|By Larry Roshfeld||
|September 20, 2011 02:00 PM EDT||
It's a scenario with which many Java developers are all too familiar - and one which many fear. You log on to the network or arrive at the office to discover your Chief Security or Compliance Officer, Application Manager or even a VP of Sales and Marketing in a state of panic. A commonly used open source component has a serious security vulnerability that may expose your client-facing applications to attack. Even worse, the flaw was identified a few weeks ago, but your organization has just heard about it.
The questions and accusations fly: "Why are we using open source components for our critical business applications?!" "Why don't we just rip out this component and replace it with something more secure?" "Do you have any idea what will happen if people discover that our applications have a security flaw?!" "This could negatively impact revenue and our reputation!" And, of course, "What are you going to do to fix this - and ensure it never happens again?!"
How would you answer those questions? What would you be able to do in this situation? If you don't have immediate answers, or an established action plan, you are not alone. It's likely that you would have no easy way of knowing exactly where you have used that particular flawed software component during application development. And once you figure out which applications are using it, you'll have to re-create the development environment, find or write a new version of the component that is more secure, and then build, test and deploy the new version of the application - all of which could take weeks.
To avoid this scenario altogether, application developers need new ways to mitigate the risks of open source without disrupting current development processes. Thankfully, there are specific strategies and new tools available that can help Java developers leverage open source while establishing a more aware, less risky and more robust supply chain. But before we discuss those, let's take a moment to examine open source usage and its associated challenges.
The Rise and Risks of Open Source
Gartner estimates that by 2013, 90 percent of Global 2000 enterprises will include open source software (OSS) as business critical elements of their IT portfolios - and by 2016, that number will increase to 99 percent. It makes sense that open source use is on the rise. Java developers already know that open source offers unmatched flexibility, the power to control and easily modify code and optimize performance. The bottom line: using open source components for software development improves an organization's ability to deliver higher quality software faster at lower cost. However, most Java developers have limited ability to govern the selection, management and distribution of open source components, which can expose your organization to unforeseen technical and compliance risks, including potentially significant threats to software quality, stability, performance, security and intellectual property.
The Central Repository, the industry's leading repository for all major OSS projects, contains more than 300,000 Java artifacts and is accessed by developers nearly four billion times a year - making it one of the most visited sites on the Web today. As stewards of the Central Repository, Sonatype can access, mine and share insight on open source component usage of more than 40,000 software development organizations. We've discovered that many developers are downloading open source components without any reliable way to monitor or control usage, which can introduce significant security threats and licensing risks that can derail development processes and quickly undermine quality production values. In a 2011 Sonatype survey of 1,600 software developers, team leads and architects, 87 percent of respondents stated open source component use is ungoverned within their organization's development process. There are better ways to use open source components without exposing your organization to so much risk.
Mitigaging Risk Across the Application Lifecycle
To manage the use and risks of open source throughout the application development lifecycle, organizations must implement corporate standards for open source-based development. And Java developers need specific tools to manage risk and maximize business value of open-source components. There are tools available now that can help you maximize the ROI and minimize the risk of open source as you design, develop, build, test and move applications into production.
Choose the Best Components
First and foremost, you need a better way to select components to ensure that only the highest quality components are used in your builds. Obviously, with more than 300,000 components available in the Central Repository, it is difficult to ensure usage of the highest quality components, particularly as components are continually being updated. Of 12,389 open source artifacts updated in 2010, 63 percent were updated two or more times and 30 percent were updated four or more times. Fifty-eight percent of respondents to Sonatype's Software Development Infrastructure survey said that they search the web to find out about component changes and 28 percent said there is just no reliable way to find this information. However, there are tools designed to improve open source component quality from the start by helping you choose the best components from within the IDE. You can even search for and find components by category, license, quality and security information as well as receive alerts regarding component updates to ensure flawed components are not accidentally included in your applications.
Identify Security Vulnerabilities
It's not uncommon for vulnerabilities to be discovered in popular components. Even when security warnings are posted and easily accessible, they are often overlooked. In March 2009, the United States Computer Emergency Readiness Team and the National Institute of Standards and Technology (US-CERT/NIST) issued a warning that the Legion of the Bouncy Castle Java Cryptography API component was extremely vulnerable to remote attacks. In January 2011, almost two years later, 1,651 different organizations downloaded the vulnerable version of Bouncy Castle from the Central Repository within a single month. In January 2010, the US-CERT/NIST posted an alert via their National Vulnerability Database that Jetty had a critical security flaw, which might allow attackers to modify a window's title, execute arbitrary comments or overwrite files and allow unauthorized disclosure of information. Regardless of the warning, in December of 2010, nearly a year later, approximately 11,000 different organizations downloaded the vulnerable version of Jetty from the Central Repository in a single month.
