Click here to close now.

Welcome!

Java Authors: Liz McMillan, William Schmarzo, Carmen Gonzalez, Roger Strukhoff, Jason Bloomberg

Related Topics: Java, Open Source

Java: Article

Open Source ROI with Less Risk

How to leverage the benefits while reducing the risks of open source across the development lifecycle

It's a scenario with which many Java developers are all too familiar - and one which many fear. You log on to the network or arrive at the office to discover your Chief Security or Compliance Officer, Application Manager or even a VP of Sales and Marketing in a state of panic. A commonly used open source component has a serious security vulnerability that may expose your client-facing applications to attack. Even worse, the flaw was identified a few weeks ago, but your organization has just heard about it.

The questions and accusations fly: "Why are we using open source components for our critical business applications?!" "Why don't we just rip out this component and replace it with something more secure?" "Do you have any idea what will happen if people discover that our applications have a security flaw?!" "This could negatively impact revenue and our reputation!" And, of course, "What are you going to do to fix this - and ensure it never happens again?!"

How would you answer those questions? What would you be able to do in this situation? If you don't have immediate answers, or an established action plan, you are not alone. It's likely that you would have no easy way of knowing exactly where you have used that particular flawed software component during application development. And once you figure out which applications are using it, you'll have to re-create the development environment, find or write a new version of the component that is more secure, and then build, test and deploy the new version of the application - all of which could take weeks.

To avoid this scenario altogether, application developers need new ways to mitigate the risks of open source without disrupting current development processes. Thankfully, there are specific strategies and new tools available that can help Java developers leverage open source while establishing a more aware, less risky and more robust supply chain. But before we discuss those, let's take a moment to examine open source usage and its associated challenges.

The Rise and Risks of Open Source
Gartner estimates that by 2013, 90 percent of Global 2000 enterprises will include open source software (OSS) as business critical elements of their IT portfolios - and by 2016, that number will increase to 99 percent.[1] It makes sense that open source use is on the rise. Java developers already know that open source offers unmatched flexibility, the power to control and easily modify code and optimize performance. The bottom line: using open source components for software development improves an organization's ability to deliver higher quality software faster at lower cost. However, most Java developers have limited ability to govern the selection, management and distribution of open source components, which can expose your organization to unforeseen technical and compliance risks, including potentially significant threats to software quality, stability, performance, security and intellectual property.

The Central Repository, the industry's leading repository for all major OSS projects, contains more than 300,000 Java artifacts and is accessed by developers nearly four billion times a year - making it one of the most visited sites on the Web today. As stewards of the Central Repository, Sonatype can access, mine and share insight on open source component usage of more than 40,000 software development organizations. We've discovered that many developers are downloading open source components without any reliable way to monitor or control usage, which can introduce significant security threats and licensing risks that can derail development processes and quickly undermine quality production values. In a 2011 Sonatype survey of 1,600 software developers, team leads and architects, 87 percent of respondents stated open source component use is ungoverned within their organization's development process.[2] There are better ways to use open source components without exposing your organization to so much risk.

Mitigaging Risk Across the Application Lifecycle
To manage the use and risks of open source throughout the application development lifecycle, organizations must implement corporate standards for open source-based development. And Java developers need specific tools to manage risk and maximize business value of open-source components.  There are tools available now that can help you maximize the ROI and minimize the risk of open source as you design, develop, build, test and move applications into production.

Choose the Best Components
First and foremost, you need a better way to select components to ensure that only the highest quality components are used in your builds. Obviously, with more than 300,000 components available in the Central Repository, it is difficult to ensure usage of the highest quality components, particularly as components are continually being updated. Of 12,389 open source artifacts updated in 2010, 63 percent were updated two or more times and 30 percent were updated four or more times.[3] Fifty-eight percent of respondents to Sonatype's Software Development Infrastructure survey said that they search the web to find out about component changes and 28 percent said there is just no reliable way to find this information. However, there are tools designed to improve open source component quality from the start by helping you choose the best components from within the IDE. You can even search for and find components by category, license, quality and security information as well as receive alerts regarding component updates to ensure flawed components are not accidentally included in your applications.

