Alternative tools are prone to false positives and negatives because they scan apps “as declared” and trust developers to disclose the truth about dependencies embedded in software.
Nexus scans apps “as deployed” utilizing Advanced Binary Fingerprinting (ABF). The result is a precise read on embedded dependencies and a Software Bill of Materials (SBOM) that reflects the truth about third-party risk. ABF identification utilizes cryptographic hash for binaries, structural similarity, derived coordinate, and file name. It can even identify renamed or modified components whether they were declared or not, misnamed, or added to the code base manually.
The recent Octopus Scanner is a great example of why scanning the manifest is not "good enough" to identify malicious components being injected into our software supply chains.
Public databases like NVD provide a relatively small and typically outdated view of open source security vulnerabilities.
Nexus Intelligence however, delivers a universal and timely understanding of open source security risk. It has ingested and analyzed more than 65 million components and it never stops learning, using natural language processing to dynamically monitor every GitHub commit to every open source project, advisory websites, Google search alerts, OSS Index, and a plethora of vulnerability sites. Additionally, new vulnerabilities are regularly discovered by our own researchers and added to our proprietary knowledge base.
Nexus Intelligence also see things that others simply can't, continuously gaining insight from more than 4 million instances of Nexus Repository Manager, and from 146 billion components requested annually from The Central Repository.
Whenever new vulnerabilities are disclosed or discovered our team immediately validates the exploit path, identifies the root cause, and creates actionable information to help organizations (and development teams) evaluate, triage, and remediate threats faster than adversaries can attack. Guidance is carefully curated and written for easy consumption by frontline software developers. Instead of cryptic security alerts that are difficult to decipher, Nexus Intelligence provides developers step-by-step instructions on how to detect and remediate the vulnerability, including upgrade path and the root cause, relative risk of other component versions, and workarounds to avoid refactoring code.
Nexus Intelligence is the only security research service that actively practices “secondary expansion,” an extra level of investigation to determine if newly discovered vulnerabilities are also present and exploitable in other components. It’s important to go the extra mile because it's common for open source projects to borrow code from other projects. Simply stated, if a single vulnerability exists in multiple libraries, we automatically let you know. Over the past 5 years, we've associated vulnerabilities to 3 million more components than public databases. Learn more about the npm event stream attack and how we identified additional vulnerable components via secondary expansion.
Whenever new open source vulnerabilities are disclosed, criminals immediately begin looking for opportunities to exploit them in the wild. As a result, it’s literally a race between “bad guys” and “good guys” to see who acts first. Companies lose when bad actors are able to exploit open source vulnerabilities faster than they can remediate them.
When it comes to managing the constantly evolving security threats within open source, speed is absolutely critical. That’s why Nexus Intelligence works 24x7x365 to stay abreast of the changing threat landscape and publishes detailed information on new vulnerabilities 10X faster than NVD.
Over the past two years, more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories were recorded. Open source projects impacted by malicious injections have been difficult to detect because, on the surface, they look no different than other open source code contributions.
To combat this new type of attack, Sonatype developed patent-pending technology to monitor millions of open source projects in real-time to identify abnormal development behavior and suspicious patterns as new component versions are released. Now developers and security teams alike can see within Nexus Intelligence when a component version has been detected as malicious code.
From our humble beginning as core contributors to Apache Maven, to supporting and maintaining the Central Repository, OSSIndex, and the Central Security Project, we’ve long played a meaningful role in helping the global community of software developers embrace the power of open innovation. We're passionate about the community and we're dedicated to providing premium security research to help owners and consumers of open source projects minimize risk and maximize value.