You can do more than simply search the Web or rely on word-of-mouth to find out about security flaws. In fact, it's possible to proactively manage open source component usage throughout the software design and development process. Look for tools that allow you to see quality, security and license details about components from within your development environment during the design phase and that will alert you to security vulnerabilities and catch flawed components during development, production and even after the application goes live.
Streamline Dependency Management
Using open source components makes it easy to build applications quickly. But for each component you include, there are often tens of other components it depends on in the application. Dependency management can quickly become a costly and time-consuming manual process as typical applications are comprised of dozens or even hundreds of open source components, and each of these in turn depends on additional components. Established open source usage controls and dependency management can help you minimize the quality, security and licensing problems that can result from the ungoverned use of open source software components.
To further streamline dependency management, implement tools that proactively monitor the entire dependency tree, including transitive dependencies (components that rely on other components). They can help you identify exactly which components are used in your applications by scanning complied applications and generating reports of the full dependency tree. You'll be able to easily identify components with known vulnerabilities, see the license types of all components and quickly address components with quality issues whether they are in the first level or deep within your dependency trees. Look for tools with customizable dashboards and automated alerts that will notify you of significant events, such as when a new vulnerability is discovered in a component on which your applications depend.
Address Licensing Issues
Java component-based development introduces unique licensing issues that must be addressed in order to avoid compliance issues that can result in legal and financial penalties. However, as many project owners do not submit correct licensing information to the Central Repository, it is often difficult to determine component licensing terms. And, due to multiple dependencies inherent to Java development, the components explicitly included in your application often rely on tens of additional components for which you need to address licensing obligations. It is critical to implement and follow licensing policies to ensure that you only include components with license obligations that your enterprise is willing to meet. You can also integrate solutions that improve compliance by identifying component licenses and ensure that unwanted licenses don't make it into your applications during development. Select solutions that will scan your existing applications, including all dependencies, to identify problematic licenses.
Step-by-Step Open Source Control
To ensure component integrity throughout the software supply chain and at every stage of the development process, look for integrated tools that provide insight across each step of the application development lifecycle. There are comprehensive solutions available that will help you manage open source usage in an efficient, non-invasive manner without disrupting your current processes. You want solutions that will provide actionable intelligence during each of the following phases of development:
Improve your initial component search and discovery capabilities with tools that identify components by category, license, quality and security attributes. Ideally, you want tools that allow you to see quality, security and license details about each component from within your development environment.
Implement solutions that notify you of security and licensing issues during development and provide assistance in managing multiple versions of components. Eliminate guesswork that can undermine development with tools that enhance visibility by providing detailed information that will assist you in making upgrade decisions as well as resolving potential license compatibility issues.
Select solutions that allow you to drill down and combine component data so that you can monitor and manage open source consumption as you build applications. You should be able to quickly identify quality, security and licensing criteria and use this information as build promotion criteria. Appropriate tools will show you how many and which versions of each component that you've downloaded, point out exactly where you've used it during your build process to help you manage dependencies and alert you to known security vulnerabilities as you build applications.
Look for solutions that allow you to use quality, license and security information as part of your pass/fail criteria as you build and test new applications. There are also tools available that generate application bills of materials during testing, including the full dependency tree to help you avoid known security vulnerabilities and unwanted licenses.
Eliminate error-prone and expensive manual production processes with automated tools that scan your complied applications and generate reports across your complete dependency tree. You'll want to see components with known vulnerabilities or any quality issues along with the license types of all components. The tools you select should also address any newly discovered security flaws in deployed applications.
With better open source policies and integrated management tools, you can manage the risks of open source and still derive the benefits throughout your development processes. Best of all, you can stop worrying about being blindsided by business colleagues should a security flaw or licensing issue be identified in a component you've included in an application. Should the scenario we described at the onset of this article arise, you'll be prepared to answer questions and address concerns immediately. Instead of scrambling for information, you'll be able to generate a report that tells you exactly where the questionable component is being used and recreate your development environment with ease. You'll just need to pull down a new release of the component that has a fix for the security vulnerability and build, test and deploy your new application in hours instead of weeks.
- Driver, Mark. "What Every IT Practitioner Needs to Know About Open Source." Gartner Group. (October 2010).
