Uncategorized

Rethinking Open Source Security

viviandufour, , Leave a comment

Essential Steps for Leaders Before the Next Supply Chain Attack

Author: Rod Cobain • 4 min read

An illustration representing strategic leadership, featuring a businessman pointing and discussing strategy, alongside chess pieces, a light bulb symbolizing ideas, and a graph indicating growth.

A Storm Is Brewing

We live in an age of unprecedented digital dependency. From agile startups to global enterprises, modern organizations rely on interconnected software systems, primarily driven by open source software (OSS). While OSS is powerful, flexible, and cost-effective, it increasingly represents a critical cybersecurity risk.

Cyber attackers are aggressively exploiting open source vulnerabilities, targeting the tools and libraries that power global innovation. The question isn’t whether your organization uses open source software—it undoubtedly does. The critical question is: How effectively are you securing it?

This article will explore:

  • Why open source vulnerabilities attract cyber attacks.
  • The evolving nature of these threats.
  • The crucial role of cybersecurity thought leadership.
  • Strategic actions leaders must take immediately.

Open Source Software: The Expanding Attack Surface

The Prevalence of Open Source

  • 80-90% of modern applications incorporate OSS components.
  • OSS underpins critical infrastructure including finance, AI, and cloud services.
  • OSS adoption is accelerating within IoT and edge computing environments.

Why Attackers Target Open Source

  • A single vulnerability can impact thousands or millions of systems.
  • Attackers view the software supply chain as an attractive, often poorly defended target.
  • Many organizations lack visibility into OSS dependencies.

Recent High-Profile Incidents

  • Log4Shell (Log4j): A critical vulnerability in a widely used Java library triggered global disruption.
  • SolarWinds: Attackers infiltrated software updates, compromising numerous downstream systems.
  • MOVEit: Exploitation of a vulnerability in file-transfer software resulted in extensive data breaches.

These events signify a broader trend: cyber attacks exploiting OSS vulnerabilities are increasing in frequency and impact.

The Need for Thought Leadership

Challenging False Security Assumptions

Executives often mistakenly assume:

  • OSS security is someone else’s responsibility.
  • Commercial vendors adequately secure dependencies.
  • Development teams alone can manage open source risks effectively.

In reality:

  • OSS projects are often maintained by small volunteer teams.
  • Security debt accumulates rapidly.
  • Strategic oversight cannot be replaced by tools alone.

The Critical Role of Cybersecurity Thought Leadership

1. Driving Organizational Awareness

  • Treat software risk as a business risk.
  • Discuss OSS vulnerabilities regularly at board meetings.
  • Implement continuous monitoring and risk management strategies.

2. Building Industry Collaboration

  • Foster industry-wide partnerships to strengthen OSS security.
  • Support and participate in initiatives such as the Open Source Security Foundation (OpenSSF).

3. Influencing Public Policy

  • Advocate for clear software liability frameworks.
  • Promote mandatory Software Bill of Materials (SBOM) use for transparency and traceability.

4. Leading by Example

  • Adopt secure open source practices internally.
  • Showcase effective practices to peers and partners.
  • Contribute actively to open source communities.

Proactive Leadership Actions: Steps You Should Take Now

For CISOs, CEOs, and Security Officers:

  • Deploy comprehensive Software Composition Analysis (SCA) solutions.
  • Maintain a complete, continuously updated inventory of OSS components.
  • Embed security earlier into the development lifecycle (shift-left approach).
  • Accelerate patching of OSS vulnerabilities through automated remediation.
  • Engage with and support OSS communities financially and operationally.

For Executives and Board Members:

  • Request regular software supply chain risk assessments.
  • Allocate resources to enhance OSS security measures.
  • Support cross-industry initiatives and SBOM adoption.
  • Promote a culture where software security is central to business strategy.

The Broader Impact: Securing a Global Commons

Open source software represents a global digital commons. Poor security practices risk widespread systemic failure, not just isolated breaches. Robust thought leadership from security and business executives can act as a force multiplier by:

  • Driving critical awareness and urgency.
  • Shaping industry standards and best practices.
  • Influencing proactive, collaborative security cultures.

Without proactive leadership, organizations face continuous cycles of reactive firefighting. With it, we can build resilience and trust in the digital future.

Conclusion: Your Leadership Legacy

The stakes have never been higher:

  • Attackers are innovating rapidly.
  • OSS vulnerabilities will continue to surface and be exploited.
  • Regulatory landscapes and liability expectations are evolving quickly.

