This article is another in a series of articles associated with our Executive Brief. To access the executive brief, “Addressing Security Concerns in Open-Source Components,” visit www.sonatype.com/securitybrief. You can follow the conversation on Twitter using the hashtag #OSSsecurity.

I just wanted to reiterate the key point of yesterday’s security brief which is: “You and everyone else in the world are likely downloading vulnerable components.” If you don’t believe me, then take a look at this graph:

First, note the logarithmic scale – downloads over an entire year. Then, take a look at the left-side of the chart. See anything familiar? GWT, Spring, Struts, CXF, Xerces? If you use these components, you should try to identify which versions are affected by widely known CVE vulnerabilities. It’s that simple, if you use these components it would be a good idea to browse the CVE database, or to take a look at Nexus Professional’s Repository Health Check.

Really, attackers aren’t going to go to the trouble…

Developers, you might be thinking, “an insecurity in GWT or Xerces, who’s going to trouble of doing that much research? Who’s really going to hack into Megabank via some obscure AJP vulnerability in a Tomcat connector?” And if you are asking these questions as a way to shuffle this all under the rug, I understand. There’s enough work in the pipeline already and you don’t need another thing to worry about. As developers we’re not going to turn into security professionals overnight, but we can start using tools like Nexus Professional to help identify vulnerable components and isolate us from deploying known security problems to production.

It isn’t the likelihood that someone will hack GWT that is the issue, it is the idea that deploying any code with a known security vulnerability needs to be identified as a disqualifier. The idea that if you get compromised and someone realizes that it was a known vulnerability (for years): developers need to be motivated to avoid this embarrasing situation. The point I’ve tried to make on this blog is that we (developers) are not really paying attention to this problem because we just assume that it is someone else’s problem.

Ignoring Security: It isn’t a question of if you’ll get hacked, it’s when

The issue of data and systems security has repeatedly been front-page news time and time again over the past year. Groups like Anonymous and Lulzsec made a public sport in 2011 of hacking into serious organizations and making every effort to embarrass and ridicule them for lax security. The last few years have been pretty embarrassing years for a lot of security departments at large corporations and a few governments. 2012 promises to be even more active with McAfee predicting the reorganization of Anonymous, but focusing on these high-profile, news-generating events ignores the scope of the problem. It isn’t about volume, it is about your exposure to this risk.

I’ve seen some recent attacks in action. Attacks on both Java-based web architectures and PHP-based architectures. While it’s true that PHP-based applications present a much larger and more insecure surface area to attack, it has to be said that Java-based web applications and .NET present a much more lucrative target. An attacker can compromise all the two-bit Drupal instances in the world without stumbling upon anything worth intruding, or they can focus on a multi-month strategy of social engineering and direct attacks to compromise one the Global 100 financial institutions that are downloading insecure dependencies every day.

Welcome to the Security Theater

If you are banking on the fact that attacking Struts 2 or Log4J is just too esoteric for most hackers to do, you are participating in something Bruce Schneier calls Security Theater, and that’s really what I’m taking away from this study. Some of these institutions are so invested in presenting an image of trust and security that they will spend millions on Super Bowl ads and marketing efforts to purchase customer trust. But, at the end of that day they continue to download vulnerabilities. It doesn’t match up, we need a change of culture in development and security needs to be top of mind.

It’s time for developers to start taking security seriously. You could choose to be proactive about the problem and use tools like Nexus Professional to automatically correlate CVE vulnerabilities from CERT with your artifacts, or you can wait until someone replaces your company website with a funny picture and lose the ability to download artifacts from Central altogether. The choice is yours.

Bouncy Castle.   Do those words mean anything to you?   If you are a Java developer, you might know that Bouncy Castle is an encryption library often used to generate secure hash codes and encrypt data.  In other words, it is a silly project name for a serious purpose. Do you any know that old, released versions of Bouncy Castle have known security vulnerabilities?   I’m not writing this to cast a shadow of doubt on the project.  Bouncy Castle is an awesome open source library, as is the Spring framework, Commons HttpClient, Tomcat, and Jetty.   What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.

There’s a good chance that you might not be focused on this problem.   You might not be constantly evaluating your project’s dependencies to analyze the risks.

