Tuesday, July 31, 2012

Insight Application Health Check


Sonatype's Insight Application Health Check is a small utility that scans Java applications for security vulnerabilities and license issues. The tool gives organizations a detailed look at the components used within Java applications to determine whether any of the packages or libraries are out of date or contain known vulnerabilities. Users can run the application and get a summary of the results for free. To get the full details, however, the user has to purchase the tool for $499. For a limited time, Sonatype is offering the full reports for only $99.

The Application Check can be used both by businesses building their own applications and by those who bought or downloaded third-party software for use. Businesses can make sure that the application they are using won't act as a backdoor into the network because of an exploitable vulnerability.

Why Check Apps?
Statistics provided by Sonatype paint a bleak picture. More than 80 percent of a typical Java application consists of existing open-source libraries and frameworks. Over 70 percent of developers tend to find reusable code snippets and dependencies by searching online, but it's a challenge to keep up with update announcements for each component. Only a third of companies are aware of what reusable code and dependencies are being used in their applications in the first place. If there is a security vulnerability in one of these code snippets, it gets integrated into the application.

This isn't just a theoretical problem. There were more than 46 million downloads of insecure versions of the 31 most popular open-source security libraries and Web frameworks in one year, Sonatype told me. For example, Google Web Toolkit, a popular software development framework that allows web developers to create and maintain complex JavaScript front-end applications in Java, is downloaded 17.7 million times a year, despite having known vulnerabilities.

Setup
Setup is a matter of downloading and running the Java application from the Sonatype website. The scanner can handle JAR, WAR and ZIP files. The application asks for an email address to which it can send the completed report and the directory path to the Java application. After I ran the scan, the report was sent to my inbox. The application offers only a summary report with the free version. Paid users receive a token that is entered into the application. With the code in place, all the reports contain full information.

Report
The report has four tabs: Summary, Security Issues, License Analysis, and Unidentified Artifacts. The summary page has visual graphics and statistics about the scan, such as the number of security vulnerabilities and license alerts found, as well as the number of components used in the application.

The Security Issues page is a long list of the vulnerabilities that were found. Threat Level is a scale of 1 through 10 the application uses to indicate the severity of the issues detected. Each entry lists the universal identifier from sources such as Common Vulnerability Errors or the Open Source Vulnerability Database to indicate what vulnerability was found, and the actual file or component the vulnerability was found in.

License Analysis is yet another list, this one showing all the licenses used by the various libraries and components. The scanner looks for conflicts between the multiple licenses. Like the Threat Level on the previous page, each entry has a License Threat scale and the file or component covered by that license.

Clicking an entry on either the Security Issues or License Analysis page displays more information about the detected item. On the security page, clicking the vulnerability code itself takes the user to the appropriate lookup page for CVE or OSVDB. The detail view also lists the version in which the particular vulnerability was fixed.

The final Unknown Artifacts page contains items the scanner couldn't recognize that would require manual investigation.
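As an added illustration (not Sonatype's code; the Health Check itself is a closed tool), here is a small Python sketch of the component-identification step the report describes: it opens a WAR, identifies each bundled jar from its Maven pom.properties, compares the version against a constructed advisory table with placeholder ids, and lists jars it cannot identify, mirroring the Unidentified Artifacts tab.

```python
import io
import zipfile

# Constructed advisory table, placeholder ids (not real CVE/OSVDB): (groupId, artifactId) -> [(id, fixed-in version, threat 1..10)]
ADVISORIES = {("org.example", "webfw"): [("EXAMPLE-2012-0001", "2.4.1", 8)],
              ("org.example", "jsonlib"): [("EXAMPLE-2012-0002", "1.3.0", 5)]}

def parse_version(v):  # "2.4.1" -> (2, 4, 1); non-numeric parts compare as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def identify_jar(jar_bytes):
    """Return (groupId, artifactId, version) from Maven pom.properties inside the jar, else None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = dict(l.split("=", 1) for l in jar.read(name).decode().splitlines()
                             if "=" in l and not l.startswith("#"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    return props["groupId"], props["artifactId"], props["version"]
    return None

def scan_war(war_bytes):
    """Match every bundled jar against ADVISORIES; jars without metadata go to 'unidentified'."""
    report = {"issues": [], "unidentified": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in (n for n in war.namelist() if n.endswith(".jar")):
            coords = identify_jar(war.read(entry))
            if coords is None:
                report["unidentified"].append(entry)  # no Maven metadata: manual investigation
                continue
            for adv_id, fixed_in, threat in ADVISORIES.get(coords[:2], []):
                if parse_version(coords[2]) < parse_version(fixed_in):  # older than the fix
                    report["issues"].append((entry, adv_id, threat, fixed_in))
    return report

def make_jar(coords=None):  # minimal in-memory jar, optionally carrying Maven metadata
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if coords:
            g, a, v = coords
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties", f"groupId={g}\nartifactId={a}\nversion={v}\n")
    return buf.getvalue()

def sample_war():  # constructed WAR: one outdated jar, one patched jar, one without metadata
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/webfw-2.3.0.jar", make_jar(("org.example", "webfw", "2.3.0")))
        war.writestr("WEB-INF/lib/jsonlib-1.3.2.jar", make_jar(("org.example", "jsonlib", "1.3.2")))
        war.writestr("WEB-INF/lib/mystery.jar", make_jar())
    return buf.getvalue()
```

Running `scan_war(sample_war())` flags the outdated webfw jar, passes the patched jsonlib jar, and reports mystery.jar as unidentified; a real scanner would also fall back to hashing the jar against a component index when pom.properties is absent.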

Source: http://feedproxy.google.com/~r/ziffdavis/pcmag/~3/J8OHnboxPJ0/0,2817,2407806,00.asp

