My Firewall Is Smarter Than Your Firewall
Firewalls – my dad was a mechanic and always talked about routing wires through a car firewall. This is not that type of firewall, but think back to security firewalls and the basic rulesets used at some companies dating back to the early 1990s. They were followed by next-generation firewalls (NGFW), and those were certainly smarter, right? They were able to deeply analyze traffic and integrate with complementary security solutions. Today our needs are more complex, however, with a 742% increase in software supply chain attacks over the past three years. Sonatype has been paying attention and thinks its Nexus Firewall product is smarter about these attacks.
Some brief background on who Sonatype is: It was founded in 2008 by Jayson Piccini and Stephen O’Grady. The company is currently headquartered in Austin, Texas, but has a global presence with offices in the United States, Europe, and Asia. Sonatype focuses on providing software development solutions that help organizations manage the security and quality of their open-source software. Currently the CEO of Sonatype is Jayson Piccini; he’s a recognized expert in open-source software security and has spoken at numerous conferences and events on the topic.
Sonatype is a privately held company, so its financial information isn’t publicly available. However, the company is estimated to be worth over $1 billion. It has raised over $200 million in funding from investors such as Accel Partners, Greylock Partners, and Insight Venture Partners. Sonatype is not a rookie company – its products are used by Fortune 500 companies, government agencies, and educational institutions.
The wait is over: Sonatype Nexus Firewall is here to help with these complex problems we face today. It does this by automatically detecting and preventing malicious supply chain attacks. Couple this with its tightly integrated suite of software security products and you should take a significant step forward in your zero trust or application security initiatives.
Sonatype Nexus Firewall works by:
- Waiting for a new component to arrive, then putting it in a pending state.
- Evaluating the component against your policies. The evaluation:
  - Evaluates standard data fields.
  - Provides a complete and accurate inventory of all first- and third-party components.
  - Includes all direct and transitive components and their dependency relationships.
  - Is interoperable across ecosystems (namespace convention).
- Following a basic workflow after evaluation:
  - If the component is a known and critically malicious component, it enters and stays in quarantine.
  - If it is suspicious, it enters quarantine.
  - If it is known to be safe, it enters the pipeline.
The quarantine area houses not only components that are found to be critically malicious but also suspicious components that require further review. The Sonatype security research team then reviews the components to determine accuracy and next steps. If components are found to be safe, they can be automatically released back into the pipeline based on your policies.
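To make the pending/evaluate/quarantine/release flow concrete, here is a small policy gate written for this article; it is an added illustration, not Sonatype's code, and the `Component`, `Policy`, `Metadata` and `RepositoryFirewall` names, the package-URL-style identifier, the "release published fewer than N days ago is suspicious" heuristic, the banned-license check and the sample inventory and intel feed are all constructed assumptions. It walks direct and transitive dependencies, holds each one as pending, evaluates it, and then lets a research verdict release only components that were quarantined for review, never known-malicious ones.

```python
"""Toy model of a repository firewall gate: pending -> evaluate -> quarantine / pipeline.

Constructed example for illustration; not Sonatype's code. Class names, policy
fields, the suspicion heuristic and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Disposition(Enum):
    PENDING = "pending"                                   # arrived, not yet evaluated
    QUARANTINE_PERMANENT = "quarantine (known malicious)" # never released
    QUARANTINE_REVIEW = "quarantine (suspicious, awaiting review)"
    PIPELINE = "released to pipeline"


@dataclass(frozen=True)
class Component:
    ecosystem: str        # "npm", "maven", "pypi", ...
    namespace: str        # scope / group id; "" when the ecosystem has none
    name: str
    version: str
    transitive: bool = False

    def purl(self) -> str:
        """Ecosystem-neutral key (package-URL style, assumed here) so one policy
        can address components from any ecosystem with one naming convention."""
        ns = f"{self.namespace}/" if self.namespace else ""
        return f"pkg:{self.ecosystem}/{ns}{self.name}@{self.version}"


@dataclass
class Metadata:
    """Standard data fields an intel feed might supply (constructed subset)."""
    age_days: int
    license: str


@dataclass
class Policy:
    known_malicious: set[str]                 # purls flagged by the intel feed
    min_age_days: int = 3                     # assumption: very new releases are suspicious
    banned_licenses: set[str] = field(default_factory=set)
    auto_release_after_review: bool = True    # policy-driven release from quarantine


def evaluate(comp: Component, meta: Metadata, policy: Policy) -> Disposition:
    """Map one component's data fields to a disposition under the policy."""
    if comp.purl() in policy.known_malicious:
        return Disposition.QUARANTINE_PERMANENT
    if meta.age_days < policy.min_age_days or meta.license in policy.banned_licenses:
        return Disposition.QUARANTINE_REVIEW
    return Disposition.PIPELINE


class RepositoryFirewall:
    """Gate in front of the build pipeline: nothing reaches the pipeline unevaluated."""

    def __init__(self, policy: Policy, intel: dict[str, Metadata]):
        self.policy = policy
        self.intel = intel
        self.state: dict[str, Disposition] = {}

    def admit(self, comp: Component) -> Disposition:
        purl = comp.purl()
        self.state[purl] = Disposition.PENDING          # held on arrival
        meta = self.intel.get(purl)
        if meta is None:
            # Unknown to the feed: cannot be declared safe, so hold it for review.
            self.state[purl] = Disposition.QUARANTINE_REVIEW
        else:
            self.state[purl] = evaluate(comp, meta, self.policy)
        return self.state[purl]

    def admit_with_dependencies(self, graph: dict[Component, list[Component]],
                                root: Component) -> dict[str, Disposition]:
        """Admit the root and every direct and transitive dependency it pulls in."""
        seen: set[str] = set()
        stack = [root]
        while stack:
            comp = stack.pop()
            if comp.purl() in seen:
                continue
            seen.add(comp.purl())
            self.admit(comp)
            stack.extend(graph.get(comp, []))
        return {p: self.state[p] for p in seen}

    def review(self, purl: str, research_verdict_safe: bool) -> Disposition:
        """Apply the security research team's verdict to a quarantined component."""
        current = self.state[purl]
        if current is Disposition.QUARANTINE_PERMANENT:
            return current                              # known malicious stays put
        if (current is Disposition.QUARANTINE_REVIEW and research_verdict_safe
                and self.policy.auto_release_after_review):
            self.state[purl] = Disposition.PIPELINE
        return self.state[purl]


# Constructed sample inventory: one direct dependency pulling in two transitive ones.
WEB_LIB = Component("npm", "@acme", "web-lib", "2.4.0")
PARSER = Component("npm", "", "tiny-parser", "1.0.3", transitive=True)
HELPER = Component("npm", "", "build-helper", "0.0.1", transitive=True)
GRAPH = {WEB_LIB: [PARSER, HELPER]}

# Constructed intel feed keyed by purl (a real product would supply its own data).
INTEL = {
    WEB_LIB.purl(): Metadata(age_days=400, license="MIT"),
    PARSER.purl(): Metadata(age_days=90, license="MIT"),
    HELPER.purl(): Metadata(age_days=1, license="MIT"),   # published yesterday
}
POLICY = Policy(known_malicious={PARSER.purl()}, min_age_days=3, banned_licenses={"AGPL-3.0"})


def run_demo() -> dict[str, Disposition]:
    fw = RepositoryFirewall(POLICY, INTEL)
    fw.admit_with_dependencies(GRAPH, WEB_LIB)
    fw.review(HELPER.purl(), research_verdict_safe=True)   # benign after review: released
    fw.review(PARSER.purl(), research_verdict_safe=True)   # no effect: known malicious
    return dict(fw.state)


if __name__ == "__main__":
    for purl, disposition in run_demo().items():
        print(f"{purl}: {disposition.value}")
```

The point of the toy is the ordering of the gates: a component is never usable while pending, the known-malicious check wins over every other signal, and a research verdict can only move a component out of the review bucket, so a policy misconfiguration cannot accidentally release something the feed has already flagged.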
If this solution is of interest to you, then its ecosystem can be even more compelling. Starting from the premise that manual governance does not scale, Sonatype has focused its products on solving common obstacles for everyone involved: developers, security teams, operations, and legal teams.
- Developers – Get the right info at the right time in the right place.
- Security – With an end-to-end policy control plane and innovative firewall, prevent known and unknown open-source software risk from entering the software development lifecycle (SDLC).
- Operations – Benefit from a precise software bill of materials (SBOM), continuous application monitoring, and rapid response to zero-day threats.
- Legal – Enforce licensing policy at scale, understand license obligations with ease, and simplify and automate attribution reporting.
Sonatype’s product suite can fully automate software supply chains with these complementary components:
- Nexus Lifecycle – Continuously identify risk, enforce policy, and remediate vulnerabilities across an entire SDLC.
- Nexus Repository – Manage libraries, artifacts, and release candidates across an SDLC.
- Nexus Container – Secure and protect containers at dev time and run time.
- Sonatype Lift – Receive actionable feedback with low false positives, delivered during code review.
Our Take
If you are in the market for a solution that can help solve supply chain attack risk, this solution is fully capable. If you don’t feel this is an area that requires your focus today, I’ll let the statistics speak for themselves. Six out of every seven project vulnerabilities come from transitive dependencies, 96% of known vulnerable source downloads are avoidable, and 1.2 billion vulnerable dependencies are downloaded each month.
These numbers are staggering when you think about the risk. They provide a more compelling case to find a suitable solution that can secure your applications and workloads today and also protect you from the inevitable vulnerabilities of tomorrow.
Want to Know More?
- Threat Intelligence & Incident Response | Security Technology & Operations, Info-Tech Research Group
- Embed Security Into the DevOps Pipeline, Info-Tech Research Group
Sources:
- Sonatype Repository Firewall - Cloud Supply Chain Security Software, Sonatype
- 8th Annual State of the Software Supply Chain report, Sonatype
- “Accelerate Innovation with Automated Security,” Sonatype