Did you know that open source software security reviews once took an average of 25 days just to sort and map the dependencies?
Now that we’re living in the “future”? Try five minutes. BOOM!
Yes, it is true, say Sonatypers Jerry Gergel and Melanie Latin. Their Nexus User Conference presentation — geared specifically for developers — looks at how Nexus Lifecycle functions like a high-grade, magnifying-glass-meets-sunlight weapon to find and burn up bugs.
85% Sure Your App Is Vulnerable
Some context is necessary. According to last year’s State of the Software Chain Report (new one dropping very soon), the average app is composed of 85% open source software. The average app has 106 OSS components, 23 known vulnerabilities, and approximately 8 policies, legal or technical, to manage.
How do you, the developer, know if these parts are still good? What policies to enforce? What might break the build if you alter or remove components? Or — what if you didn’t even build the software to begin with, but now you’re in charge of it?
The fastest solution is to use Nexus Lifecycle, which is powered by Sonatype’s IQ Server, and perform a penetrating scan. In five minutes you’ll easily identify the components, know how to reduce risk, and begin to set the parameters that define “bad” components in your project.
Best Practices for Busting Vulnerabilities
Jerry and Melanie offer best practices once you’ve identified violations:
- Add a scan step to your CI build job. They (ahem) recommend you use Nexus Lifecycle because you’ll get an inventory of embedded components, and a software bill of materials (SBOM) that offers associated reports.
- Start with the highest threats. The vulnerabilities that rank highest represent components that are actively being exploited, offer the largest attack surface, or are a known vulnerability (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/developers-say-goodbye-to-vulnerabilities.-squash-those-bugs