Security isn't just about defending against application-level attacks; it's also about making sure applications aren't using out-of-date and at-risk software components.
Software development vendor Sonatype is tacking this issue with its updated component lifecycle management (CLM) 1.8 release. The basic idea behind CLM is to make sure that the components used in application development and deployment are up to date, which helps limit the risk of exploitation from known and already-patched software defects. With its CLM 1.8 release Sonatype tweaked the software to make it more transparent for an organization to determine risk as well as to determine options for swapping out a risky component with a better one.
"Most fundamentally we're about helping organizations develop better software," Sonatype CEO Wayne Jackson told eSecurity Planet. "Last year we served something on the order of 13 billion open-source components."
Sonatype operates the Central Repository, which is a storehouse for open-source code components used by developers to build applications.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Open-source code components, like any other type of software, can be revealed to have defects and security vulnerabilities over time," Jackson said. "Building awareness and helping developers to become aware of new security discoveries turns out to be a real challenge for the industry."
That's where Sonatype's CLM comes into play. A key feature of CLM is its ability to help organizations keep track of the components that have been deployed. The idea is, if a vulnerability in a component is discovered, with CLM an enterprise can take appropriate steps to update and reduce the risk.
Jackson sees CLM as a tool for managing the application development supply chain and its integrity. Much like an automotive vendor can manage its supply chain and notify consumers in the event of a recall, the same mechanisms should be in place for applications in Jackson's view.
Jackson is no stranger to the security industry, having served as CEO of IPS vendor Sourcefire when it went public in 2007. Cisco acquired Sourcefire in 2013 for $2.7 billion.
Sonatype's history is rooted in the Java programming language, though its solutions now also work with .NET applications. By the end of the third quarter of 2013, the plan is for Sonatype to support all of the mainstream open source languages, Jackson said.
Looking ahead, Jackson said that Sonatype has an announcement coming this year that will tie his company's technology together with static analysis scanning for software defects.
"We need to make it easy to make it easy to integrate with other sources of metadata," Jackson said.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.