News and Notes from the Makers of Nexus | Sonatype Blog

Activate Your Shield Against Open Source Invasions

Written by Katie McCaskey | August 09, 2019

What are infinity stones, and where are they located in the Nexus platform?

Mike Van Doren has some ideas. He’s a fan of the Avengers, a Marvel comic universe where infinity stones grant superpowers. He explains the connection in his Nexus User Conference presentation, OSS Endgame: Nexus Firewall as Your Shield Against Open Source Invasions.

Nexus Firewall helps all of our customers on a regular basis,” says Mike. “It shields them from open source challenges and from bringing in software components with vulnerabilities.”

Expanding Your Superpowers

He continues, explaining through the lens of superpowers infinity stones are said to control:

  • Space - Nexus Firewall expands your universe of pipeline protection.

Example: Firewall connects with many popular tools. This gives you a comprehensive view of your software supply chain. We can layer JFrog’s Artifactory into Firewall, connect it to Nexus IQ, and protect you from all angles.

  • Reality - Nexus Firewall helps you understand all elements of your repository’s health, offering ongoing feedback for ultimate control.

    Example: Firewall runs regular audit reports. Use it to take unwanted components out of distribution, automatically.

  • Power - Nexus Firewall allows you to quickly quarantines policy violating components. This grants you power over adversaries who wish to cause trouble.

    Example: Firewall automatically moves questionable components into quarantine, before they can do harm. Gartner research predicts that 99% of future attacks will come from a known vulnerability by 2020. Policy automation is key.

  • Mind - Nexus Firewall allows you to leverage the minds of 65 world-class data researchers, allowing you to “automate faster than evil.”

Example: Nexus Firewall goes beyond the NVD data. Instead, Sonatype hashes (fingerprints) every individual component. Sonatype has identified 1.5 million unique vulnerabilities, and adds more daily. (An example is the Jackson-databind.) Active researchers, plus precision, prevents bad parts from entering the software supply chain.

  • Time - Nexus Firewall establishes policies to tackle threats -- including auto-remediation -- giving your more time to respond.

Example: All emerging threats...

Invasion Tactics are Evolving

Sonatype’s tools help organizations identify, locate, and remediate security issues. Yet, adversaries are growing more sophisticated in their attacks. “Now we’re seeing poaching npm credentials, ingesting python or pypi publishing credentials,” says Mike, “or people getting involved in open source projects, and injecting malicious dependencies or other backdoor code.”

Nexus Firewall addresses this through policy level automation. Use it to automate what is allowed into the developer’s repository. By inspecting specific coordinates or libraries, Firewall places restrictions on band license, AGPL, known security vulnerabilities, or architecture. Block it at the proxy or firewall stage.

For example, we can create a policy that blocks newly updated or newly created components. This way, the community can validate it first. Used in combination, Nexus tools address different attack styles.

“If we know a component is a problem, we want to stop them before it’s used in development,” explains Mike. “The most expensive time to rework/remediate an application is if you wait until the end, with a ‘scan and scold’ approach at the end of the development pipeline.”

He concludes: “We want to arm development teams, and arm everyone else, to understand security early.” The best superpower? “Simply do not use components that are known to be vulnerable.”

Watch Mike’s entire presentation here:

 
View full post