Identify Security Vulnerabilities
It's not uncommon for vulnerabilities to be discovered in popular components.  Even when security warnings are posted and easily accessible, they are often overlooked. In March 2009, the United States Computer Emergency Readiness Team and the National Institute of Standards and Technology (US-CERT/NIST) issued a warning that the Legion of the Bouncy Castle Java Cryptography API component was extremely vulnerable to remote attacks. In January 2011, almost two years later, 1,651 different organizations downloaded the vulnerable version of Bouncy Castle from the Central Repository within a single month.[4] In January 2010, the US-CERT/NIST posted an alert via their National Vulnerability Database that Jetty had a critical security flaw, which might allow attackers to modify a window's title, execute arbitrary comments or overwrite files and allow unauthorized disclosure of information.  Regardless of the warning, in December of 2010, nearly a year later, approximately 11,000 different organizations downloaded the vulnerable version of Jetty from the Central Repository in a single month.[5]

You can do more than simply search the Web or rely on word-of-mouth to find out about security flaws. In fact, it's possible to proactively manage open source component usage throughout the software design and development process. Look for tools that allow you to see quality, security and license details about components from within your development environment during the design phase and that will alert you to security vulnerabilities and catch flawed components during development, production and even after the application goes live.

Streamline Dependency Management
Using open source components makes it easy to build applications quickly. But for each component you include, there are often tens of other components it depends on in the application. Dependency management can quickly become a costly and time-consuming manual process as typical applications are comprised of dozens or even hundreds of open source components, and each of these in turn depends on additional components. Established open source usage controls and dependency management can help you minimize the quality, security and licensing problems that can result from the ungoverned use of open source software components.

To further streamline dependency management, implement tools that proactively monitor the entire dependency tree, including transitive dependencies (components that rely on other components). They can help you identify exactly which components are used in your applications by scanning complied applications and generating reports of the full dependency tree. You'll be able to easily identify components with known vulnerabilities, see the license types of all components and quickly address components with quality issues whether they are in the first level or deep within your dependency trees. Look for tools with customizable dashboards and automated alerts that will notify you of significant events, such as when a new vulnerability is discovered in a component on which your applications depend.

Address Licensing Issues
Java component-based development introduces unique licensing issues that must be addressed in order to avoid compliance issues that can result in legal and financial penalties. However, as many project owners do not submit correct licensing information to the Central Repository, it is often difficult to determine component licensing terms. And, due to multiple dependencies inherent to Java development, the components explicitly included in your application often rely on tens of additional components for which you need to address licensing obligations. It is critical to implement and follow licensing policies to ensure that you only include components with license obligations that your enterprise is willing to meet. You can also integrate solutions that improve compliance by identifying component licenses and ensure that unwanted licenses don't make it into your applications during development. Select solutions that will scan your existing applications, including all dependencies, to identify problematic licenses.

Step-by-Step Open Source Control
To ensure component integrity throughout the software supply chain and at every stage of the development process, look for integrated tools that provide insight across each step of the application development lifecycle. There are comprehensive solutions available that will help you manage open source usage in an efficient, non-invasive manner without disrupting your current processes. You want solutions that will provide actionable intelligence during each of the following phases of development:

Design
Improve your initial component search and discovery capabilities with tools that identify components by category, license, quality and security attributes. Ideally, you want tools that allow you to see quality, security and license details about each component from within your development environment.

Development
Implement solutions that notify you of security and licensing issues during development and provide assistance in managing multiple versions of components.  Eliminate guesswork that can undermine development with tools that enhance visibility by providing detailed information that will assist you in making upgrade decisions as well as resolving potential license compatibility issues.

Build
Select solutions that allow you to drill down and combine component data so that you can monitor and manage open source consumption as you build applications.  You should be able to quickly identify quality, security and licensing criteria and use this information as build promotion criteria.  Appropriate tools will show you how many and which versions of each component that you've downloaded, point out exactly where you've used it during your build process to help you manage dependencies and alert you to known security vulnerabilities as you build applications.

Testing
Look for solutions that allow you to use quality, license and security information as part of your pass/fail criteria as you build and test new applications.  There are also tools available that generate application bills of materials during testing, including the full dependency tree to help you avoid known security vulnerabilities and unwanted licenses.

Production
Eliminate error-prone and expensive manual production processes with automated tools that scan your complied applications and generate reports across your complete dependency tree.  You'll want to see components with known vulnerabilities or any quality issues along with the license types of all components.  The tools you select should also address any newly discovered security flaws in deployed applications.