- Sonatype Software Development Infrastructure Survey. (January 2011).
- 2010 Central Repository Usage Data. Sonatype Inc. (January 2011).
- Vulnerability Summary for CVE-2007-6721. National Vulnerability Database Version 2.2 Sponsored by DHS National Cyber Security Division. (January 20, 2011).
- Vulnerability Summary for CVE-2009-4611. National Vulnerability Database Version 2.2 Sponsored by DHS National Cyber Security Division. (January 14, 2010).
Developing software for the Internet of Things (IoT) comes with its own set of challenges. Security, privacy, and unified standards are a few key issues. In addition, each IoT product is comprised of at least three separate application components: the software embedded in the device, the backend big-data service, and the mobile application for the end user's controls. Each component is developed by a different team, using different technologies and practices, and deployed to a different stack/target - this makes the integration of these separate pipelines and the coordination of software upd...
Oct. 7, 2015 08:00 AM EDT Reads: 138
NHK, Japan Broadcasting will feature upcoming @ThingsExpo Silicon Valley in a special IoT documentary which will be filmed on the expo floor November 3 to 5, 2015 in Santa Clara. NHK is the sole public TV network in Japan equivalent to BBC in UK and the largest in Asia with many award winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology covering @ThingsExpo Silicon Valley. The program will be aired during the highest viewership season of the year that it will have a high impact in the industry through this documentary in Japan. The film...
Oct. 7, 2015 07:45 AM EDT Reads: 104
WebRTC is about the data channel as much as about video and audio conferencing. However, basically all commercial WebRTC applications have been built with a focus on audio and video. The handling of “data” has been limited to text chat and file download – all other data sharing seems to end with screensharing. What is holding back a more intensive use of peer-to-peer data? In her session at @ThingsExpo, Dr Silvia Pfeiffer, WebRTC Applications Team Lead at National ICT Australia, will look at different existing uses of peer-to-peer data sharing and how it can become useful in a live session to...
Oct. 7, 2015 07:30 AM EDT Reads: 515
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Oct. 7, 2015 06:45 AM EDT Reads: 741
WebRTC converts the entire network into a ubiquitous communications cloud thereby connecting anytime, anywhere through any point. In his session at WebRTC Summit,, Mark Castleman, EIR at Bell Labs and Head of Future X Labs, will discuss how the transformational nature of communications is achieved through the democratizing force of WebRTC. WebRTC is doing for voice what HTML did for web content.
Oct. 7, 2015 06:15 AM EDT Reads: 1,336
SYS-CON Events announced today that Luxoft Holding, Inc., a leading provider of software development services and innovative IT solutions, has been named “Bronze Sponsor” of SYS-CON's @ThingsExpo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Luxoft’s software development services consist of core and mission-critical custom software development and support, product engineering and testing, and technology consulting.
Oct. 7, 2015 05:15 AM EDT Reads: 557
The broad selection of hardware, the rapid evolution of operating systems and the time-to-market for mobile apps has been so rapid that new challenges for developers and engineers arise every day. Security, testing, hosting, and other metrics have to be considered through the process. In his session at Big Data Expo, Walter Maguire, Chief Field Technologist, HP Big Data Group, at Hewlett-Packard, will discuss the challenges faced by developers and a composite Big Data applications builder, focusing on how to help solve the problems that developers are continuously battling.
Oct. 7, 2015 04:00 AM EDT Reads: 452
Nowadays, a large number of sensors and devices are connected to the network. Leading-edge IoT technologies integrate various types of sensor data to create a new value for several business decision scenarios. The transparent cloud is a model of a new IoT emergence service platform. Many service providers store and access various types of sensor data in order to create and find out new business values by integrating such data.
Oct. 7, 2015 03:30 AM EDT Reads: 457
SYS-CON Events announced today that IBM Cloud Data Services has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IBM Cloud Data Services offers a portfolio of integrated, best-of-breed cloud data services for developers focused on mobile computing and analytics use cases.
Oct. 6, 2015 10:00 PM EDT Reads: 663
In his session at @ThingsExpo, Tony Shan, Chief Architect at CTS, will explore the synergy of Big Data and IoT. First he will take a closer look at the Internet of Things and Big Data individually, in terms of what, which, why, where, when, who, how and how much. Then he will explore the relationship between IoT and Big Data. Specifically, he will drill down to how the 4Vs aspects intersect with IoT: Volume, Variety, Velocity and Value. In turn, Tony will analyze how the key components of IoT influence Big Data: Device, Connectivity, Context, and Intelligence. He will dive deep to the matrix...
