Software components are a vital aspect of app development. They are the pieces of code that make the software what it is, and they can come from thousands of sources. But they can be subject to tampering. For example, last summer, Chinese hackers exploited vulnerabilities in Struts, an open-source framework for developing Java-based web applications. Struts has been managed under the umbrella of the Apache Foundation. It was recently announced that Struts had reached its “end-of-life” and will no longer be supported.
To help address this issue, Sonatype has updated its component lifecycle management (CLM) technology to protect software developers from using rogue open-source components that could be used to attack any kind of software, including an app for your phone or even your car or heart monitor. The technology then automates the process for enforcing policies that help provide assurances to the software developer that the components are okay to use.
Sonatype allows for components to be fixed through the software development cycle to help identify flaws such as those that surfaced when Struts was hacked.
Features in the new version include an inventory that notifies developers about the potential issues of the components that might include security risks and what components are out of date or might have potential licensing liabilities. It also includes the ability to replace unsafe components with the appropriate version. It’s that ability to identify components that becomes important as software integrates into everyday things, said CEO Wayne Jackson in a recent phone interview.
Sonatype also announced that it has hired well-known security expert Josh Corman as its chief technology officer. Corman, who is known for his work at 451 Research, Akamai and IBM, tells me in an email that the work at Sonatype correlates to his focus on defensible infrastructure, application security and how to make the Internet of Things less vulnerable to attack. A preventive approach is needed with the spread of connected things. In many respects IT is growing faster than the ability to secure it, as he discussed in a TED talk this past December.
So does the risk of open-source software components unleash an unhealthy dose of FUD? No. Instead, it’s a good reason to give thought about how to prevent security exploits instead of just continuing reacting to crises as they inevitably arise.