It's a well-recognized fact that the earlier a security exposure is found, the less it costs to fix. Sonatype CTO Jason van Zyl wants to carry that finding out to its logical conclusion and detect and fix vulnerabilities during development.
Van Zyl is the author (with assistance from Bob McWhirter) of the Apache open source project Maven. The Java build tool, which assembles source code into a compiled application, is used by about 76% of Java developers. He went on to found Sonatype, a company that produces a set of products around Maven and the Maven Repository, the code management system that stores Maven application builds.
Van Zyl was happy to exit the noisy exhibit hall of the JavaOne show going on this week in the Hilton Hotel off San Francisco's Union Square as a part of Oracle OpenWorld. Taking a seat in the quieter, inviting hotel lobby, van Zyl was happy to talk about where producing tools around the Maven Repository has led. His parents, he noted, were an architect and a city planner. It was drilled into him that if you don't build the infrastructure right and maintain it, the city is a less effective environment than it might be for creating wealth. "The same goes for code," he concluded.
Sonatype in 2005 offered a Java component repository online that was quickly recognized by Java developers as a central source of reliable code. Enterprise applications are typically built using 75-80% open source components, with custom code comprising the rest. Sonatype tries to make a complete library of known components available.
But what van Zyl has found is that several versions of a component often exist side by side. If one has been found to contain a vulnerability, it will get fixed and updated by open source developers in the repository, but there are still thousands of unfixed older copies in use in enterprise applications. One of the leading examples is Java Struts 2, the Java framework for building interactive Web applications. First produced 10 years ago, it was instantly popular with Java developers as a way to get Web applications that needed to interact with databases up and running more rapidly.
But a white paper on the Sonatype website says in 2010 a weakness was discovered that lets attackers execute arbitrary code they insert in place of the expected Struts parameters. The corrected version was downloaded one million times by 18,000 organizations in 2011, but van Zyl doubts every Web application using Struts has been updated.
"We started cataloging vulnerabilities in applications that can make them remotely exploitable," said van Zyl. Sonatype partners with Aspect Security, which researches vulnerabilities in Java code. Sonatype makes the findings available through its online Insight service. The same service is also available behind the firewall through its Nexus product, an on-site Maven repository. Insight scans each new component of code, looking for known vulnerabilities, and it alerts the developer if it finds one. Those scans prevent known vulnerabilities from being built into applications, only to be found and corrected later.
[ Another check on open source code vulnerability was done by Coverity, which found Linux, the Apache Web Server, and other open source code had the same or fewer bugs than commercial code. See Open Source Quality Improving, But Development Assumptions Need Revising. ]
Likewise, the APIs of a Nexus repository can be exposed to the Eclipse integrated development environment, used by about two-thirds of the estimated nine million Java developers. Through a plug-in to Eclipse, developers can ask the Insight service to scan a component they're considering using. At some point in the future, there will be an addition for the Spring Framework to allow the same check, said van Zyl.
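The kind of check the preceding paragraphs describe, a component scan against a catalog of known vulnerabilities that runs at build time or from the developer's IDE, can be illustrated with a small script. The following is an added example, not Sonatype's Insight or Nexus code and not drawn from the article: it reads the dependencies of a Maven pom.xml and compares each declared version against an advisory catalog. The pom, the artifact coordinates under `org.example`, the version ranges and the `ADV-CONSTRUCTED-*` advisory identifiers are all constructed for illustration; a real scan would consult a maintained vulnerability database instead of the inline dictionary.

```python
"""Added example: gate a Maven build on a known-vulnerability catalog.

Not Sonatype's code. The pom.xml, the catalog and the advisory ids below
are constructed placeholders, not real artifacts or real advisories.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml for a fictional project (not a real application).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>bank-portal</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>2.0.11</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-utils</artifactId>
      <version>1.4.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory catalog (hypothetical): (groupId, artifactId) ->
# list of (advisory id, first affected version inclusive, first fixed version exclusive).
CATALOG = {
    ("org.example", "web-framework"): [
        # an old copy still in use even though the repository carries a fixed release
        ("ADV-CONSTRUCTED-001", "2.0.0", "2.0.12"),
    ],
    ("org.example", "json-utils"): [
        # already fixed in 1.4.0, so the 1.4.2 used above is clean
        ("ADV-CONSTRUCTED-002", "1.0.0", "1.4.0"),
    ],
}


def parse_version(v):
    """Turn '2.0.11' into (2, 0, 11) so versions compare numerically.

    Comparing as strings would wrongly rank '2.0.9' above '2.0.11'.
    Non-numeric suffixes such as '-SNAPSHOT' are ignored for this example.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each dependency declared in the pom."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    for dep in root.findall("m:dependencies/m:dependency", ns):
        group = dep.findtext("m:groupId", namespaces=ns)
        artifact = dep.findtext("m:artifactId", namespaces=ns)
        version = dep.findtext("m:version", namespaces=ns)
        yield group, artifact, version


def scan(pom_xml, catalog=CATALOG):
    """Return findings as (groupId:artifactId, version, advisory id, first fixed version)."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        used = parse_version(version)
        for adv_id, first_bad, first_fixed in catalog.get((group, artifact), []):
            if parse_version(first_bad) <= used < parse_version(first_fixed):
                findings.append((f"{group}:{artifact}", version, adv_id, first_fixed))
    return findings


def gate_build(pom_xml, catalog=CATALOG):
    """Build gate: True if the build may proceed, False if a known-vulnerable dependency is present."""
    findings = scan(pom_xml, catalog)
    for coord, version, adv_id, first_fixed in findings:
        print(f"ALERT {coord} {version}: {adv_id}, upgrade to {first_fixed} or later")
    return not findings


if __name__ == "__main__":
    print("build allowed" if gate_build(SAMPLE_POM) else "build blocked")
```

Run as written, the script blocks the build because `web-framework` 2.0.11 falls inside the affected range; bumping that dependency to 2.0.12 lets it through. The point of placing the check on the build path, as the article argues, is that the alert reaches the developer while the choice of component is still cheap to change.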
Sonatype started out trying to catalogue and make available all the open source Java components. It's succeeded at that well enough that van Zyl has lost some of the enthusiasm he had as a younger programmer for the sheer output of components enabling new functions. He's come to see the existing code base, including older and the latest components, as part of the overall programmer's ecosystem, and the health of that ecosystem will depend on how effectively it can reduce its known vulnerabilities and protect its users.
"Some Java developers think of it as securing the supply chain," he said, meaning the supply chain that produces new enterprise applications from components. Speeding up production will be less of an accomplishment if the open source components used carry vulnerabilities into the application.
Large banks are often big users of Java. One that van Zyl knows of runs 14,000 in-house applications. Knowing whether a bug once existed in one of the components used in one of those applications is a herculean task. But a bank that allows a malware intrusion, thanks to a known exposure that it failed to act upon, is risking its ability to comply with regulations and is vulnerable to lawsuits.
"Some banks employ 20,000 or 30,000 developers. It's crazy the amount of software they're creating," says van Zyl. When the Struts exposure was aired, van Zyl didn't quite believe something that he had been frequently using was vulnerable, so he tried inserting a bit of malware himself and found that it worked. No special intruder know-how or tricks were needed; only the knowledge that the 2010 version of Struts had no defense against an intentional substitution of code in the parameter fields. Such an exposure would allow a programmer to launch a shell program that would allow him to snoop around the rest of the application.
"After that, I started to worry," he said.
"Developers are under constant pressure to produce more features. If a safeguard isn't built into the development workflow, it won't happen," van Zyl concluded.
Sonatype's Insight service is priced at $500 per application scan, or customers may purchase a package of scans that start at $10,000.
Maven and the Maven Central Repository, like Linux, the Apache Web Server, and Tomcat application server, are widely adopted open source code, licensed by the Apache Software Foundation.