US Congress Intervenes to Address Cyber Security Crisis with Software Supply Chain Focus; Sonatype Introduces Free Application Health Check To Support Government Agencies And Software Providers

Press Release | Sonatype | December 10, 2014

Developers Can Immediately Check Federal Software Applications for Open Source Vulnerabilities

FULTON, Md.--(BUSINESS WIRE)--Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.

While the use of open source components has dramatically accelerated application development and release schedules, limited awareness of the risks, coupled with a lack of governance processes, has resulted in millions of third-party and open source components with known vulnerabilities being built into software each year.

To address this pressing cyber security threat, the Chairman of the House Committee on Foreign Affairs, Rep. Ed Royce (R-CA), and Rep. Lynn Jenkins (R-KS) introduced the Cyber Supply Chain Management and Transparency Act of 2014.* The purpose of the act is to help defend the U.S. government cyber infrastructure, and to help the Department of Homeland Security and other agencies carry out their cyber defense mandate. The proposed legislation requires any supplier of software to the Federal government to identify which third-party and open source components (and which versions) are used, and prohibits including components with known vulnerabilities (per the NIST National Vulnerability Database) for which a less vulnerable alternative is available.

From Chairman Royce’s introductory remarks for the bill on the floor of the U.S. House of Representatives: “With around ninety percent of a modern software application made up of open source components, the problem of deployed software containing open source components with known vulnerabilities is one of great concern. The nation’s economy needs open source software development and applications built with it. It is precisely because of the importance of open source components to modern software development, that we need to ensure integrity in the open source supply chain, so vulnerabilities are not populated throughout the hundreds of thousands of software applications that use open source components.”

“We would not be willing to use a known bad airbag in our cars. We would not knowingly serve E. coli-tainted spinach in our salads. And we cannot afford to include known exploitable software in our government infrastructure,” said Wayne Jackson, CEO, Sonatype, Inc. “We’re pleased that the U.S. Congress has taken this important first step. To help the agencies and their software suppliers quickly assess their impact, we are opening our Application Health Check to provide complimentary analysis to document the components and known vulnerabilities that exist in their software.”

Added Josh Corman, CTO, Sonatype, “Every modern industry with the potential to impact public safety has graduated to a mature supply chain. Our dependence on software now also commands this rigor. With weak software being the preferred attack vector, and more than a breach a week, the supply chain focus of this congressional action could have a profound impact on national security.”

Sonatype’s Application Health Check is available free of charge effective today. Please see http://www.sonatype.com/application-health-check to learn more and download the tool.

For related information please see:

  • Cyber Supply Chain Security | Article by Paul Rosenzweig (http://www.lawfareblog.com/2014/12/cyber-supply-chain-security/)
  • Reps. Royce, Jenkins to Shore Up Security of Government Used Software (http://bit.ly/RoyceCyberSecurity)
  • Code, Cars, and Congress: A Time for Cyber Supply Chain Management | Blog by Wayne Jackson (http://bit.ly/CyberSupplyChainBlog)
  • 2014 Application Security and Open Source Development Survey (http://bit.ly/OpenSource14_Security)


About Sonatype:

Every day, developers rely on millions of third-party and open source building blocks, known as components, to build the software that runs our world. Sonatype provides Software Supply Chain Management to ensure that only the best components are used throughout the software development lifecycle, so organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain, so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com.

*H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014"; introduced on the floor of the U.S. House of Representatives on December 4, 2014 by Chairman of the House Committee on Foreign Affairs Ed Royce (R-CA) with Rep. Lynn Jenkins (R-KS). Congressional Record excerpt: The purpose of the act is to help defend the U.S. government cyber infrastructure, and for DHS to carry out its mandate. On a going-forward basis, we need all contractors of software, firmware or products to the U.S. Government to: 1) provide the procuring agency with a bill of materials of all third-party and open source components used, along with their version numbers; 2) demonstrate that those component versions have no known vulnerabilities (NIST CVEs) for which less vulnerable alternatives are available and, where exceptions are required, a written justification must be provided and the risk accepted by the agency granting the exception; 3) provide secure update mechanisms affording a prompt and agile response when new vulnerabilities are discovered in those products; and 4) supply said fixes and remediation updates within a reasonable specified time frame.
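Requirements 1) and 2) above amount to a concrete check a supplier or agency can automate: take the bill of materials with version numbers, look up the known vulnerabilities for each component version, and flag any component for which a release with fewer known vulnerabilities exists (the case the bill prohibits) separately from one with no better release (the case that needs a written exception). The following is an added example written for this page; it is not part of the press release, not Sonatype's Application Health Check, and not NVD tooling. The one-pair-per-line BOM format, the component names, the release lists and the SAMPLE-nnnn vulnerability ids are all constructed sample data, not real CVE records.

```python
"""Evaluate a software bill of materials (BOM) against a vulnerability feed.

Added example: implements the two supplier checks described in H.R. 5793,
(1) list known vulnerabilities per component version and (2) flag a component
when a less vulnerable release of it exists.  All data below is constructed
for illustration (placeholder ids, not CVE numbers; not NVD or Sonatype data).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.2.10' -> (1, 2, 10): compare numerically, not as strings ('1.2.9' > '1.2.10')."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    component: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first fixed version (exclusive upper bound)

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


# Constructed feed; ids are placeholders, not real vulnerability identifiers.
SAMPLE_FEED: List[Vuln] = [
    Vuln("SAMPLE-0001", "libfoo", "1.0.0", "1.2.0"),
    Vuln("SAMPLE-0002", "libfoo", "1.0.0", "1.2.1"),
    Vuln("SAMPLE-0003", "libbar", "0.1.0", "9.9.9"),  # no fixed release exists yet
    Vuln("SAMPLE-0004", "libbaz", "2.0.0", "2.0.5"),
]

# Constructed release history: an "alternative" must be a version that actually shipped.
SAMPLE_RELEASES: Dict[str, List[str]] = {
    "libfoo": ["1.0.0", "1.1.0", "1.2.0", "1.2.1"],
    "libbar": ["0.1.0", "0.2.0"],
    "libbaz": ["2.0.0", "2.0.5", "2.1.0"],
    "libqux": ["3.4.0"],
}

# Constructed BOM in a minimal 'component version' per-line format (hypothetical format).
SAMPLE_BOM = """
# component  version
libfoo  1.1.0
libbar  0.2.0
libbaz  2.0.5
libqux  3.4.0
"""


def parse_bom(text: str) -> List[Tuple[str, str]]:
    """Parse the minimal BOM format; '#' starts a comment. Malformed versions raise ValueError."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split()
        parse_version(version)  # fail early on a version we cannot compare
        entries.append((name, version))
    return entries


def known_vulns(component: str, version: str, feed: List[Vuln]) -> List[str]:
    """Check (1): ids of feed entries whose affected range covers this component version."""
    return sorted(v.vuln_id for v in feed if v.component == component and v.affects(version))


def less_vulnerable_alternative(component: str, version: str, feed: List[Vuln],
                                releases: Dict[str, List[str]]) -> Optional[str]:
    """Check (2): the shipped release with the fewest known vulns (newest on a tie),
    or None if no release has strictly fewer vulns than the version in the BOM."""
    current = len(known_vulns(component, version, feed))
    best: Optional[str] = None
    best_count = current
    for rel in releases.get(component, []):
        count = len(known_vulns(component, rel, feed))
        if count < best_count or (count == best_count and best is not None
                                  and parse_version(rel) > parse_version(best)):
            best, best_count = rel, count
    return best


def evaluate_bom(bom_text: str, feed: List[Vuln] = SAMPLE_FEED,
                 releases: Dict[str, List[str]] = SAMPLE_RELEASES) -> List[dict]:
    """OK: no known vulns. REJECT: vulnerable and a less vulnerable release exists.
    EXCEPTION: vulnerable but no better release; needs written justification and risk acceptance."""
    report = []
    for component, version in parse_bom(bom_text):
        vulns = known_vulns(component, version, feed)
        alt = less_vulnerable_alternative(component, version, feed, releases) if vulns else None
        status = "OK" if not vulns else ("REJECT" if alt else "EXCEPTION")
        report.append({"component": component, "version": version, "vulns": vulns,
                       "alternative": alt, "status": status})
    return report


if __name__ == "__main__":
    for row in evaluate_bom(SAMPLE_BOM):
        print(f"{row['status']:9} {row['component']} {row['version']} "
              f"vulns={row['vulns']} alternative={row['alternative']}")
```

Two design points matter in practice. Versions are compared as integer tuples, because string comparison puts 1.2.9 after 1.2.10 and would silently misjudge which release is newer; real ecosystems (semver pre-release tags, Maven qualifiers) need a richer comparator than the dotted-integer one assumed here. And "less vulnerable alternative" is computed only over releases that actually exist, so a component whose only fix is unreleased lands in the exception path rather than being rejected with an upgrade target that cannot be procured.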

Contacts
SS|PR for Sonatype

Tony Keller, 847-421-1477