Sonatype today launched an Advanced Development Pack service that highlights the dependencies between open source components in a way that makes it easier for developers to know which components to use to build the most secure application possible, and which offer the best and easiest upgrade path.
Company CTO Brian Fox said the Advanced Development Pack service is an extension of the Nexus Lifecycle platform that the company is currently making available to identify vulnerabilities in open source code.
The Advanced Development Pack was created after studying the development and cybersecurity practices of 30,000 software teams that Sonatype was able to analyze in its Maven repository, Fox said. The goal is to eliminate a vicious cycle that emerges when organizations build applications on components that too often need to be replaced or updated because of security and quality issues discovered later in the development cycle. By making it easy to identify the highest quality modules available, the Advanced Development Pack serves to increase developer confidence in the quality of the open source components they pull in as they develop their application.
A component selection tool, currently in beta and slated for availability next year, will also allow the use of project health assessments based on security and license compliance, as well as identify where a given component is already in use.
The Advanced Development Pack allows open source components to be evaluated based on factors such as project quality, ease of upgrade, and advance knowledge of abnormal committer behavior, Fox said. Other factors assessed include the cost of migrating to a newer or more secure version of a module and whether it is possible to do so without breaking the code, release frequency, rate of dependency updates, the size of the development team, and popularity.
The Advanced Development Pack also promotes the adoption of DevSecOps best practices by identifying dependencies that have been found vulnerable and subsequently fixed, as well as suspicious behavior involving project commits that may indicate a malicious code injection attack. It also applies machine and deep learning algorithms to automatically identify and block software supply chain attacks based on typosquatting and malicious code injection. In the last 90 days alone, malicious code detection bots created by Sonatype have discovered 43 new malicious packages, including electorn and loadyaml.
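To make the typosquatting signal concrete, here is an added example (not Sonatype's code, and not how its bots work) that screens a dependency manifest for package names one keystroke away from a well-known name, using the electorn example from the article. The popular-package list and the manifest are constructed for the demonstration; it also shows the limit of name similarity alone, since loadyaml resembles nothing on the list and would need the behavioral signals the article describes.

```python
# Added example: a name-similarity typosquat screen for a dependency manifest.
# The POPULAR list and MANIFEST below are constructed for this demonstration.


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and swaps of two adjacent characters each cost 1. Swaps matter because
    typosquats are often transpositions (electorn vs electron)."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[la][lb]


def normalize(name: str) -> str:
    """Lowercase and drop separators so js-yaml, js_yaml and jsyaml compare equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


# Constructed allowlist of well-known names (a real tool would use download statistics).
POPULAR = ["electron", "lodash", "express", "react", "js-yaml", "axios"]


def assess(name: str, popular, max_distance: int = 1):
    """Return (verdict, nearest_popular_name, distance) for one dependency name."""
    norm = normalize(name)
    by_norm = {normalize(p): p for p in popular}
    if norm in by_norm:
        return ("known", by_norm[norm], 0)
    nearest, dist = min(((orig, osa_distance(norm, n)) for n, orig in by_norm.items()),
                        key=lambda t: t[1])
    if dist <= max_distance:
        return ("suspected-typosquat", nearest, dist)
    # Not close to anything popular: name similarity alone says nothing here.
    return ("no-near-match", None, None)


# Constructed manifest (package.json-style dependency map).
MANIFEST = {
    "electorn": "^1.0.0",    # transposition of electron
    "express": "^4.17.1",    # legitimate, exact match
    "lodahs": "^4.17.20",    # transposition of lodash
    "loadyaml": "^0.1.0",    # named in the article, but not near anything on the list
}


def scan_manifest(manifest, popular):
    """List (dependency, look-alike) pairs that deserve review before install."""
    findings = []
    for dep in manifest:
        verdict, nearest, _ = assess(dep, popular)
        if verdict == "suspected-typosquat":
            findings.append((dep, nearest))
    return findings


if __name__ == "__main__":
    for dep in MANIFEST:
        print(dep, assess(dep, POPULAR))
    print("flagged:", scan_manifest(MANIFEST, POPULAR))
```

A distance threshold of 1 keeps false positives low on short names; a production check would also compare against the registry's own download rankings and combine the result with the commit-behavior and code-analysis signals the article mentions, since a purely novel name like loadyaml passes a similarity test.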
Sonatype has also included a transitive resolver capability that provides comprehensive remediation advice for resolving both direct and transitive dependencies without violating policies or failing builds.
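The problem a transitive resolver solves is that the vulnerable package is usually not one the developer chose directly, so the fix has to be expressed as a change to a direct dependency. The following added example (not Sonatype's resolver) walks a constructed package universe, reports the dependency path from the application to each vulnerable transitive component, and searches the direct dependency's newer versions for one whose resolved tree is clean. Package names, versions and the advisory identifier are all constructed placeholders.

```python
# Added example: path reporting and remediation for a vulnerable transitive
# dependency. The package universe and advisory below are constructed.

# (name, version) -> list of (dependency name, dependency version)
UNIVERSE = {
    ("demo-web", "1.0.0"):      [("demo-http", "1.2.0"), ("demo-log", "3.0.0")],
    ("demo-http", "1.2.0"):     [("demo-urlparse", "1.4.0")],
    ("demo-http", "1.3.0"):     [("demo-urlparse", "1.5.2")],   # pulls the fixed version
    ("demo-log", "3.0.0"):      [],
    ("demo-urlparse", "1.4.0"): [],
    ("demo-urlparse", "1.5.2"): [],
}

# Constructed advisory data: (name, version) -> advisory id placeholder.
ADVISORIES = {("demo-urlparse", "1.4.0"): "PLACEHOLDER-ADVISORY-001"}

ROOT = ("demo-web", "1.0.0")


def parse_version(v: str):
    return tuple(int(x) for x in v.split("."))


def resolve(root, universe):
    """Breadth-first resolution where the first version seen for a name wins
    (a flattened lockfile). Returns a parent map: node -> node that pulled it in."""
    resolved = {root[0]: root[1]}
    parent = {root: None}
    queue = [root]
    while queue:
        node = queue.pop(0)
        for dep in universe.get(node, []):
            if dep[0] in resolved:
                continue
            resolved[dep[0]] = dep[1]
            parent[dep] = node
            queue.append(dep)
    return parent


def vulnerable_paths(root, universe, advisories):
    """For every resolved node with an advisory, return the chain root -> ... -> node."""
    parent = resolve(root, universe)
    paths = []
    for node in parent:
        if node in advisories:
            chain, cur = [], node
            while cur is not None:
                chain.append(f"{cur[0]}@{cur[1]}")
                cur = parent[cur]
            paths.append(list(reversed(chain)))
    return paths


def remediation_plan(root, universe, advisories):
    """Map each offending direct dependency to the lowest newer version whose
    resolved tree carries no advisories, or None if no such version exists."""
    plan = {}
    for path in vulnerable_paths(root, universe, advisories):
        direct_name, current = path[1].split("@")
        if direct_name in plan and plan[direct_name] is not None:
            continue
        candidates = sorted((v for (n, v) in universe
                             if n == direct_name and parse_version(v) > parse_version(current)),
                            key=parse_version)
        plan[direct_name] = None
        for cand in candidates:
            patched = dict(universe)
            patched[root] = [(n, cand if n == direct_name else v) for (n, v) in universe[root]]
            if not vulnerable_paths(root, patched, advisories):
                plan[direct_name] = cand
                break
    return plan


if __name__ == "__main__":
    for p in vulnerable_paths(ROOT, UNIVERSE, ADVISORIES):
        print("vulnerable path:", " -> ".join(p))
    print("remediation:", remediation_plan(ROOT, UNIVERSE, ADVISORIES))
```

Reporting the path is what lets a developer act on a finding deep in the tree, and re-resolving each candidate upgrade is what keeps the advice from trading one policy violation for another; a real tool would additionally evaluate license and quality policies on the candidate tree and check semver compatibility before proposing the bump.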
Fox said that while the focus these days is on the security of individual application components, it has also become apparent that cybercriminals are now targeting application development platforms as part of an effort to compromise the entire software supply chain. As such, DevOps teams must now focus on securing both the components they use and the platforms used to build their applications.
Even then, there may never be absolutely secure open source code. However, it becomes possible to greatly reduce the associated risks.