After developing enterprise applications for a number of years, I’ve noticed one common thread. An application’s open source dependencies tend to stabilize over time. An application with stable dependencies requires less ongoing support, but it also introduces an often unacknowledged risk. This article describes how Sonatype Insight can be used to constantly monitor deployed applications for new security risks.
As an application matures, it essentially becomes frozen in time. As stability and production support become primary requirements, it is no longer a realistic option to upgrade to a new version of a critical framework. Upgrading to a newer version of the Spring Framework or Hibernate become impractical when weighed against the need to reduce risk and reduce ongoing support costs for an application that has been deployed to production.
A large-scale project often selects a series of open source dependencies at the initial stages of application development. Imagine you are working on an important customer service interface for a large company. This system is developed over the course of a number of years, and the first few months are characterized by large architectural changes. At the start of the project, the team experiments with newer versions of open source components and essentially “proves” an architecture. As the project’s focus shifts toward business requirements and away from technology, management is less likely to give the go ahead for a critical technology upgrade.
In other words, that five year old web application that powers a core part of your business is probably using a five year old version of Hibernate or Spring. Why? For stability’s sake. Why perform an upgrade if the system is still running?
What’s missing in these scenarios is an appreciation of the risks of standing still. If you develop software using open source components, you are dealing with a steady stream of new releases and a constantly evolving set of relevant projects. If you depend on an active project like ActiveMQ, Spring, or Hibernate, your development teams are dealing with a steady stream of releases, bug fixes, and bug reports. Good developers pay attention to these events and upgrade components with security risks as they are identified.
The problem arises when an application transitions from active development to production deployment. When this happens, developers start to play a less important role in the day-to-day operation of the project. While you might have very quickly identified a critical security risk in an encryption library during the peak of the development lifecycle, a mature application doesn’t have as much attention from developers and there’s no good way to merge the steady stream of open source “events” with applications in production.
To address this issue, Sonatype created Application Insight. Application Insight takes a production application and generates a bill of materials. This bill of materials is cross-checked against a stream of open source events and activity. You will be notified immediately If a security vulnerability is identified in a component your application depends upon.
In other words, Sonatype’s Application Insight keeps a vigilant watch over applications that might not be getting as much developer attention. It can identify previously unknown risks so that you can address the issue before it can be exploited.