Heartbleed

Open Source OpenSSL vulnerability


Are we doing enough to prevent future Heartbleeds? Here is what you can do now.

As the Heartbleed bug wreaked havoc on the internet, we at Sonatype began thinking about the lessons learned from this recent security scare and how, collectively, we can develop a process for mitigating the next major exposure.

Was this OpenSSL vulnerability an oversight by system administrators installing unknown software? The simple answer is no. OpenSSL is the de facto SSL implementation used on most internet servers around the world. This is not an untested, unverified component that slipped past security audits.

How can this happen?

A critical question to ask after security incidents such as this one: "Is the vulnerable version of OpenSSL still accessible and available for download, whether in a proxy repository or on a public download site?" This isn't as far-fetched as it initially sounds. Let’s take a look at other components that have had well-publicized vulnerabilities:

  • This popular open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.
  • In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times—despite warnings given five years earlier.
  • A version of this component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.

Infographic: Heartbleed. Everything was fine until, suddenly, it wasn't.

What are components? What's the risk?

These days, developers are assembling the majority of applications from open source building blocks called "components", which are shared across a vast global developer network.

Yet your organization probably doesn’t know which components are used, where they are used, or their current threat levels.

Sonatype created Component Lifecycle Management (CLM) to help you avoid unnecessary risk by providing complete visibility into component security, license and quality data.

How can Sonatype help you?

Sonatype Component Lifecycle Management (CLM) is the first solution to deliver component information, controls, and remediation options in a developer-friendly way. You can:

  • Find and remediate security problems early in development using the tools your developers use every day. No extra work or delays.
  • Automate policies for open source security, license, and quality, with integration throughout your software development lifecycle.
  • Monitor continuously to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.


Not all vulnerable components make big news. But they should.

Sonatype CEO Wayne Jackson interviewed by the Wall Street Journal, Fast Company, CNN Money...

Minimizing risk while accelerating development of component-based applications


Assess your current application risk in 2 minutes – it’s confidential and free.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."

  • Confidentially and quickly analyze your Java open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality, and license risks
  • Analyze both internal and third-party applications
