Software Component Vulnerability Cited as Latest Application Security Threat in OWASP Top Ten List; Sonatype First to Provide Comprehensive Solution
Published: May 01, 2013 08:00
SILVER SPRING, Md. – May 1, 2013 – Sonatype, the leader in Component Lifecycle Management (CLM), today announced immediate ability to address risks related to “Using Components with Known Vulnerabilities,” as newly listed on the just released 2013 Open Web Application Security Project (OWASP) Top Ten, the industry’s definitive listing of the most important risk factors in application security. Known as A9, this risk factor highlights the potential problems associated with the widespread use of open-source components with known security vulnerabilities in modern-day application development. It is the first new threat to be added to the list in three years, driven by the explosive growth of component use by developers and a lack of component management by the industry. Sonatype CLM, announced on April 30, is the first and only solution to secure the entire component lifecycle – from design, development and deployment through production operations.
The use of software components as the building blocks of modern applications is now so common that more than eight billion components were downloaded from the Sonatype Central Repository in 2012, nearly doubling requests from the previous year. According to the 2013 Open Source Development Survey – the largest survey of open source developers, managers and architects with more than 3,500 participants – found that at least 80 percent of an application built today is open source with the remaining 20 percent custom components and code. Yet, an overwhelming 76 percent of organizations lack any component-management policies. In most instances, developers don’t even know all the components they are using, let alone versions. An astonishing 65 percent of those surveyed don’t maintain an inventory of components used in production applications.
“The performance, time and cost advantages of agile, open-source development comes at a price – you have to ensure the components you use are up-to-date and secure,” said Jeff Williams, CEO of Aspect Security and founding member of OWASP. “Unfortunately, it’s not trivial to figure out what components your applications are using, and even harder to figure out which vulnerabilities apply to those components. The new OWASP Top Ten has detailed recommendations for locking down your software supply chain, and Sonatype’s tools make them much easier.”
Open source components represent a rich attack vector for hackers due to their commonality across applications. Moreover, component vulnerabilities are exceedingly common and difficult to pinpoint and fix. This is largely due to the lack of a centralized update notification infrastructure for open-source components, the complexity of the software supply chain and a lack of focus on security by developers.
OWASP points to the fact that vulnerability reports don’t always specify exactly which versions of a component are vulnerable in a standard, searchable way; not all libraries use an understandable version numbering system; and not all vulnerabilities are reported to a central clearinghouse that is easy to search. As a results components with known vulnerabilities creep into mission-critical applications at an alarming rate. Research from Aspect Security found that half of the world’s largest organizations used vulnerable components in their builds in 2012 and the probability of having at least one vulnerability in an application due to a known insecure library is 95 percent.
Sonatype CLM is the first solution to deliver component information, controls, and remediation options directly into the tools that developers use every day. By uniquely identifying components, making it easy to fix flaws early, and enforcing policy at every phase of the software development lifecycle, Sonatype CLM eliminates security and other risks in open source software. Offering the first practical way to automate governance of open-source component usage throughout the software lifecycle and eradicate flawed components from production applications, Sonatype CLM addresses each of the OWASP A9 recommendations for avoiding the use of insecure components head-on. These include:
- Identify the components and their versions you are using, including all dependencies. (e.g., the versions plugin).
- Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
- Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable license
“Sonatype CLM is designed for flexible implementation that can be adapted to the priorities of any organization - enabling enforceable open-source risk management, flaw discovery early in the development cycle, and straight-forward paths to flaw remediation,” said Wayne Jackson, CEO of Sonatype. “With Sonatype CLM, we are breaking down the traditional tensions between the software development and security organizations, addressing risk in component usage while also promoting innovation, productivity and pace of delivery.”
Sonatype is leading the component revolution. The company’s innovative Component Lifecycle Management (CLM) products enable organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks. Sonatype operates the Central Repository, the industry's primary source for open-source components, serving more than eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and the Sonatype Central Repository. Since that time, Sonatype has been a leader in core open-source software development ecosystem projects used by more than nine million developers including Nexus, m2eclipse, and Hudson. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @SonatypeCM
PR for Sonatype