With better open source policies and integrated management tools, you can manage the risks of open source and still derive the benefits throughout your development processes.  Best of all, you can stop worrying about being blindsided by business colleagues should a security flaw or licensing issue be identified in a component you've included in an application.  Should the scenario we described at the onset of this article arise, you'll be prepared to answer questions and address concerns immediately.  Instead of scrambling for information, you'll be able to generate a report that tells you exactly where the questionable component is being used and recreate your development environment with ease.  You'll just need to pull down a new release of the component that has a fix for the security vulnerability and build, test and deploy your new application in hours instead of weeks.

Resources:

  1. Driver, Mark.  "What Every IT Practitioner Needs to Know About Open Source."  Gartner Group.  (October 2010).
  2. Sonatype Software Development Infrastructure Survey.  (January 2011).
  3. 2010 Central Repository Usage Data.  Sonatype Inc.  (January 2011).
  4. Vulnerability Summary for CVE-2007-6721.  National Vulnerability Database Version 2.2 Sponsored by DHS National Cyber Security Division.  (January 20, 2011).
  5. Vulnerability Summary for CVE-2009-4611.  National Vulnerability Database Version 2.2 Sponsored by DHS National Cyber Security Division.  (January 14, 2010).

More Stories By Larry Roshfeld

Larry Roshfeld is EVP at Sonatype, a company that is transforming software development with tools, information and services that enable organizations to build better software, faster,using open-source components. To learn how you can gain complete visibility into and control over the components that make up your critical applications – both during development and while in production, visit www.sonatype.com/Insight.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at @ThingsExpo, Robin Raymond, Chief Architect at Hookflash, will walk through the shifting landscape of traditional telephone and voice services ...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at Internet of @ThingsExpo, James Kirkland, Chief Architect for the Internet of Things and Intelligent Systems at Red Hat, described how to revolutioniz...
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner is Product Manager of the Omega DevCloud with KORE Telematics Inc., will discuss the evolving requirements for developers as IoT matures and conduct a live demonstration of how quickly application development can happen when the need to comply...
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers is very hard. You have to learn five new and different technologies and best practices (libswarm, sy...
SYS-CON Events announced today that DragonGlass, an enterprise search platform, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. After eleven years of designing and building custom applications, OpenCrowd has launched DragonGlass, a cloud-based platform that enables the development of search-based applications. These are a new breed of applications that utilize a search index as their backbone for data retrieval. They can easily adapt to new data sets and provide access to both structured and unstruc...
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, will discuss IoE and the enormous opportunities it provides to public and private firms alike. She will share what businesses must do to thrive in the IoE economy, citing examples from several industry sector...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal an...
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, and physical persons. In the IoT vision, every new "thing" - sensor, actuator, data source, data con...
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
There's Big Data, then there's really Big Data from the Internet of Things. IoT is evolving to include many data possibilities like new types of event, log and network data. The volumes are enormous, generating tens of billions of logs per day, which raise data challenges. Early IoT deployments are relying heavily on both the cloud and managed service providers to navigate these challenges. In her session at Big Data Expo®, Hannah Smalltree, Director at Treasure Data, discussed how IoT, Big Data and deployments are processing massive data volumes from wearables, utilities and other machines...
SYS-CON Events announced today that the "First Containers & Microservices Conference" will take place June 9-11, 2015, at the Javits Center in New York City. The “Second Containers & Microservices Conference” will take place November 3-5, 2015, at Santa Clara Convention Center, Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud environment, and we must architect and code accordingly. At the very least, you'll have no problem fil...
SYS-CON Events announced today that MetraTech, now part of Ericsson, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Ericsson is the driving force behind the Networked Society- a world leader in communications infrastructure, software and services. Some 40% of the world’s mobile traffic runs through networks Ericsson has supplied, serving more than 2.5 billion subscribers.
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use cases.
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
The recent trends like cloud computing, social, mobile and Internet of Things are forcing enterprises to modernize in order to compete in the competitive globalized markets. However, enterprises are approaching newer technologies with a more silo-ed way, gaining only sub optimal benefits. The Modern Enterprise model is presented as a newer way to think of enterprise IT, which takes a more holistic approach to embracing modern technologies.
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understanding the kinds of data: structured, unstructured, big/small? Analytics: What kinds and how responsiv...