I’ve been developing enterprise software for years, and it just isn’t something most companies worry too much about.   While a company might spend a great deal of money on systems and personnel to keep operating systems patched and networks secured, that same company is likely using an older version of Commons HttpClient 3.1 that presents a denial of service (DoS) vulnerability.    In other words, we appreciate the vulnerability of machines and operating systems while simultaneously ignore the security characteristics of the software that runs on these platforms.

As open source becomes more important to the modern enterprise this exposure will only increase.    The critical question to ask yourself given the increasing rate of change in open source is “can you keep up?”.

It just so happens that we recently launched Sonatype Insight to help with this very issue. Watch this short video to see how Sonatype Insight. can help you keep up.

Learn more about Sonatype Insight.

We’ve added a new webinar to the Sonatype series: Enterprise Repository Management.

Do you develop Java applications using open source software artifacts from Maven Central? If so, and you aren’t yet using a local repository manager, you need to attend this webinar. In this session you’ll learn how an enterprise repository manager can reduce development time, improve quality, enable greater internal collaboration, and reduce risk. Register now to learn how repository management can help your organization.

• Date: Tuesday, April 19, 2011
• Time: 1:00PM EDT (GMT – 04:00)
• Duration: 30 minutes
• Presenter: Brian Fox, Sonatype Vice President of Engineering
• To register, please click here

Sonatype books are the essential references for anyone working with Apache Maven, repository management, and integrating Maven with Eclipse.

Learn best practices, central concepts, and complete integration for Maven, Nexus Professional, and m2eclipse. Sonatype books offer the latest content for the software development tools you depend on.

The fourth book in our series of books available for downloading is Developing with Eclipse and Maven.

In this book you will learn how to fully integrate Maven with Eclipse, the world’s most widely used IDE for Java development.

Why Maven?

Maven is a software build tool, but it is much more than that. Maven is also a project management tool. It is designed to be flexible, easy, and intuitive – to be a more efficient and comprehensive build tool.

Why Eclipse?

Eclipse is the most widely used IDE for Java development today. Eclipse has a huge amount of plugins and an innumerable amount of organizations developing their own software on top of it. Quite simply, Eclipse is ubiquitous. The m2eclipse project provides full integration for Maven within the Eclipse IDE.

Maven Central contains over 260,000 artifacts and serves over 70 million downloads every week. It has become the principal resource for exchanging Java artifacts with demand doubling year over year. Getting artifacts into Central is the most effective way to get your software to developers since every build tool that can download Java libraries knows where to look for a world of libraries and dependencies, and that single, authoritative place is Maven Central.

Earlier this year, we announced the availability of official repositories in the UK to improve performance for the users in Europe. Today we are making the artifact download statistics available to the projects whose artifacts are served by Central. This has been one of the most frequently requested features by project teams. Since the raw Central logs are larger than seven gigabytes every day, processing this data is no small undertaking.

The statistics are available to all projects hosted using Nexus at http://oss.sonatype.org, http://repository.apache.org and http://nexus.codehaus.org. These three avenues represent the majority of projects actively contributing artifacts. Nexus’ security mechanism already in place on these instances provides a mapping of repository path to project which allowed us to easily roll up the counts for each team. Read more to find out how to access your project’s statistics.

Accessing Your Project’s Statistics

Current OSSRH, Apache and Codehaus users don’t need to do anything to gain access to these statistics. If you have deployer permissions for your project, you should already be able to see the Central Statistics link in the Views/Repositories section in the left-hand menu area. NOTE: In some cases, users with early access to the plugin have reported needing to click the web browser’s Refresh button before seeing the link.

Clicking on the Central Statistics link will open a tab showing you:

• a line chart depicting the volume of raw downloads of your artifacts from Central over the past 12 months
• a pie chart breaking down the last month’s worth of downloads of your project by artifactId
• a sortable grid containing the counts that generated the pie chart

If you only have access to a single project with a single groupId, the page will be fully populated upon opening the tab. If you have access to multiple projects or a project encompassing multiple groupIds, you will need to select a project and groupId on which to report. You can also use artifactId and version combo boxes to further narrow down the reporting scope for the timeline, the pie chart, and the grid.

The pie chart and grid can be further constrained by a date range combo box that defaults to the last month, but can be used to report on the last 3, 6, 9, or even 12 months or to select a single month for reporting.