Now is the time for bold cybersecurity leadership that transcends organizational silos, engages across industries, and shapes global security practices. As a leader, ask yourself:

  • Is your organization prepared for the next OSS attack?
  • Are you shaping the conversation or merely reacting?
  • What legacy will you leave in securing the software that powers the world?

The future of digital trust depends on your answers.

Rethinking Open Source Security

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

viviandufour, , , Leave a comment

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations scrambling for reliable data in the U.S. and globally.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking over 400,000+ vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow.  We have a multitude of integrations and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level?  Check out our product page infographic to see how our database stacks up against the competition.

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

Big News for Flutter Fans: Meterian Now Supports Dart!

bbossola, , , , , Leave a comment

Great news for all you mobile developers out there! Meterian, a leading Software Composition Analysis (SCA) platform, has just rolled out support for Dart, the programming language that’s become super popular for building Flutter apps. If you’re crafting mobile apps with Flutter, this update is specially tailored for you. Let’s dive into what this means and why it’s a game changer for Flutter developers.

Why Dart and Flutter are a big Deal

Developed by Google, Dart is all about building smooth and stunning mobile and web applications, and it’s the powerhouse behind Flutter—Google’s UI toolkit for crafting beautiful, natively compiled applications from a single codebase. Flutter’s ability to deliver apps that feel great on both Android and iOS has made it a hot favorite. With Dart now getting the spotlight it deserves, security and efficiency in app development are set to reach new heights.

Meterian embraces Dart

With Dart on its radar, Meterian is making sure that your development toolkit is not just powerful but also secure. This inclusion means Meterian can now safeguard your Flutter projects right from the get-go, catching potential security slip-ups before they become real headaches.

Meterian’s leap to include Dart is more than just an update—it’s setting a new standard for mobile app security. By embracing the needs of the Flutter community, Meterian is not only beefing up the security of apps but is also paving the way for projects that scale smoothly and stay robust under pressure.

What’s in it for Flutter developers?

We believe Flutter will eventually get a dominant position in the mobile development scene, so it’s essential to have tools that ensure that your applications are rock-solid safe. Meterian’s support for Dart brings you a suite of benefits:

  • Boosted Security: Spot vulnerabilities early in the development cycle with Meterian’s SCA tools, keeping your apps safe from security threats.
  • Stay on the Right Side of Compliance: Keep up with the latest security standards easily, ensuring your app complies with legal and regulatory requirements.
  • Seamless Development Flow: Meterian fits right into your existing workflows, helping you patch up security issues without slowing you down.
  • Scale with Confidence: As your app grows, Meterian grows with it, making sure that even the most complex projects stay manageable and secure.

I want to use Meterian: what should I do?

Meterian is free for open source projects! If you have a GitHub OSS project, you can easily integrate Meterian using the GitHub Action following this step-by-step guide or you can checkout this live example on GitHub. We do have also native integrations with BitBucket and Azure Devops, and also integrations with other CI/CD platforms.

Meterian is here to help!

With Dart in Meterian’s toolkit, it’s an exciting time to be building apps with Flutter. This move shows Meterian’s commitment to supporting the latest and greatest in app development, making it easier for you to build apps that aren’t just awesome but are also secure and compliant. To learn more about Meterian’s support for Dart/Flutter and how it can help improve the security of your projects, visit Meterian’s website at www.meterian.io.

Big News for Flutter Fans: Meterian Now Supports Dart!

Ensuring Data Integrity and Security in Healthcare: The Crucial Role of Application Security

bbossola, , , , , , , , , Leave a comment

In the digital age, healthcare companies are guardians of vast amounts of sensitive user data, ranging from personal health records to financial information. With this responsibility comes the challenge of ensuring data integrity and security against the growing threats of cyberattacks and data breaches. Meterian, a leader in application security, is at the forefront of providing solutions that safeguard this critical data.

Healthcare providers harnessing open-source software face unique security risks that require vigilant management and protection strategies. Meterian’s innovative tools actively scan and identify vulnerabilities within applications, ensuring that all components are up to date and secure against potential threats. By leveraging Meterian’s capabilities, healthcare companies can not only protect their patient data but also enhance their overall cybersecurity posture.

Protecting patient records.

In collaboration with Emis Group, a well-established brand in healthcare technology, Meterian has demonstrated its value in real-world applications. Emis has utilised Meterian’s solutions to bolster their applications’ defences, thereby protecting millions of patient records. While our partnership with Emis illustrates Meterian’s capability to handle the complex cybersecurity needs of large enterprises, it’s important to recognise that our solutions are equally effective and accessible for SMEs and startups. Meterian understands the unique challenges faced by smaller organisations, including tighter budgets and limited resources, as our platform is designed to be flexible and scalable.

