
Nexus Lifecycle (formerly Component Lifecycle Management) is the first solution to deliver component information, policy controls, and remediation options in a developer-friendly form. You can:
Find and remediate problems early in development using the tools that your developers use every day. No extra work or delays.
for open source security, license & quality with integration throughout your software development lifecycle.
to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.
Unfortunately, our dependence on components is growing faster than our ability to secure them.
While important, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) do not effectively address component-level security.
A foundation of component governance, coupled with SAST and DAST, provides a holistic view of an application's risk: not only the source code that is written and compiled, but also the components that are downloaded and assembled into it.
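The component check that governance adds on top of SAST and DAST is, at its core, an inventory of which application uses which component version, matched against advisories that give affected version ranges. The script below is an added illustration of that check and of the "know when a new risk is discovered and exactly where you are impacted" step; it is not Sonatype's or Nexus Lifecycle's code. The inventory lines, component coordinates and advisory identifiers (ADV-0001 and so on) are constructed for the example and refer to no real advisory. It also shows the caveat a practitioner hits first: versions must be compared numerically, because a lexical comparison puts 2.3.10 before 2.3.9 and silently misses a fixed-in boundary.

```python
"""Match a component inventory against a vulnerability feed (OWASP A9).

Added example with constructed data: the inventory, component coordinates
and advisory identifiers below are hypothetical, not real advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(version: str) -> tuple:
    """Turn '2.3.10-rc1' into a tuple that compares correctly.

    Numeric parts compare as integers (so 2.3.10 > 2.3.9, unlike a string
    comparison) and a pre-release suffix sorts below the bare release.
    """
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", main))
    return nums, ((1,) if not pre else (0, pre))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # hypothetical identifier, e.g. "ADV-0001"
    component: str            # "group:artifact"
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = unfixed
    severity: float           # CVSS-style score, 0.0 to 10.0

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


def parse_inventory(text: str) -> dict:
    """Parse lines of 'app group:artifact:version' into {app: [(component, version)]}."""
    inventory: dict = {}
    for line in text.strip().splitlines():
        app, coordinate = line.split()
        group, artifact, version = coordinate.split(":")
        inventory.setdefault(app, []).append((f"{group}:{artifact}", version))
    return inventory


def find_vulnerable(inventory: dict, advisories: list, min_severity: float = 0.0) -> list:
    """Return (app, component, version, advisory_id, fixed_in) for every hit."""
    findings = []
    for app, components in inventory.items():
        for component, version in components:
            for adv in advisories:
                if (adv.component == component and adv.severity >= min_severity
                        and adv.affects(version)):
                    findings.append((app, component, version, adv.advisory_id, adv.fixed))
    return findings


def newly_impacted(inventory: dict, known: list, new_advisories: list) -> list:
    """Re-scan a stored inventory when advisories arrive; return only the new hits.

    This is the 'trust over time' step: the inventory has not changed, but a
    newly published advisory can make a previously clean application vulnerable.
    """
    before = set(find_vulnerable(inventory, known))
    return [f for f in find_vulnerable(inventory, known + new_advisories) if f not in before]


# Constructed inventory: two applications and the components they ship.
INVENTORY = """
billing  org.example:web-fw:2.3.9
billing  org.example:crypto-api:1.4.0
portal   org.example:web-fw:2.4.1
portal   org.example:http-client:3.0.0
"""

# Constructed advisory feed (hypothetical identifiers and ranges).
ADVISORIES = [
    Advisory("ADV-0001", "org.example:web-fw", "2.0.0", "2.3.10", 7.5),
    Advisory("ADV-0002", "org.example:crypto-api", "1.0.0", "1.4.2", 10.0),
]

# An advisory published after the first scan, with no fixed version yet.
LATER_ADVISORY = Advisory("ADV-0003", "org.example:http-client", "3.0.0", None, 9.1)


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY)
    for f in find_vulnerable(inv, ADVISORIES):
        print("vulnerable:", f)
    for f in newly_impacted(inv, ADVISORIES, [LATER_ADVISORY]):
        print("newly impacted after feed update:", f)
```

Running it flags billing twice (web-fw 2.3.9 sits below the 2.3.10 fix boundary, crypto-api 1.4.0 below 1.4.2) and portal not at all; feeding in ADV-0003 against the same stored inventory then surfaces portal's http-client without anyone re-building or re-scanning the application. Filtering with min_severity lets a policy gate on, for example, only scores of 9.0 and above.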
Learn more about gaps in traditional application security approaches in this paper on the “7 Security Gaps in the Neglected 90% of Your Application.”
As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."