Maven works by using a central repository for storing verified Java artifacts. That means all the popular libraries, projects, frameworks and code stores are generally available in the Maven Central repository for anyone in the world to use for their builds.

This places Maven at the top of the Java food chain, and van Zyl said that Sonatype is in a unique position to observe all security updates for the entirety of Java. Thus, he said, Sonatype can serve as a security Sherpa for enterprises that use open-source Java components.

“We’re purely focused on the third-party open-source component consumption. We’ve had to make something pretty sophisticated to look into a JAR file or classes,” said van Zyl. He said that Sonatype not only tracks major security vulnerabilities in Java projects but has also released scanning tools to check for open-source code embedded or modified in other programs. This ensures that existing vulnerabilities aren’t missed when the vulnerable code sits inside other code.

How does Sonatype stack up against traditional security-scanning companies? “They’re focused on scanning your code, we are focused on working with the third-party open-source binaries we download,” said van Zyl. “As far as we can tell, our customers’ application development has essentially become component assembly, we’ve seen [that] upward of 80% of it is open-source components, or higher. Then there’s the small bit of business code you’re writing that adds value.”

Commercial accountability

While Sonatype is focused on ensuring the security of existing open-source components, and alerting users when they need to update a vulnerable library, SaaS code-scanning company Veracode is taking on matters from the other side of the fence. While Veracode cut its teeth scanning binaries for security holes, it’s now offering to scan third-party applications for a fee as well.

Ed Jennings, executive vice president of sales, marketing and services at Veracode, said that this new approach is far broader in scope than straight code scanning.

“The program we’re enabling is vendor application security testing,” he said. “This is a fully outsourced program. Our application security experts come in and define the policies you want for third-party applications—what they’re going to have to do for compliance, and such. We get the list of all application partners and their contact info, and we’ll take responsibility for reaching out to those partners scanning the applications. We’re helping them scan the output and to perform other forms of mitigation. Then we work them through to comply to the enterprise policy.”

This approach takes the security compliance burden off the end users, said Jennings. “We would be testing 100 out of 10,000 applications for a bank. They pay for us to go scan third-party vendor applications. They had to prioritize the 100 highest-risk vendors. They’ll keep paying for those, but for the thousands of other vendors, they give us the list of contacts and applications, and then we go contact them directly for our new mandate. This allows for enterprises to scale thousands of applications, while diffusing the cost to the supply-chain partners themselves.”

But no matter the solution, it would seem that security is not something that can be fixed just by pointing an in-IDE tool at the developer and throwing alerts when coding policies are violated. With so many applications coming from so many different sources, simple code scanning and in-IDE compliance tools aren’t enough to ensure security in this dangerous new world.