Did you know that open source software security reviews once took an average of 25 days just to sort and map the dependencies?
Now that we're living in "the future"? Try five minutes. BOOM!
Yes, it's true, say Sonatypers Jerry Gergel and Melanie Latin. Their Nexus User Conference presentation -- geared specifically for developers -- looks at how Nexus Lifecycle works like a high-grade, magnifying-glass-meets-sunlight weapon for finding and burning up bugs.*
Some context is necessary. According to last year's State of the Software Supply Chain Report (a new one is dropping very soon), the average application is composed of 85% open source software. The average application contains 106 OSS components, 23 known vulnerabilities, and roughly 8 policies, legal or technical, to manage.
How do you, the developer, know whether these parts are still good? Which policies should you enforce? What might break the build if you alter or remove a component? Or -- what if you didn't build the software to begin with, but are now in charge of it?
The fastest solution is to use Nexus Lifecycle, which is powered by Sonatype's IQ Server, to scan the application. In five minutes you'll identify the components, know how to reduce risk, and begin to set the parameters that define "bad" components in your project.
Jerry and Melanie offer best practices once you’ve identified violations:
For more details watch Jerry and Melanie’s presentation, below, starting at 01:59. Or scan your app to check for vulnerabilities, for free, with the Nexus Vulnerability Scanner here.
*No actual bugs were harmed with this analogy. Many real life bugs are apex predators fighting for good. Looking at you, ladybugs.