Finally, the plugin offers two types of reports. Downloads is the default and simply reports on the number of successful downloads of your artifacts. Unique Ips is the second report type and gives an idea of how many unique users are downloading your artifacts. It is also possible to export the raw data to CSV so that you can analyze it using your own favorite tool.

Frequency of Update

Currently we generate the statistics to a granularity of a single month, so you can expect to see the new results appear within a few days of each new month.

Send us Suggestions and Feedback

This is just the first release of this plugin, and we invite your feedback and recommendations, not just on how to improve the look and feel of the plugin but also for new reports you’d like to see in the future. You are welcome to create issues in the following JIRA project:

https://issues.sonatype.org/browse/CENTRALSRV

When creating issues, please assign them to the “Central Statistics Plugin” component.

The NYJavaSIG will be holding their monthly meeting this week, and Sonatype founder Jason van Zyl is attending to present on Next Generation Development Infrastructure.  The NYJavaSIG is a technical community comprised of Java software engineers, Java application designers, technical managers and new media Java developers that have a common interest in all aspects of Java Technology. They currently have over 6,500 members.

Event details:

• Location: Credit Suisse – 11 Madison Avenue, New York, New York (see map below)
• Date: November 18, 2010
• Time: 6:30pm-8:30pm
• Event Website: http://www.javasig.com/meeting/show/35

View Larger Map

On Thursday November 18 Sonatype founder Jason van Zyl will be attending the NYJavaSIG Java user group meeting.

The NYJavaSIG is a technical community comprised of Java software engineers, Java application designers, technical managers and new media Java developers that have a common interest in all aspects of Java Technology. They currently have over 6,500 members and meet once a month.

van Zyl will be giving a presentation on Next Generation Development Infrastructure with Maven, m2eclipse, Nexus and Hudson.

Event details:

• Location: Credit Suisse – 11 Madison Avenue, New York, New York 
• Date: November 18, 2010 
• Time: 6:30pm-8:30pm
• Event Website: http://www.javasig.com/meeting/show/35

This week Sonatype will be at JavaOne 2010 in San Francisco, California.  JavaOne is an annual conference to discuss Java technologies among Java developers. JavaOne is being held at the Moscone Center in San Francisco and is co-located with Oracle OpenWorld from September 19-23.

Technical sessions on a variety of topics will be held each day from leading experts in the Java, PL/SQL, rich internet application development, SOA communities.

If you’re attending JavaOne, be sure to pop by the Sonatype booth (5509) to learn more about our latest projects!

This year, the Sonatype team will be giving three presentations at JavaOne.  If you can’t be there in person, follow Sonatype on Twitter for the latest updates!

If you already use Maven, developing a Android application isn’t going to be a stretch. There’s a very active community of open source projects for maven-droid development, and the Android SDK artifacts are available on Central.

You’ve probably noticed increased advertising for Google’s Android platform over the past few months. The mobile wars are heating up with the release of iPhone 4 and Android-based phones seem to be gaining market share at a rapid pace. Even if you don’t already develop for a mobile platform, you, your company, the organization you are a part of has started to have discussions about developing applications for these smart phones.

If you are thinking about mobile development with Maven, Here are some pointers to some great resources to get you started:

• Android SDK artifacts are now available in Central. This means that you can create a project and get started without having to manually install artifacts.
• Manfred Moser has some free sample code and Maven projects
• There is an active and rapidly developing m2eclipse Android plugin from Hugo Josefson and Ricardo Gladwell which adds Android support to m2eclipse.

If you are looking at mobile development, you’ve got two big choices: Apple’s iOS 4 or the Android platform. I’ve used both, I’m impressed with Apple’s tools: they have great APIs, XCode is a really capable tool, but learning a whole new set of tools does seem to be a high barrier for most developers. Droid does Maven, and because of that, there is a much lower barrier to experimentation.

When a technology connects with a tool like Maven, it opens up new possibilities for developers.

Chariot Solutions, a leading technology consulting firm specializing in software development with Java and open source, is now a Sonatype Certified Training Partner.  Sonatype chose Chariot Solutions as a partner because of their deep understanding of Java training.

We are excited to have Chariot Solutions as a Certified Training partner…Organizations can rely on Chariot Solutions to provide a quality learning experience that will help them gain the most business value from their investment in Sonatype.

To learn more about Chariot Solutions, visit their website at www.chariotsolutions.com.  For more on Sonatype’s partnership with Chariot Solutions, click here.