For healthcare organisations, the fear of missing out on the highest level of security should be a significant concern. Meterian provides an essential layer of security that automates and streamlines the detection and management of vulnerabilities—tasks that would otherwise consume valuable development resources. As legislation evolves and compliance becomes even more stringent, Meterian’s tools help healthcare companies stay ahead, ensuring they meet all regulatory requirements while securing user data against emerging threats.

A successful case study.

To see first – hand how Meterian is enhancing cybersecurity in the healthcare industry, we invite you to explore our success story with Emis Group. This case study provides a detailed look at how Emis leveraged Meterian’s cutting-edge solutions to fortify their application security, ensuring compliance with stringent regulations and protecting sensitive patient data. 

Visit Meterian today!

Ensuring Data Integrity and Security in Healthcare: The Crucial Role of Application Security

Discover Meterian at CyberUK 2024

bbossola, , , , , , , , , Leave a comment

The UK government’s flagship cyber security event, CyberUK 2024. is just around the corner! Hosted by the National Cyber Security Centre (NCSC), this annual gathering brings together over 2,000 cyber security leaders and professionals for networking, knowledge exchange, and collaboration.

Deputy Prime Minister Oliver Dowden recently announced the theme for CYBERUK 2024 during a speech at techUK. The focus will be on how the cyber community can harness the societal benefits of emerging technologies while ensuring their security for the future. This theme is particularly relevant as we navigate the ever-evolving landscape of cyber threats and opportunities.

What to Expect

Where to find us

We will be exhibiting at CyberUK 2024. Loved by SMEs and CNI, our secure-by-design agile approach to software development delights developers and compliance teams. Come and learn how Meterian protects the Open Source Software Supply Chain.

Visit us Stand IZ3 at the Birmingham ICC, May 13-15th.

Discover Meterian at CyberUK 2024

NVD Update Delays: What’s Happening at the National Vulnerability Database?

bbossola, , , , , Leave a comment

Introduction

Since its inception in 2005, the National Vulnerability Database (NVD) has been a vital resource for security professionals, providing details about common vulnerabilities and exposures (CVEs) discovered by researchers worldwide. However, in recent months, the NVD has faced significant challenges, resulting in delays and incomplete data. In this blog post, we explore the current state of the NVD and its implications for enterprise security.

The Mysterious Freeze

In February, the NVD underwent an unexpected transformation. A cryptic announcement appeared on its website, stating that users would “temporarily see delays in [our] analysis efforts” while the National Institute of Standards and Technology (NIST) implemented improved tools and methods. Unfortunately, no further explanation accompanied this message. The freeze affected the timely documentation of CVEs, leaving security managers in a bind.

The CVE Model and Missing Details

The NVD relies on a network of 365 partners—both US-based and international—who contribute threat data. These partners include software vendors, bug bounty operators, and private research firms. Each participant adheres to a schema to ensure unique and accurate entries. However, since the beginning of the year, over 6,000 new CVEs have been posted, with nearly half lacking essential details in the NVD.

What’s Missing?

  • Metadata: The latest CVE entries lack critical metadata, such as information about affected software. Without this context, security managers struggle to assess the severity of vulnerabilities and prioritize patching efforts.
  • CVSS Scores: The Common Vulnerability Scoring System (CVSS) scores, which indicate vulnerability severity, are absent for many CVEs.
  • Product Information: Enterprises rely on NVD data to identify which applications and operating systems are at risk. Unfortunately, the missing details hinder this crucial aspect.

The status of things (April 2024)

In this recent update from the NVD team they discuss the importance of the National Vulnerability Database (NVD) and the challenges it faces. The NVD is a repository of information on software and hardware flaws that can compromise computer security. There is a growing backlog of vulnerabilities submitted to the NVD, and NIST is working to address this challenge. NIST is committed to its continued support and management of the NVD, but at this time it seems to be lagging behind.

How Meterian can help

Enter Meterian, a comprehensive application security solution that offers unique advantages over traditional databases. Meterian has an extremely robust security database that implements:

  1. Automated Daily Updates: Unlike the NVD, which has experienced recent delays, Meterian’s security database is updated at least every 4 hours. This automated process ensures that you receive the most current threat intelligence promptly.
  2. Diverse Data Sources: Meterian aggregates data from more than 15 unique sources, including both public and private feeds. These sources contribute to a comprehensive repository of vulnerability information, covering a wide range of software components. This is also enriched by Meterian AI and internally curated databases.
  3. Monitoring 350K Vulnerabilities: At present, Meterian actively monitors around 350,000 vulnerabilities across various ecosystems, from Perl to Rust. If you’re building applications and dealing with open-source libraries or frameworks, Meterian has you covered.

