Technology Magazine October 2019 | Page 17

Federal Software Supply Chains are Most Susceptible

A series of high-profile and devastating cyber attacks has demonstrated that adversaries have both the intent and the ability to exploit security vulnerabilities in the software supply chain. Never was that more apparent than in the massive breach at Equifax. But Equifax was not alone: attackers quickly tried to exploit the same Struts vulnerability elsewhere. According to David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), “We had a nation-state actor within 24 hours of scanning for unpatched [Struts] servers within the DoD.” The government is not immune to these issues, and it is often an attractive target for adversaries.
The 2019 DevSecOps Community Survey, taken by thousands of IT professionals, found that 20% of respondents from government agencies believed they had suffered a breach stemming from the use of vulnerable open source components in the past 12 months. That is an alarming number when you consider what those breaches may have been trying to uncover.
As government developers and contractors work towards digital modernization goals, they are consuming hundreds of billions of open source components and containerized applications to improve processes and catch up with their commercial counterparts. The good news: these components create efficiencies and accelerate innovation within the government. The bad news: many of the components and containers in use carry defects, including critical security vulnerabilities, and they are pulled into builds without anyone checking which versions are affected.
In today’s world, knowing exactly what is in your software supply chain, as argued in MITRE’s Deliver Uncompromised report, is critical to national security.
The Sonatype Nexus Platform puts security professionals and developers on the same team and empowers organizations and agencies to continuously identify and remediate open source risk at every point in the software supply chain.
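The practical core of “knowing what is in your supply chain” is a check that a dependency-aware tool runs on every build: resolve each component’s coordinates and version, then test that version against the affected ranges in a vulnerability advisory. The script below is an added example written for this article, not Sonatype’s code and not part of the Nexus Platform. The dependency list and the advisory table are constructed inline so it runs offline; the Struts ranges follow the public Apache advisory S2-045 (CVE-2017-5638, the flaw behind the Equifax breach), while `com.example:widget-lib` is a hypothetical package included only to show that a second entry and an unlisted package are handled correctly.

```python
"""Flag dependencies whose versions fall inside known-vulnerable ranges.

Added example (not Sonatype's code). The advisory table, the dependency
list format and the sample dependencies are all constructed here.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory table keyed by Maven coordinates ("group:artifact").
# Each value lists inclusive (lowest, highest) affected version ranges.
# Struts ranges follow the public S2-045 advisory (CVE-2017-5638);
# com.example:widget-lib is a hypothetical package for illustration.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "org.apache.struts:struts2-core": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
    "com.example:widget-lib": [("1.0", "1.4.2")],
}

# Numeric dotted prefix plus an optional qualifier such as "-RC1" or "-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.5.10-RC1' into ((2, 5, 10), '-RC1'); reject junk input."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def compare(v1: str, v2: str) -> int:
    """Return -1, 0 or 1. '2.5' equals '2.5.0'; a qualifier ranks below the release."""
    n1, q1 = parse_version(v1)
    n2, q2 = parse_version(v2)
    width = max(len(n1), len(n2))          # pad so 2.5 and 2.5.0 compare equal
    n1 += (0,) * (width - len(n1))
    n2 += (0,) * (width - len(n2))
    if n1 != n2:
        return -1 if n1 < n2 else 1
    release1, release2 = (q1 == ""), (q2 == "")
    if release1 != release2:               # pre-release sorts before the release
        return 1 if release1 else -1
    return (q1 > q2) - (q1 < q2)


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high (inclusive at both ends)."""
    return compare(version, low) >= 0 and compare(version, high) <= 0


def parse_dependencies(text: str) -> List[Tuple[str, str]]:
    """Parse 'group:artifact:version' lines; '#' comments and blanks are ignored."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, artifact, version = line.split(":")
        deps.append((f"{group}:{artifact}", version))
    return deps


def find_vulnerable(deps: List[Tuple[str, str]],
                    advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES
                    ) -> List[Tuple[str, str, str]]:
    """Return (coordinates, version, matched range) for every affected dependency."""
    hits = []
    for coord, version in deps:
        for low, high in advisories.get(coord, []):
            if in_range(version, low, high):
                hits.append((coord, version, f"{low}-{high}"))
                break                      # one match per dependency is enough
    return hits


# Constructed dependency list, not taken from any real build.
SAMPLE_DEPS = """\
org.apache.struts:struts2-core:2.3.31       # last affected 2.3.x release
org.apache.struts:struts2-core:2.5.10.1     # first fixed 2.5.x release
org.apache.struts:struts2-core:2.5.10-RC1   # pre-release of an affected version
com.example:widget-lib:1.5.0                # hypothetical, above the range
com.example:widget-lib:1.4                  # hypothetical, inside the range
com.fasterxml.jackson.core:jackson-databind:2.9.9   # not in the advisory table
"""

if __name__ == "__main__":
    for coord, version, rng in find_vulnerable(parse_dependencies(SAMPLE_DEPS)):
        print(f"VULNERABLE {coord}:{version} (affected {rng})")
```

Two details matter more than the lookup itself. Version comparison must be numeric, not lexical (`2.5.10.1` is newer than `2.5.10`, and `2.5` must equal `2.5.0`), or the first fixed release gets flagged and a later affected one slips through. And a pre-release qualifier such as `-RC1` has to rank below the bare release, otherwise `2.5.10-RC1` is treated as newer than the top of the affected range. A real governance tool also matches on exact component identity (hashes, not just coordinates) so a renamed or vendored copy of an affected library is not missed.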
“[Nexus] has given us visibility into security issues and made us more proactive. It scans and gives you a low false-positive count.”
— EDWIN K. (IT CENTRAL STATION REVIEW)
NEXUS REPOSITORY: Analyze the quality of components inside your parts warehouse.
NEXUS LIFECYCLE: Automate open source governance at scale with precise and actionable intelligence.
NEXUS FIREWALL: Confidently quarantine bad parts before they enter your software supply chain.
NEXUS AUDITOR: Efficiently monitor production and third-party apps for open source security.
NEXUS INTELLIGENCE: Precisely identify open source components to accurately classify security vulnerabilities, licensing risks, and versions.
We are laser focused on helping federal agencies and contractors continuously harness all of the good that open source has to offer , without any of the risk . Those equipped with Nexus products make better decisions , innovate faster at scale , and rest comfortably knowing that their applications always consist of the highest quality open source components .
Visit sonatype.com/government to learn more about Open Source Security.