DevOps Security Firewall Tracks Open-Source Software
Greater use of open-source software also is increasing security risks. According to the developer of a new DevOps firewall technology, one in 16 third-party components downloaded from public repositories brings with it a known vulnerability. Since open-source software development shows no signs of slowing, something has to give.
Enter Sonatype, a Maryland-based startup with a public software repository firewall that leverages software supply chain automation to block obsolete or malicious open-source code and other third-party components during application development. Automated policy enforcement is integrated with the repository manager, among the first stages of enterprise software development, Sonatype CEO Wayne Jackson noted in a statement.
Building on the supply chain innovations developed by auto and other manufacturers, the open-source security tool acts much like a network firewall. In the DevOps realm, the tool, dubbed "Nexus Firewall," automatically applies defined security rules to reduce exposure to compromised code. That, the company claims, will reduce wasted resources during application development and avoid unnecessary rework by either blocking or quarantining open-source software components that do not meet defined security policies.
The security tool also is billed as preventing applications with known vulnerabilities or unwanted components from being released into production.
Sonatype also stressed the growing need for an automated tool like the Nexus Firewall as the pace of application development and delivery speeds up. Indeed, the transition of emerging technologies like application containers to production environments has been slowed by persistent worries about security and the need to isolate business-critical apps delivered in containers hosted on virtual machines.
The firewall approach also debuts amid the ongoing debate within the open-source community over security. Linux pioneer Linus Torvalds acknowledged during an industry conference in August that he is often at odds with the security community, which tends to view the issue as black and white.
"Security is bugs," Torvalds told the LinuxCon event in Seattle. "Most of the security issues we've had in the kernel have been just completely stupid bugs that nobody really would have thought of as security issues normally, except that some clever person is able to take advantage of it."
While stressing that buggy software is inevitable, Torvalds also noted that those overseeing Linux development, for example, are strict about what code ends up in the Linux kernel. Multiple security layers can be used to catch bugs "so if you have a hole in one component the next layer will catch the issue," Torvalds asserted.
"Anyone who thinks that we'll be entirely secure is just not realistic," he added.
With large enterprises embracing open-source development, investors are beginning to pour venture funds into startups like Sonatype, which has so far raised nearly $45 million in funding, including a $25 million round led by large East Coast technology investor New Enterprise Associates.
The result is the Nexus Firewall, another layer of security that Sonatype is positioning as a way for enterprises to use policy automation along with greater visibility and control of open-source components throughout the application development process.