Tracking Security with Sonatype Insight

Uploaded on Sep 23, 2011

Bouncy Castle. Do those words mean anything to you? If you are a Java developer, you might know that Bouncy Castle is a cryptography library often used to compute secure hashes and encrypt data. In other words, it is a silly project name for a serious purpose.

Do you know that old, released versions of Bouncy Castle have known security vulnerabilities? I'm not writing this to cast a shadow of doubt on the project. Bouncy Castle is an awesome open source library, as are the Spring Framework, Commons HttpClient, Tomcat, and Jetty. What Bouncy Castle has in common with all of these other open source components is that old versions of each project have known security vulnerabilities.

There's a good chance that you are not focused on this problem. You might not be continuously evaluating the risk posed by your project's dependencies.

I've been developing enterprise software for years, and it just isn't something most companies worry too much about. While a company might spend a great deal of money on systems and personnel to keep operating systems patched and networks secured, that same company is likely still using Commons HttpClient 3.1, an older version that carries a known denial of service (DoS) vulnerability. In other words, we appreciate the vulnerability of machines and operating systems while simultaneously ignoring the security characteristics of the software that runs on these platforms.

As open source becomes more important to the modern enterprise, this exposure will only increase. If you are committed to security you have two choices to manage this risk. You can invest in the necessary staff to review a steady stream of bug reports and security updates, or you can integrate Sonatype Insight into your software development lifecycle. Insight analyzes and continuously monitors your applications, automatically alerting you to newly discovered issues.
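The core of what any such monitoring does is mechanical: read the project's declared dependencies, compare each version against the affected ranges in an advisory feed, and re-run as the feed changes. The following is an added example written for this page, not Sonatype Insight's code or any real advisory data; the POM fragment, the `org.example` coordinates and the `EXAMPLE-2011-000N` advisory identifiers are all constructed for illustration. It shows the part people get wrong by hand: comparing versions numerically rather than as strings (so 3.10 is newer than 3.9 and 3.1 equals 3.1.0) and treating an advisory's fixed version as an exclusive upper bound.

```python
"""Toy dependency audit: match Maven coordinates in a POM against an advisory list.

Added example for this page; coordinates and advisories below are constructed, not real.
"""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment (hypothetical org.example artifacts).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>widget-http</artifactId><version>3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>widget-crypto</artifactId><version>1.46</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>widget-web</artifactId><version>6.0.35</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed. Each entry affects versions in the half-open range
# [introduced, fixed): the fixed version itself is not vulnerable.
ADVISORIES = [
    {"id": "EXAMPLE-2011-0001", "group": "org.example", "artifact": "widget-http",
     "introduced": "0", "fixed": "4.0", "summary": "denial of service (hypothetical)"},
    {"id": "EXAMPLE-2011-0002", "group": "org.example", "artifact": "widget-crypto",
     "introduced": "0", "fixed": "1.47", "summary": "weak key handling (hypothetical)"},
    {"id": "EXAMPLE-2011-0003", "group": "org.example", "artifact": "widget-web",
     "introduced": "6.0.0", "fixed": "6.0.30", "summary": "request smuggling (hypothetical)"},
]


def version_key(version):
    """Split '6.0.35' into comparable tokens. Numeric tokens compare as integers;
    a non-numeric qualifier such as SNAPSHOT sorts below any number, so
    4.0-SNAPSHOT < 4.0 (a simplification of Maven's full ordering rules)."""
    key = []
    for tok in re.split(r"[.\-]", version):
        key.append((1, int(tok)) if tok.isdigit() else (0, tok))
    return tuple(key)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter keys are padded with zeros so 3.1 == 3.1.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka = ka + ((1, 0),) * (n - len(ka))
    kb = kb + ((1, 0),) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) triples declared in a POM string."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        deps.append((
            dep.findtext("m:groupId", namespaces=MAVEN_NS),
            dep.findtext("m:artifactId", namespaces=MAVEN_NS),
            dep.findtext("m:version", namespaces=MAVEN_NS),
        ))
    return deps


def audit(pom_xml, advisories):
    """Cross-reference every declared dependency against the advisory feed."""
    findings = []
    for group, artifact, version in parse_dependencies(pom_xml):
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (group, artifact):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "coordinate": f"{group}:{artifact}:{version}",
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                    "summary": adv["summary"],
                })
    return findings


if __name__ == "__main__":
    for finding in audit(POM_XML, ADVISORIES):
        print(f"{finding['coordinate']}  {finding['advisory']}  "
              f"upgrade to >= {finding['fixed_in']}  ({finding['summary']})")
```

Run against the constructed input, `widget-http 3.1` and `widget-crypto 1.46` are reported and `widget-web 6.0.35` is not, because it is past the fixed version. Continuous monitoring in the sense the page describes is this same function re-run on a schedule, or whenever the advisory list grows, so that a dependency that was clean yesterday is flagged the day an advisory for it appears.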

The critical question to ask yourself, given the increasing rate of change in open source, is "can you keep up?"