Conclusion

As the NVD grapples with its challenges, consider integrating Meterian into your security toolkit. Stay informed, stay proactive, and safeguard your digital assets effectively. Alternatively, you can simply start receiving timely notification through our alerting system: please check out our previous article that explains how to do just that!

References:

  1. NIST’s Vuln Database Downshifts, Prompting Questions About Its Future
  2. National Vulnerability Database (NVD) Update Delays
  3. The National Vulnerability Database Crisis: Defend Against Unpatched Vulnerabilities
  4. National Vulnerability Database: Opaque changes & unanswered questions
  5. NIST’s NVD has encountered a problem


NVD Update Delays: What’s Happening at the National Vulnerability Database?

Supply Chain Shock: Backdoor in liblzma Highlights Third-Party Package Risks

bbossola, , , , , , , , Leave a comment

The open-source software (OSS) ecosystem thrives on the principles of transparency and collaborative development. However, a recent critical vulnerability discovered in the core library, liblzma, has cast a shadow on this trust. The vulnerability, which was disguised as a bug fix, contained malicious code that could have potentially granted attackers access to users’ systems through SSH servers. This unsettling incident serves as a sobering reminder of the tangible risks inherent in relying on third-party software packages, even within the seemingly open and collaborative realm of OSS.

What happened?

liblzma, a critical library used for compression in many Linux distributions, was compromised by a backdoor hidden within its source code. This backdoor, attributed to a contributor named Jia T75, remained undetected for two years. During the build process, the backdoor would infect the system, specifically targeting x86_64 Linux systems. This vulnerability could have allowed attackers to compromise SSH servers, potentially granting them unauthorized access to a user’s system.

Why third-party packages are a risk

While OSS thrives on collaboration, it also introduces vulnerabilities. We rely on the good faith of developers contributing code. Malicious actors can exploit this trust by injecting backdoors or other harmful code into seemingly legitimate libraries like liblzma.

What can you Do?

To mitigate the risks associated with third-party software packages, it is imperative to stay vigilant and proactive. Patching software promptly by updating your system regularly ensures you have the latest security fixes in place. Furthermore, exercising caution when obtaining software updates and packages by exclusively utilizing official or trusted sources is of utmost importance. Thoroughly researching the maintainers of the software packages you rely upon can shed light on their track record of responsible updates and reputation within the community. Whenever feasible, exploring alternatives to widely used libraries can be a prudent strategy, as diversifying your software portfolio can reduce the potential impact of a single vulnerability. By adopting these measures, you can bolster the security posture of your systems and minimize the risks posed by third-party software dependencies.

How Meterian can help

The liblzma backdoor incident serves as a wake-up call, and it highlights the need for constant vigilance. By understanding the risks and taking preventative measures, we can build a more secure software ecosystem. Remember, security is an ongoing process, not a one-time fix .

Security solutions like Meterian can be powerful allies in mitigating the risks of third-party packages. Meterian’s notification system keeps you informed about the latest vulnerabilities impacting your software ecosystem, including critical flaws like the recently discovered liblzma backdoor. Through timely alerts and detailed reporting, Meterian ensures you stay on top of potential threats before they can be exploited]. Additionally, Meterian’s Software Composition Analysis (SCA) solution goes a step further by scanning your codebase for known vulnerabilities within dependencies like liblzma. By proactively identifying these risks, SCA allows you to take early action and prioritize patching vulnerable components, ultimately safeguarding your systems and data.

Don’t wait for the next major vulnerability to compromise your systems. Take control of your software security today. Try Meterian for free and experience the power of proactive vulnerability detection and management.

An important note!

The xz/liblzma packages are sometimes included in major Linux distributions, and much of the focus is now there, also because this vulnerability can be exploited to execute remote commands over SSH. However, please be aware that this vulnerability may affect also your application code, either because it may be linking directly liblzma in your C/C++ applications or because, via conan, you previously used the package xz_utils in one of the vulnerable versions (5.6.0, 5.6.1). Furthermore, other wrappers such as xz.ex (elixir), xz.net (dotnet), ruby-xz (ruby) and similar packages may indirectly pull the affected package.

