Is Analyzing Open Source Projects by Contributors a Valid Metric?

April 19, 2012 By

ReadWriteWeb’s Joe Brockmeier has an interesting piece analyzing OpenStack Essex. While it isn’t an exact overlap with the kind of analysis we’re working on for Insight and Nexus, it’s a view into the social and open source dynamics of a project.

Brockmeier’s article is a summary of some analysis that OpenStack contributor Mark McLoughlin assembled from commits and Gerrit code reviews. It’s a breakdown of activity by organization; as with many open source projects that have corporate involvement, there are always one or two companies that tend to dominate the commit breakdown.

Where the article is a little off-base is in its assessment of community health: you can’t judge the “health” of an open source project by the mix of companies represented in a commit breakdown alone. It’s an interesting statistic, but there’s so much more to open source than code commits, including documentation efforts, marketing spend by companies invested in a project, and financial support for essential efforts not directly related to code (legal, infrastructure, etc.). Open source isn’t about code alone, and while balance is an ideal for open source projects with corporate involvement, that balance can shift over time.


Oracle Issues Critical Security Bug Fixes for Databases, Glassfish, and more.

April 18, 2012 By

You seem a little insecure, is everything okay?

If you are watching our security feed, you may have noticed this IDG News Service story reporting on a critical security patch from Oracle. Since many of our customers are directly affected by this vulnerability, we thought this announcement was important enough to feature. From the story:

“The upcoming patch batch includes six fixes for Oracle’s database, three of which can be exploited remotely without a username and password. Common Vulnerability Scoring System (CVSS) base score for the database bugs is 9 on the system’s 10-point scale. Another 11 patches cover Oracle Fusion Middleware, with 9 being remotely exploitable without authentication.”

Three important take-aways from this announcement:

  • This patch contains some Level 9s on the CVSS. Level 9s are a “big deal”; if you are not convinced, try playing around with this CVSS calculator from NIST or read this Complete Guide to the Common Vulnerability Scoring System Version 2.0.
  • Many of the vulnerabilities are exploitable without credentials. Attackers don’t need to compromise your database or application server credentials; if someone finds a way into your network, you may be vulnerable. Couple this with the fact that almost everyone is running either MySQL or Oracle, and you have the factors that bump up that CVSS score.
  • Glassfish, a very popular OSS application server, and MySQL, a ubiquitous OSS database, are also affected.

Here’s a quote from the Oracle Critical Security Patch:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 88 new security fixes across the product families listed below.

If you are affected by this vulnerability, go get this Critical Security Patch Update from Oracle today.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.


Is your phone possessed? Or is it Android Malware?

April 18, 2012 By

Hackers aren’t content to infect just your laptop; they want your phone. There’s an article over on SecurityNewsDaily that talks about some new Android malware that can take over your phone. Here’s the fun quote:

“The new Android malware disguises itself in fully functional copies of apps, including “Angry Birds Space,” and hides its malicious payload in the string of code at the end of an otherwise genuine JPEG file, Lookout said. This rogue code exploits the GingerBreak vulnerability, a flaw that enables it to gain control of the phone and trick the victim into purchasing apps from illegitimate app stores.”

It looks like Android developers need to start paying more attention to security in general now that Android has exceeded 50% market share in the US. While this vulnerability isn’t something that is directly addressable with Insight at the moment, it reminds us that we need to start focusing more on mobile. Since Android development is Java-based, you can immediately benefit from downloading Nexus Professional 2.0 today and making sure that all of your application dependencies are free of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

Start Proxying .NET Packages NuGet Gallery with Nexus Professional

April 17, 2012 By

We announced that Nexus Professional added support for .NET and NuGet repositories, but I wanted to reiterate that message by supplying some very detailed instructions to walk you through the process. NuGet has quickly become the de facto way to install libraries in Visual Studio, and, in some ways, the IDE integration between Visual Studio and NuGet Gallery puts the integration between Maven and Eclipse or IntelliJ to shame. The Outercurve Foundation and Microsoft have created a really compelling GUI for discovering and integrating new OSS components.

If you’ve downloaded Nexus Professional 2.0 to start using or evaluating support for .NET and NuGet packages, here are the steps you need to take to get started. (Don’t have Visual Studio, but still interested in exploring this feature? You can download Visual Web Developer 2010 Express and get started.)

First, know that Nexus Professional doesn’t ship with any NuGet repositories pre-configured. The overall process for starting to proxy NuGet Gallery is to configure the required repositories on Nexus, group them into a single repository group, and then configure Visual Studio to read from Nexus. To start proxying NuGet Gallery, follow these How-tos in order:

This process is also captured in a shareable Bit.ly Link Bundle walking you through the same collection of related How-tos.

Most Application Vulnerabilities are “Forever Day” Vulnerabilities

April 16, 2012 By

Zero-day threats are the kinds of things that keep security people up at night. The idea behind a zero-day threat is that no one knows about a particular vulnerability until an attack exploiting it happens.

This Ars Technica article captures a new term: “Forever Day”. It describes software and hardware developers that identify vulnerabilities but fail to fix them. Maybe a product is reaching end-of-life, or maybe no one is paying attention. Here’s a quote from the article that resonates with some of what we’ve been saying about application security:

“They’re just not going to get patched,” said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. “The big question is how many of their clients are actually set up to take those advisories and take action upon them?”

We mentioned this last week: unless you pay attention to security, you are essentially living with “Forever Day” exploits in production. The alternative would be to start paying attention, download Nexus Professional 2.0, and keep track of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.