Whatever, we’ve got security people for that…
As part of our launch of Nexus 2.0 and the Repository Health Check, we’re telling some stories about security and how security affects working developers. As developers we’re not always focused on security, but as attacks grow more complex, more aware of platforms like Java and .NET, and more capable of affecting custom application code, security is going to play an increasingly important role in development. In this post, I talk about a security incident I watched unfold last year and identify some of the lessons I walked away from the experience with.
But first, a message from our sponsor: Sonatype’s Nexus 2.0 offers a Repository Health Check. It’s not an answer to security by itself, but it can play a critical part in a larger, organization-wide approach to security. If you are developing applications with Tomcat, Spring, and other well-known components, you’d be surprised at the kinds of vulnerabilities that are floating around in production. Once you can run a detailed RHC report in Nexus Professional, you can identify the affected components, replace them in your applications, iterate, and get rid of known vulnerabilities. Click here to learn more about Nexus 2.0.
Missed the Nexus 2.0 Webinar? Don’t worry. We recorded it just for you.
We understand. You’ve got a busy schedule, maybe you manage a large team of developers who all had to talk to you at once about some emergency. Maybe you were working on some interesting problem and got into “the zone”. Well, if you missed it, don’t worry, we recorded Jason’s presentation in its full glory. Here, watch it.
Advanced Nexus Diagnostics with the Nexus 2.0 “describe” Flag
On Tuesday, I wrote a blog post, How your build is leaking internal data, about how you can prevent that leak using Nexus Routes. Our Engineering team chimed in and suggested that this would be a good time to introduce a valuable, undocumented debugging tool you can use to gain some insight into how Nexus resolves an artifact request.
Try this in a browser that knows how to render JSON (like Google Chrome):
- Make a request for an artifact. Let’s use Apache Tomcat 6.0.29 from http://repository.sonatype.org as an example. This artifact is available from this link: https://repository.sonatype.org/content/groups/forge/org/apache/tomcat/apache-tomcat/6.0.29/apache-tomcat-6.0.29-bundle.tar.gz
- Next, just add “?describe” to the end of the URL: https://repository.sonatype.org/content/groups/forge/org/apache/tomcat/apache-tomcat/6.0.29/apache-tomcat-6.0.29-bundle.tar.gz?describe. Instead of the artifact, Nexus returns a JSON description of how it handled the request.
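The same two steps from a shell, as an added example that is not part of the original post or of Nexus itself. It builds the describe URL (using “&describe” when the URL already carries a query string, which is an assumption about how the flag combines with other parameters, not something the post states), then fetches it with curl and pretty-prints the JSON with python3; both tools are assumed to be installed, and the fetch needs network access to the repository manager.

```sh
#!/bin/sh
# Added example (not from the Sonatype post): build the "?describe" URL for a
# Nexus 2.x group request and fetch the JSON diagnostic instead of the artifact.

# Append the describe flag; if the URL already has a query string, add it
# with "&" so the existing parameters survive (assumption, not from the post).
describe_url() {
    case "$1" in
        *\?*) printf '%s&describe\n' "$1" ;;
        *)    printf '%s?describe\n' "$1" ;;
    esac
}

# Fetch the describe output and pretty-print it. Nexus answers with JSON,
# so "python3 -m json.tool" is enough to make it readable in a terminal.
# -f makes curl fail on HTTP errors (e.g. 404 when the group cannot resolve it).
nexus_describe() {
    url=$(describe_url "$1")
    curl -fsS "$url" | python3 -m json.tool
}

# The artifact from the post: Apache Tomcat 6.0.29 via the "forge" group.
ARTIFACT_URL='https://repository.sonatype.org/content/groups/forge/org/apache/tomcat/apache-tomcat/6.0.29/apache-tomcat-6.0.29-bundle.tar.gz'

# Only hit the network when explicitly asked: sh describe.sh --run
if [ "${1:-}" = "--run" ]; then
    nexus_describe "$ARTIFACT_URL"
fi
```

Because the describe output shows how Nexus handled the request, running it against your own repository manager for an artifact with an internal group ID is the quickest way to check that the request stayed inside your internal repositories rather than being forwarded to a public proxy, the leak the earlier post describes.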
What do cartoons have to do with build systems?

You know who this guy is? Probably not, he’s Rube Goldberg.
I’m surprised by how few engineers know his work. Rube Goldberg was a cartoonist who lived from 1883 to 1970, and he’s famous for drawing cartoons of ridiculous and inconceivably complex machines. His work was important during a time in which the world was becoming increasingly mechanized and automated, providing a sort of cultural “steam vent”: a way for people to poke fun at machines and industry. I’d embed his work here, but none of it is in the public domain, so see for yourself or search Google Images. (Be warned, you can spend hours looking at these cartoons.)
I learned about Rube Goldberg from an Engineering professor who, at the time, said, “Rube Goldberg is the most important thing you’ll learn over the next four years”. Back then, we all thought he was joking, but it turns out that he wasn’t. In fact, I wish more people, especially “build engineers” had some exposure to these cartoons. If they had, they’d take a step back and realize that there has to be a better way.
Nexus 2.0 supports .NET: “Building a more Secure and Effective Development Environment”
We released Nexus Professional 2.0 last week; today we’re officially announcing our support for .NET. Here’s a key excerpt from today’s press release:
Sonatype, the company that is transforming software development, today announced that software developers using the .NET Framework can now utilize the Sonatype Nexus Professional repository manager to store, access and manage .NET components. Nexus is already the industry’s most widely used repository manager for Java components. By extending support to .NET, Sonatype now offers an ideal solution for Microsoft development teams, as well as heterogeneous development organizations.