Update – 15 April 2024

This is a novel situation, and there is still much uncertainty. We are aware of only a single known exploit path at this time, but there may be additional scenarios that have not yet been identified.

In detail, so far, it looks like the payload activates if the running program has the process name /usr/sbin/sshd, however, based on ongoing analysis, it may activate also in other scenarios too, unrelated to SSH. This matter is still investigated, you can keep an eye at this page to follow the active investigation.


References

  1. Backdoor in the xz source code: https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. Backdoor in upstream xz/liblzma leading to SSH server compromise: https://news.ycombinator.com/item?id=39868673
  3. NVD reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3094
  4. A live analysis of the backdoor: https://gist.github.com/smx-smx/a6112d54777845d389bd7126d6e9f504
  5. Ongoing investigation: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Supply Chain Shock: Backdoor in liblzma Highlights Third-Party Package Risks

Understanding SBOMs: A Crucial Aspect of the EU Cyber Resilience Act (CRA)

bbossola, , , Leave a comment

The EU Cyber Resilience Act

The European Union Cyber Resilience Act (CRA), which was proposed on September 15, 2022, is the first EU-wide legislation addressing cybersecurity requirements for software and hardware manufacturers. Unlike the U.S. Executive Order, the CRA extends to all vendors who create products with digital components that connect to the internet. It will become enforceable in early 2027, three years after its ratification.

SBOM Requirements of the CRA

One of its key requirements focuses on Software Bill of Materials (SBOMs). An SBOM is essentially a comprehensive inventory of all software components used in a product. It provides transparency by listing out the dependencies, libraries, and third-party code that make up a software application. Think of it as a “recipe” for your software – it tells you exactly what ingredients (components) are included.

The key points related to Software Bill of Materials (SBOM) requirements under the EU Cyber Resilience Act are:

  • Manufacturers must identify and document product components and vulnerabilities, including the creation of a SBOM of at least the top-level dependencies of the product
  • The SBOM does not have to be made publicly available
  • The SBOM should be included in the technical documentation and, upon request, provided to market surveillance authorities

The EU Cyber Resilience Act mandates SBOM adoption to enhance cybersecurity and ensure transparency in software and hardware supply chains. Manufacturers need to create SBOMs for their products, while public availability is not required.

Why SBOMs are essential

SBOMs are a sensible tool to manage your supply chain transparency. With the increasing complexity of software supply chains, understanding what goes into your product is crucial. SBOMs allow manufacturers to trace the origins of each component, identify vulnerabilities, and assess risks.

By having an SBOM, organisations can proactively address security vulnerabilities. When a known vulnerability is discovered in a library or component, manufacturers can quickly assess which products are affected and take necessary remediation steps.

They are also required for compliance and legal requirements. Specifically, the CRA mandates that manufacturers create SBOMs for their products. Compliance ensures that products meet cybersecurity standards and reduces legal risks.

Why SBOMs are complicated

Creating and maintaining Software Bill of Materials (SBOMs) is a time-consuming process due to the intricate nature of modern software. Applications are no longer simple; they consist of interconnected components, libraries, and dependencies. The prevalence of open-source software further complicates matters. Each component introduces its own set of dependencies, licences, and potential vulnerabilities. Identifying and tracking all these elements manually is a daunting task. Ensuring accuracy, compliance, and security within this complex landscape inevitably consumes significant time and effort.

That’s the reason why it’s a good idea to adopt an automated solution that takes this problem away.

Meterian: your automated SBOM solution

Using automated analysis, Meterian continuously scans your codebase, identifies the whole network of dependencies, and generates an SBOM automatically. No manual effort required, as SBOMS can be created and stored during the analysis, or later on demand. This will save a substantial amount of time to your developers, who can say goodbye to weeks of research at each release. Everything happens directly on your pipelines or at the touch of a button.

With the help of his powerful vulnerability scanner, Meterian provides you all relevant vulnerability Insights. The Meterian vulnerability database tracks more than 340k vulnerabilities across more than 20 different OSINT sources. You will also automatically receive real-time alerts about vulnerabilities in your components, even if you do not actively analyse them: Meterian will do it for you.

Meterian is easy to integrate in your processes, as it seamlessly integrates with your development pipelines, ensuring continuous monitoring without any extra activity. A simple click, some lines of YAML, one or two lines of script, is all it takes. You get protection against vulnerabilities and compliance at the same time, without any extra effort.

