Forem: Katie McCaskey

Ryan Lockard Names the Seven Deadly Sins of DevSecOps

Katie McCaskey — Thu, 02 Apr 2020 13:45:00 +0000

_ Editor's Note: _ Ryan's story is included in "Epic Failures in DevSecOps, Volume 2", available for free download.

"It is said in Roman Catholicism that each of the seven deadly sins is uniquely bad. Any time one of these sins are committed, we must confess them and do all that we can to not transgress again. Applying the DevSecOps context, each of the failures discussed in this chapter are an opportunity to reflect, inspect and improve our own DevSecOps practices every day." -- Ryan Lockard, Epic Failures in DevSecOps, Chapter 7.

Watch his interview with host Justin Miller, on the Sonatype blog

SAML/SSO Authentication and Conan in Nexus Repository 3.22

Katie McCaskey — Wed, 01 Apr 2020 19:16:54 +0000

By Brent Kostak

Introducing the release of Nexus Repository 3.22. Our product teams are excited to announce SAML/SSO authentication for Nexus Repository Pro. In addition to SAML/SSO, this release includes proxy support for Conan native format in both Nexus Repository Pro users and our free version, Nexus Repository OSS. Conan is the decentralized, portable, and extensible package manager for C/C++ projects.

Amidst much anticipation, Nexus Repository Pro now provides users the ability to authenticate with Security Assertion Markup Language (SAML) identity providers. Using SAML, users can now experience single sign-on (SSO) when logging into the Nexus ecosystem. In the reading ahead, we will ‘pop the hood’ on SAML to learn how it works with Nexus Repository Pro, what benefits users can gain setting up the SAML integration, and key highlights for both Nexus Repository admins and developers.

Read more on the Sonatype blog

Developers Gain Contextual Feedback with Automated Pull Request Commenting

Katie McCaskey — Tue, 31 Mar 2020 15:14:09 +0000

At Sonatype, we work continuously to increase awareness of open source risk, and decrease the time it takes you to make your applications safe. It is our never ending quest to shift security left. We’ve rolled out even more granular and automated policy feedback with pull request comments directly in GitHub.

Developers need to know where potential policy violations or security vulnerabilities are introduced so that they can address and fix the issues efficiently and effectively. This reduces time to remediation and minimizes manual work. Our new PR commenting feature for GitHub notifies a developer when the code they commit introduces risk or breaks a build, and why.

Read more on the Sonatype blog

Department of Defense DevSecOps Journey

Katie McCaskey — Mon, 30 Mar 2020 14:15:25 +0000

By Sylvia Fronczak

_ Editors Note: _ We recently discussed why the federal government should adopt DevSecOps. Here, a look at DevSecOps efforts at the Department of Defense presented at All Day DevOps. Sign up now for the upcoming All Day DevOps | Spring Break Edition happening April 17.

The U.S. Department of Defense (DoD) has a unique DevSecOps journey, and we'll discuss that today thanks to a presentation by Hasan Yasar and Nicolas Chaillan (@NicolasChaillan).

But first, here’s some background on the DoD.

The DoD depends on software, but it doesn’t always control development. Instead, they must maintain software written elsewhere. Difficulties arise when the entire lifecycle is out of their hands.

Read more on the Sonatype blog

Sonatype Nexus Repository 3.20 Installation, Admin Login, and Port Change [VIDEO]

Katie McCaskey — Fri, 27 Mar 2020 13:45:00 +0000

There are often times in agile teams where DevOps is constrained by bandwidth.

This tutorial is aimed at developers to help them get things up and running without hassle. This will give them confidence to try out things on a working instance rather than just learning theory.

Watch the video at the Sonatype blog

Nexus Vulnerability Scanner: Getting Started with Vulnerability Analysis

Katie McCaskey — Thu, 26 Mar 2020 13:45:00 +0000

As a developer, you know the importance of building a robust application. With cyberattacks increasing every day, you should make sure your application is safe from the attacks and isn’t vulnerable.

To assess your application for security and to help you find vulnerabilities in your application so you can fix them, Nexus Vulnerability Scanner would be of great help!

So, in this post, I’ll be telling you what this tool is and how to use it.

Read more on the Sonatype blog

Top 6 Reasons the Time is Now for DevSecOps in the Federal Government

Katie McCaskey — Wed, 25 Mar 2020 13:45:00 +0000

Underpinning all modern technology - software and hardware - is a supply chain. However, even as “software eats the world,” or we could argue “ate the world,” there is still too little understanding of the software supply chain, with continued focus on hardware. The reality, however, is that software is much easier to pollute than hardware. While there has been an increase in awareness around the need for a coordinated application security strategy, the federal government has historically focused on playing strong defense, putting up walls at the perimeter, and at the end of the digital supply chain.

It’s time to shift more security resources further left. In this way, the government can play better offense at the beginning of the digital supply chain so that federal agencies can better protect themselves and the American citizenry.

Microsoft Acquires npm

Katie McCaskey — Mon, 16 Mar 2020 19:44:03 +0000

Today, news broke that GitHub and its parent company Microsoft, acquired npm and its public repository of open source JavaScript packages.

Sonatype CTO Brian Fox shares his reaction in this post, Microsoft Acquires npm: A Healthy Move for Critical Public Infrastructure.

Nexus Intelligence Insights: What's in a Ghostcat? CVE-2020-1938 Apache Tomcat - Local File Inclusion Potentially Leads to RCE

Katie McCaskey — Mon, 09 Mar 2020 13:45:00 +0000

By Ax Sharma

For this month’s Nexus Intelligence Insights, let’s dive deep into the popular Ghostcat vulnerability making headlines recently.

This vulnerability deserves attention as it impacts the widely used Apache Tomcat web server, has at least 5 exploits publicly available on GitHub and ExploitDB, and has a rather simple, yet overlooked, root cause. In fact,no version of Tomcat released in the last 13 years is immune to Ghostcat, unless properly patched.

The vulnerability, left unresolved, could pave an easy way for attackers to access arbitrary files on the server. The files may very well divulge sensitive information such as proprietary source code, stored passwords, API tokens, etc. More advanced PoCs can let malicious actors cause even further damage by remotely executing code on the system and planting backdoors, if they are able to get their hands on juicy bits of information.

What’s more? “Mass scanning activity targeting this vulnerability has already begun,” according to Bad Packets and evident from Shodan, thereby prompting immediate attention and a speedy remediation of this issue.