Hands On with the Nexus Platform: A Software Supply Chain Demo

“Every company is now a software company — whether they like it or not,” says Ilkka Turunen in his recent talk at the Nexus User Conference. Ilkka, who serves as our Global Head of Solutions Architecture, presented a technical overview for audiences interested in using our Nexus Platform.

Before starting he reviewed the basic steps developers often take to produce software today:

  1. Start with a template, such as Apache Struts
  2. Learn the framework as you go along
  3. Containerize it — “stick it in a server and you’re good to go!”

Building from reusable components this way offers significant advantages to the finished software. Today, 80-90% of all software consists of open source components, which allows for rapid releases and greater innovation. “Today’s winners release great software faster and more securely than their competitors,” he explains.

Getting Started with the Nexus Platform

“Do try this at home,” Ilkka says, pointing audiences to struts2-rce, a Sonatype community repository on GitHub. You’ll need Docker or Jenkins to get started. Feel free to fork it for yourself.

The anatomy of the project is a fairly simple pipeline. It clones a REST API example from the original Apache Struts project. Then it uses Maven to build a runnable web application. Finally, it uses a standard Tomcat container to run the server. He also demonstrates how to produce a software bill of materials.

Watch Ilkka’s presentation for the step-by-step, below.

You’ll notice that Ilkka finds two vulnerabilities in the process. (Spoiler alert: in an application, and in a container.) He shows you how to quickly and successfully remediate both. “This is a tough spot, unless you have the right tools,” he says.
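The pipeline above ends by producing a software bill of materials, and the two findings Ilkka remediates come from checking that inventory: one against the application's dependencies, one against the container it runs in. The following is an added example of that check, not code from the talk, the struts2-rce repository or the Nexus Platform. It assumes the SBOM is in CycloneDX JSON (a real format, though the page does not name one); the sample document, the package coordinates under `com.example`/`org.example`, and the policy feed with its `PLACEHOLDER-*` advisory labels are all constructed for the demo and describe no real vulnerability.

```python
"""Inventory a CycloneDX SBOM and match its components against a policy feed.

Added example, not Sonatype's or the struts2-rce project's code. Assumptions:
the SBOM is CycloneDX JSON; the document, coordinates and advisories below are
constructed placeholders and name no real vulnerability.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM: one application with two library
# dependencies, plus the container image it is shipped in.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "demo-rest-api",
                               "version": "1.0.0",
                               "purl": "pkg:maven/com.example/demo-rest-api@1.0.0"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "web-framework",
         "version": "2.3.1", "purl": "pkg:maven/org.example/web-framework@2.3.1"},
        {"type": "library", "group": "org.example", "name": "json-mapper",
         "version": "3.1.0", "purl": "pkg:maven/org.example/json-mapper@3.1.0"},
        {"type": "container", "name": "example/tomcat-base", "version": "8.5.0",
         "purl": "pkg:docker/example/tomcat-base@8.5.0"},
    ],
})

# Constructed policy feed: purl without version -> (fixed_in, note).
# Any component older than fixed_in is flagged. Placeholders, not real advisories.
POLICY = {
    "pkg:maven/org.example/web-framework": ("2.5.0", "PLACEHOLDER-APP-ADVISORY"),
    "pkg:docker/example/tomcat-base": ("9.0.0", "PLACEHOLDER-IMAGE-ADVISORY"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); segments without digits compare as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/ns/name@ver' into ('pkg:type/ns/name', 'ver')."""
    base, _, version = purl.partition("@")
    return base, version


def inventory(sbom_json: str) -> Dict[str, List[str]]:
    """Group every component purl by its CycloneDX type (library, container, ...)."""
    sbom = json.loads(sbom_json)
    groups: Dict[str, List[str]] = {}
    for comp in sbom.get("components", []):
        groups.setdefault(comp["type"], []).append(comp["purl"])
    return groups


def evaluate(sbom_json: str, policy=POLICY) -> List[Tuple[str, str, str]]:
    """Return (purl, fixed_in, note) for each component older than its fixed version."""
    findings = []
    for purls in inventory(sbom_json).values():
        for purl in purls:
            base, version = split_purl(purl)
            if base in policy:
                fixed_in, note = policy[base]
                if parse_version(version) < parse_version(fixed_in):
                    findings.append((purl, fixed_in, note))
    return findings


if __name__ == "__main__":
    # Print the inventory, then the components the policy says to upgrade.
    for ctype, purls in inventory(SAMPLE_SBOM).items():
        print(f"{ctype}: {', '.join(purls)}")
    for purl, fixed_in, note in evaluate(SAMPLE_SBOM):
        print(f"FLAG {purl} -> upgrade to >= {fixed_in} ({note})")
```

Run as a script it lists the library and container components and then flags two of them, one application dependency and one base image, which is the shape of what the talk finds. Keeping the container image in the same SBOM as the Maven dependencies is the point: a check that only reads the `pom.xml` would never see the second finding.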

Ilkka goes on to explain how a developer with a Nexus license can use the Chrome extension for Nexus IQ. The free plugin helps (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/hands-on-with-the-nexus-platform-a-software-supply-chain-demo