Conclusion

As the EU Cyber Resilience Act comes into effect, manufacturers are required to embrace SBOMs to ensure transparency, enhance risk management, and achieve compliance. The Meterian platform simplifies the generation of SBOMs, enabling you to concentrate on developing secure and resilient software.

Remember: An SBOM isn’t just a regulatory requirement; it’s a powerful tool for safeguarding your digital products. Start creating your SBOMs today!

Understanding SBOMs: A Crucial Aspect of the EU Cyber Resilience Act (CRA)

Enhancing Application Security with Meterian: A Powerful SonarQube Integration

bbossolaLeave a comment

In the fast-paced world of software development, ensuring code security is paramount. Vulnerabilities can lurk in unexpected places, and addressing them swiftly is crucial to safeguarding your applications and your users. That’s where Static Application Security Testing (SAST) and Software Composition Analysis (SCA) come into play. Today, we’re excited to announce a game-changing integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform. In this blog post, we’ll explore the advantages of combining these two powerful tools and dive into the specifics of the Meterian and SonarQube integration.

Advantages of SAST with SCA: A Dynamic Duo for Code Security

Before delving into the integration, let’s understand why the combination of SAST and SCA is a game-changer for code security.

1. Comprehensive Vulnerability Detection: SAST analyzes your source code for security issues, identifying vulnerabilities from the code’s perspective. SCA, on the other hand, scans your dependencies for known vulnerabilities. Together, they provide comprehensive coverage, helping you identify and address issues across your codebase.

2. Early Detection: SAST and SCA work in different phases of the development lifecycle. SAST scans your code during development, while SCA monitors dependencies throughout the software’s lifetime. This early detection ensures that vulnerabilities are identified and remedied promptly, reducing the cost and effort of fixing issues in later stages.

3. Precise Remediation: By pinpointing vulnerabilities in both your code and dependencies, you gain precise information on what needs to be fixed. This helps developers focus their efforts on high-priority issues, improving efficiency and reducing false positives.

4. Improved Compliance: Many industries have strict compliance requirements. The combination of SAST and SCA aids in meeting these regulations by providing a robust security framework for your applications.

5. Enhanced Security Posture: Together, SAST and SCA help you build a stronger security posture, which is especially important in today’s threat landscape. By addressing vulnerabilities early and comprehensively, you reduce the attack surface and mitigate security risks effectively.


Meterian and SonarQube Integration: A Closer Look

Let’s now take a more detailed look at the most important aspects of the Meterian and SonarQube integration

1. Streamlined Workflow: The integration seamlessly incorporates Meterian’s SCA results into your SonarQube environment. This means that you can access SCA insights right where you already manage your code analysis, streamlining your workflow. View problems directly within the SonarQube interface while retaining the ability to drill down into the full Meterian report for a comprehensive view of vulnerabilities and dependencies.

2. Real-time Feedback with Custom Notifications: Receive real-time feedback on your code’s security status, and stay informed about any new vulnerabilities affecting your dependencies. Meterian takes it a step further by offering customizable notification options. You can receive alerts via Slack, Email, or WebHook, ensuring that your team stays instantly updated and can take immediate action to address any issues.

3. Remediation Guidance with Safe Dependency Versions: The integration provides detailed remediation guidance, helping developers understand and resolve vulnerabilities effectively. When vulnerabilities are detected, Meterian goes a step beyond by not only identifying the issues but also providing safe versions of the dependencies to use in order to mitigate these vulnerabilities effectively. This valuable guidance streamlines the remediation process, ensuring that developers have access to trusted solutions for code security..

4. Enhanced Quality beyonde code: Achieve higher code quality and security standards by leveraging Meterian’s comprehensive vulnerability database and SonarQube’s powerful analysis capabilities. The integration not only identifies vulnerabilities but also extends its benefits by detecting out-of-date dependencies within your codebase. This ensures that your applications not only remain secure but also stay up-to-date with the latest libraries and components.

5. Strengthened Compliance with License Reporting and SBOM: In addition to its robust security features, the Meterian and SonarQube integration significantly strengthens compliance efforts. Meterian goes beyond security by reporting licenses for all dependencies used in your software projects. This comprehensive license reporting ensures that your organization remains compliant with licensing requirements, reducing the risk of legal and financial liabilities. Furthermore, Meterian provides a full Software Bill of Materials (SBOM), offering transparency into all the components and libraries used in your applications. By combining security and compliance in one integrated solution, you can achieve a higher level of confidence in your code while minimizing legal risks.

