Resources Blog Skeleton Key

Skeleton Key

A skeleton key is capable of opening any lock regardless of make or type. Do you know anyone who has one? I do. Lots of them.

At the HP Protect conference last week in Washington DC, the theme of their conference was “think like a bad guy”. They introduced us to known hackers, their approaches to infiltrating organizations, and the trends in their behaviors. They also introduced us to the people who hunted down the hackers and successfully captured them.

For a moment, I started thinking like a bad guy. Then it hit me. The attackers have found their source of skeleton keys.

Want to decrypt someone’s private communications? The attackers have a skeleton key that unlocks the Bouncy Castle Cryptography API component. That key can unlock the API in over 11,000 organizations worldwide.

Want to stroll into someone’s Jetty web application server? There is a skeleton key for that too. It works for more than 36,000 organizations.

The rub: The skeleton keys work because we as industry have to do more to make vulnerable versions of open source components known to the masses. We need broader awareness for this avoidable risk we're all taking. The more these bad versions of components are used, the more locks your attackers can pick. Over the next several months, you'll see us and others joining the mission to 'Raise the B.A.R.R' - Ban Avoidable Risk and Rework. Start here and join the mission today!

The good news: Open source projects for Bouncy Castle and Jetty (and many other components that you likely use) have long ago released fixes to these vulnerabilities in new component versions. Your development teams have access to these components and with the right tools can easily update these vulnerabilities found in your applications.

By now, I hope you're asking...are there skeleton keys that could lead to a breach in my organization? Are there newer more secure versions of popular open source components that I could be using in software development today? An easy question to answer...

Take 5 minutes and do our Application Health Check. (This is the same tool HP has embedded in their Fortify on Demand offering). If you're using Nexus and you want to start by seeing the vulnerabilities in your repository, be sure you've turned on the Repository Health Check feature. Both are free services and are a great place to start when trying to Raise the B.A.R.R in your organization. Pass on the knowledge learned here, that's how the word is spread and the avoidable risk is reduced.

Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.