Oct. 6, 2015 08:00 PM EDT Reads: 316
When it comes to IoT in the enterprise, namely the commercial building and hospitality markets, a benefit not getting the attention it deserves is energy efficiency, and IoT’s direct impact on a cleaner, greener environment when installed in smart buildings. Until now clean technology was offered piecemeal and led with point solutions that require significant systems integration to orchestrate and deploy. There didn't exist a 'top down' approach that can manage and monitor the way a Smart Building actually breathes - immediately flagging overheating in a closet or over cooling in unoccupied ho...
Oct. 6, 2015 05:00 PM EDT Reads: 260
SYS-CON Events announced today that Cloud Raxak has been named “Media & Session Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Raxak Protect automates security compliance across private and public clouds. Using the SaaS tool or managed service, developers can deploy cloud apps quickly, cost-effectively, and without error.
Oct. 6, 2015 04:40 PM EDT Reads: 116
Scott Guthrie's keynote presentation "Journey to the intelligent cloud" is a must view video. This is from AzureCon 2015, September 29, 2015 I have reproduced some screen shots in case you are unable to view this long video for one reason or another. One of the highlights is 3 datacenters coming on line in India.
Oct. 6, 2015 02:00 PM EDT Reads: 237
“The Internet of Things transforms the way organizations leverage machine data and gain insights from it,” noted Splunk’s CTO Snehal Antani, as Splunk announced accelerated momentum in Industrial Data and the IoT. The trend is driven by Splunk’s continued investment in its products and partner ecosystem as well as the creativity of customers and the flexibility to deploy Splunk IoT solutions as software, cloud services or in a hybrid environment. Customers are using Splunk® solutions to collect and correlate data from control systems, sensors, mobile devices and IT systems for a variety of Ind...
Oct. 6, 2015 01:00 PM EDT Reads: 584
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the cloud and the best price/performance value available. ProfitBricks was named one of the coolest Clo...
Oct. 6, 2015 01:00 PM EDT Reads: 742
You have your devices and your data, but what about the rest of your Internet of Things story? Two popular classes of technologies that nicely handle the Big Data analytics for Internet of Things are Apache Hadoop and NoSQL. Hadoop is designed for parallelizing analytical work across many servers and is ideal for the massive data volumes you create with IoT devices. NoSQL databases such as Apache HBase are ideal for storing and retrieving IoT data as “time series data.”
Oct. 6, 2015 12:45 PM EDT Reads: 461
Clearly the way forward is to move to cloud be it bare metal, VMs or containers. One aspect of the current public clouds that is slowing this cloud migration is cloud lock-in. Every cloud vendor is trying to make it very difficult to move out once a customer has chosen their cloud. In his session at 17th Cloud Expo, Naveen Nimmu, CEO of Clouber, Inc., will advocate that making the inter-cloud migration as simple as changing airlines would help the entire industry to quickly adopt the cloud without worrying about any lock-in fears. In fact by having standard APIs for IaaS would help PaaS expl...
Oct. 6, 2015 12:30 PM EDT Reads: 590
Organizations already struggle with the simple collection of data resulting from the proliferation of IoT, lacking the right infrastructure to manage it. They can't only rely on the cloud to collect and utilize this data because many applications still require dedicated infrastructure for security, redundancy, performance, etc. In his session at 17th Cloud Expo, Emil Sayegh, CEO of Codero Hosting, will discuss how in order to resolve the inherent issues, companies need to combine dedicated and cloud solutions through hybrid hosting – a sustainable solution for the data required to manage I...
Oct. 6, 2015 12:00 PM EDT Reads: 445
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Bradley Holt, Developer Advocate at IBM Cloud Data Services, will demonstrate techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user experience, both offline and online. The focus of this talk will be on IBM Cloudant, Apa...
Oct. 6, 2015 10:45 AM EDT Reads: 456
Mobile messaging has been a popular communication channel for more than 20 years. Finnish engineer Matti Makkonen invented the idea for SMS (Short Message Service) in 1984, making his vision a reality on December 3, 1992 by sending the first message ("Happy Christmas") from a PC to a cell phone. Since then, the technology has evolved immensely, from both a technology standpoint, and in our everyday uses for it. Originally used for person-to-person (P2P) communication, i.e., Sally sends a text message to Betty – mobile messaging now offers tremendous value to businesses for customer and empl...
Oct. 6, 2015 10:45 AM EDT Reads: 185