Getting Started with the Integration

Getting started with the Meterian and SonarQube integration is straightforward. Simply follow these steps, as described in Meterian’s documentation page:

  1. Install the Meterian Plugin: Begin by installing the Meterian plugin for SonarQube in your local installation: it should be as easy as dropping the jarfile in the plugins folder (docs)

  2. Configure the Integration: Adjust the plugin properties if needed: the defaults should be already a fair fit. (docs)

  3. Add Meterian to your pipelines and enjoy seamless SCA Insights: With the integration set up, and Meterian in your pipelines, you’ll start receiving valuable SCA insights within your SonarQube environment. (docs)

The plugin supports at the moment NodeJS on NPM, and Java/Kotlin on Maven and Gradle. Support for .NET is planned by the end of this month, then Swift and Go will follow shortly. It can run on SonarQube v9.x, support for 10.x and cloud is coming later this year (roadmap).


Conclusion

Code security is a top priority for every software development team. The integration between Meterian, a leading cloud SCA solution, and SonarQube, a renowned SAST platform, offers a powerful combination to enhance your code security efforts. By leveraging the advantages of SAST and SCA, you can achieve comprehensive vulnerability detection, early issue identification, precise remediation, improved compliance, and an enhanced security posture. The Meterian and SonarQube integration streamlines your workflow, provides real-time feedback, offers remediation guidance, reduces false positives, and enhances code quality, making it an invaluable asset for any development team.

To get started with this integration and improve your application security, visit Meterian’s documentation page today. Elevate your security game and build robust, secure applications with Meterian and SonarQube.

Stay secure, stay confident!

Meterian Logo

All trademarks are the property of respective owners

Enhancing Application Security with Meterian: A Powerful SonarQube Integration

Cyber resilience is critical for innovation and economic sustainability

viviandufour, , , , Leave a comment

The events of the last few years have highlighted the world’s vulnerabilities and shown the importance of building resilience into organisations, supply chains and the global economy. COVID-19 and the war in Ukraine have exposed issues we’d chosen to ignore, thought we’d fixed forever or hadn’t even considered before. Growth is no longer guaranteed. The global economy’s increasing reliance on technology to enable the world to function extends the attack surface and opens up new cyber security threats.

The need for cyber security to protect sustainable growth

Governments are struggling with plans for sustainable economic growth against a background of conflict, continuing supply chain problems, climate change, rising prices and interest rate increases. Typical sustainable development goals include; economic growth measured by GDP; business innovation and infrastructure renewal; creating sustainable cities and communities; and responsible consumption of products.

From smart cities, to renewable energy, financial infrastructures and driverless transport, cutting-edge technology is at the heart of our drive for sustainable growth. This provides exciting opportunities but has also exposed existing systems’ weaknesses and created new vulnerabilities to malicious actors. Sustainable development goals are all put at risk by the increased threat from cyber attacks.

Organisations have become familiar with safety and security measures which protect their physical environment such as installing early warning sensors, security cameras, fire safety equipment and intruder alarms. There’s a need for a cultural shift for executives, investors, employees and regulators to recognise the increasing importance of cyber security. The war in Ukraine has brought into sharp relief the importance of having both strong physical and cyber defences. Cyber resilience is absolutely necessary for modern civilisation to survive and flourish. 

How big is the cyber threat?

Recent research and headlines point to cyber crime being very big business indeed. One study showed cyber criminals raking in $1.5 trillion every year. To put that in context that’s exactly the same amount proposed for the US Congress’ bipartisan package to help Ukraine and finance federal agencies for the second half of 2022. Another study from Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025. This led Steve Morgan, Editor-in-Chief at Cybercrime Magazine to comment, “This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.”

Innovation is a growing target for cyber criminals

Innovation and invention are seen as good things for businesses and the wider economy. They power economic growth and prosperity around the world but by their very nature they can open the door to cyber criminals. Innovation is all about new technologies, products and ways of working. The cloud gaming sector is a prime example of an industry that has attracted the attentions of hackers, due to its  constant growth, developing new platforms and introducing new products almost daily. As the industry transitions to cloud infrastructures, the market size was estimated at $609.67 million in 2021, and is expected to grow to $7.382 billion by the end of 2028 according to research by Brandessence. Change, as in this case, often comes at dizzying speed. This means that procedures, controls, security and monitoring may lag behind. Ripping up the rule book to innovate can have huge positives but organisations need to watch for the negatives too. Indeed, some of the largest cyber security incidents in 2022 were targeted at the gaming sector, with breaches reported by such behemoths as Rockstar, Roblox and NVIDIA, to name just a few. 

