New Nexus Firewall Release with Developer-First Enhancements

Due to an increase in large-scale attacks focused on developers, it’s crucial for businesses to secure their software development lifecycle.

Addressing risk

Companies are waking up to software supply chain issues. In the SolarWinds breach, for example, malicious code was inserted into the build process for their Orion product. This resulted in malicious, trojanized updates being deployed to roughly 18,000 SolarWinds customers, and the update was carried further downstream to impact a significantly larger attack surface than anyone anticipated. Combating these modern-day attacks is becoming increasingly difficult, as bad actors are getting more sophisticated and are targeting developers more than ever.

Similarly, bad actors are targeting vulnerable packages that developers bring into their organization, so it’s important to understand how often this risk occurs. It is common in the npm ecosystem for developers to specify a range of versions that is resolved to the latest version within that range. Malware authors depend on this behavior, knowing that a harmful version published within an accepted range will be downloaded almost immediately.

Another frequent offense is the dependency confusion attack, AKA “namespace confusion attack.” In it, a developer is tricked into pulling a malicious package from a public open source repository, like npm or Maven Central, rather than the intended package with the same or a similar name from their local repository. The package can have the exact same name: when presented with two identical package names, package installers pick the one with the highest version number. The installer therefore downloads the “newer,” malicious package from the bad actor, putting the entire organization at risk.
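To make the mechanism concrete, here is an added example (not code from the original post or from Sonatype) that models an installer choosing the highest matching version across an internal and a public registry, and a guarded policy that pins names declared internal to the internal source and reports when a public shadow would have won. The package names, versions and registry contents are constructed for illustration.

```python
"""Model of how a package installer picks between an internal and a public
registry, plus a policy check that flags dependency-confusion risk.
Added example: package names, versions and registries are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple   # (major, minor, patch)
    source: str      # "internal" or "public"

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def satisfies(version, spec):
    """Match an exact pin ('1.2.3'), an npm caret range ('^1.2.3') or any ('*')."""
    if spec == "*":
        return True
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        return version >= low and version[0] == low[0]  # same major, at or above
    return version == parse_version(spec)

def naive_resolve(name, spec, candidates):
    """Highest matching version wins, whichever registry offered it.
    This is the behaviour a dependency confusion attack relies on."""
    matches = [c for c in candidates if c.name == name and satisfies(c.version, spec)]
    return max(matches, key=lambda c: c.version) if matches else None

def guarded_resolve(name, spec, candidates, internal_names):
    """Policy: a name on the internal list only resolves from the internal
    registry. Returns (chosen, findings) so any public shadow is auditable."""
    findings = []
    if name in internal_names:
        shadow = naive_resolve(name, spec, [c for c in candidates if c.source == "public"])
        if shadow:
            findings.append(f"{name}: public registry offers {shadow.version} matching {spec}")
        candidates = [c for c in candidates if c.source == "internal"]
    return naive_resolve(name, spec, candidates), findings

# Constructed registry contents: an internal package shadowed by a higher public version.
CANDIDATES = [
    Candidate("acme-utils", (1, 4, 0), "internal"),
    Candidate("acme-utils", (1, 99, 0), "public"),  # attacker-published, inside ^1.0.0
    Candidate("lodash", (4, 17, 21), "public"),
]
INTERNAL_NAMES = {"acme-utils"}

if __name__ == "__main__":
    for name, spec in [("acme-utils", "^1.0.0"), ("lodash", "^4.17.0")]:
        print("naive  :", naive_resolve(name, spec, CANDIDATES))
        print("guarded:", guarded_resolve(name, spec, CANDIDATES, INTERNAL_NAMES))
```

Running it shows the naive resolver pulling the public 1.99.0 build of the internal package, while the guarded policy keeps 1.4.0 and emits a finding that can be fed to a build log or firewall rule.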

To help combat these issues and more, Sonatype added Release Integrity to Nexus Firewall earlier this year. The Release Integrity (RI) Score is a concept generated from our Artificial Intelligence / Machine Learning (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Chris Good. Read the original post at: https://blog.sonatype.com/new-nexus-firewall-release-with-developer-first-enhancements