Rapidly expanding sectors and businesses naturally also attract huge investment. This makes them even more attractive for wily cyber criminals as the rewards from attacks can be particularly lucrative. Another pertinent example is the renewable energy sector. This growing industry promises great things for our hopes of preserving the world we live in. Massive investment means it is also shaping up to be a very attractive market for cyber criminals. 

Jim Guinn, global managing director for cyber security in energy, chemicals, utilities and mining at Accenture has noted, “The cybersecurity conversation in the renewable energy engineering and construction business is almost nonexistent today.” It is imperative that such industries underpin their expansion with the appropriate focus on defence against cyber attacks.

Protecting your software stack

The way today’s technology solutions are created using a jigsaw puzzle of multiple pieces including published APIs, integration with proprietary products, cloud applications from different vendors, open source components all combined with in-house developments means that many organisations are unsure about their complete Software Bills of Materials (SBOMs). This means vulnerabilities are literally built into critical systems introducing undocumented threat vectors which can be used by hackers to gain access to proprietary systems and data.

This lack of knowledge about an organisation’s SBOMs means that even when a bug or vulnerability is identified in the open source community and patches created, the business can be completely unaware  of the fact that it needs to take remedial action. There are many examples of this type of oversight resulting in huge costs and disruption for business.

Secure by default – building resilience

In 2023, developers and publishers of software must focus on Secure by Default principles if systems are to avoid the kind of failures due to poor security posture and an over reliance on end-users to act in a secure manner. The user experience is an integral part of the security features of a system, because if security makes software inconvenient to use, end-users will simply find a workaround. If security isn’t second nature then it’s no security at all.  The UK Government has introduced tough new regulations in the Telecommunications (Security) Act which includes the requirement to have a deep understanding of security risks, including those within the supply chain. This builds on the premise that ‘edge’ devices such as radio masts, internet equipment, or wifi routers supplied to customers should be protected from cyber attack. 

NCSC Technical Director Dr Ian Levy made the point: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”

Online risks spill over into the physical world

Increasingly, online services are impacting people in the real world.  A high profile example is the fall out from the 2017 Equifax data breach, which it is estimated to have cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open source web application security flaw. This left the cyber doorway open for criminals to enter and cause havoc. Over 140 million U.S. consumers’ data was affected, putting them at risk of future financial instability—being unable to rent housing, being denied a loan, having to pay higher interest rates on credit cards or mortgages, and greater difficulty in getting a job, not to mention the distress and anxiety identity theft causes.

A more recent example, described as the biggest hack in history that affected telco Optus, led to one in three Australians at risk of identity theft or fraud. As a result, 10,000 victims have had their personal details published online and millions of people are scrambling to change their online driving licenses.  T-Mobile data breach that affected 37 million accounts was detected in January 2023 but the weakness in the API had been exploited since November 2022.

Automating Development & Security Operations (DevSecOps)

As software development accelerates and the attacks of malicious actors continue to increase in speed and intensity, organisations must ensure their security operations are equipped to respond equally fast. Preventative strategies can be built into the development workflow to ensure that DevSecOps processes are efficient and maintain the appropriate vigilance without wasting human resources.  Such processes become operationally effective if for every critical patch released, the security and development teams are ready with normal business practice to identify the threat, confirm its presence in their application software estate and remediate as quickly as possible as part of business as usual.  Without DevSecOps, such operations can take days to weeks, but forward thinking teams will have worked this out so such incidents take minutes to hours, thus preventing unauthorised access or infiltration of malware via an open source vulnerability.

With some 64% of companies impacted in 2021 by supply chain attacks, mostly due to increased reliance on open source software components, organisations must be scrupulous about checking that underlying dependencies are safe from vulnerabilities. A further study showed such attacks were up 300% compared to the preceding year.  Businesses that prepare thoroughly against such risks will be well rewarded.  Not only are they underpinning their own operations, ensuring that their business can continue to grow and innovate without hindrance from malicious attacks, they protect their reputation by providing reliable products and services to their customers. In turn, customers know that they can trust their supplier, building loyalty in the business that transcends a purely transactional relationship. 

Ensuring that technology works as it should has long been a given. Now it is an expectation that tech works securely, protecting personally identifiable information, while still providing a great user experience, so that people can get on with their lives, knowing that their trusted suppliers are looking after their data securely. It is a challenge for the entire technology industry, but one on which our very way of life depends.

Visit www.meterian.io to learn how Meterian can help secure your businesses’ open source components to reduce the threats of cyber attacks.

Cyber resilience is critical for innovation and economic sustainability