|By Marketwired .||
|January 16, 2013 06:00 AM EST||
COLUMBIA, MD -- (Marketwire) -- 01/16/13 -- Aspect Security, a pioneer in application security, today announced that its researchers have discovered a significant security vulnerability in the Spring Framework. Exclusive data from Sonatype, the operator of the Central Repository, the industry's primary source for open-source components, shows that more than 1.3 million vulnerable instances of the Spring Framework has been downloaded by more than 22,000 organizations worldwide.
Spring is an open-source framework used by Java developers to build business-critical applications. The Expression Language (EL) vulnerability enables an attacker to use a remote code execution to invoke functionality and take over a machine or the organization's entire network. Once an attacker exploits this weakness, the enterprise loses control of the business systems built on the Spring Framework.
Dubbed Remote Code with Expression Language Injection by Arshan Dabirsiaghi, Director of Research, Aspect Security and Stefano DiPaola, CTO of Minded Security, this flaw was discovered nearly 20 months ago and resulted in a fix by VMware in the latest version of the Spring Framework. Further research conducted by Aspect Security engineer Dan Amodio has uncovered additional issues that elevate the severity of the flaw, and Aspect cautions that additional steps need to be taken in order to protect organizations from Expression Language Injection vulnerabilities.
"It's difficult to quantify the depth and breadth of this problem since not every application is vulnerable, but any organization using Spring 3.0.5 or earlier is still at risk as these versions do not support disabling the double EL resolution," said Amodio. "The vulnerability leads to remote code execution, which can be devastating to an entire infrastructure. Many organizations are still using outdated components, which don't provide added protections by disabling this functionality. Even more alarming is that these flawed components are still being used to build applications which can present long-term security risks if gone unmanaged."
To keep applications free from third-party attacks and performance issues, Aspect Security recommends IT managers and developers using Spring update their libraries and opt-out of enabling double EL resolution. To avoid similar security instances in the future, organizations should consider Component Lifecycle Management (CLM) products that ensure the integrity of component-based software by analyzing usage, enforcing policy during development and delivering fixes for flawed components.
The widespread use of insecure libraries and frameworks is not a new dilemma for the open source software community. In March 2012, Aspect Security in conjunction with Sonatype, released a study entitled, "The Unfortunate Reality of Insecure Libraries." The report documented 113 million downloads from the Central Repository of the 31 most popular Java frameworks and security libraries. Used by developers around the world, the Central Repository (operated by Sonatype) contains more than 400,000 components and receives eight billion requests per year. The report concluded that modern software relies heavily on open source, but users are not update aware - with one in three of the most popular components having older, vulnerable versions still being commonly downloaded, even when a newer version, with the security fix, was available. Other key findings from the report include:
- 29.8 million (26 percent) of library downloads have known vulnerabilities
- The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and Struts 1.x
- Security libraries are slightly more likely to have a known vulnerability than frameworks
- Based on typical vulnerability rates, the vast majority of library flaws remain undiscovered
- Neither presence nor absence of historical vulnerabilities is a useful security indicator
- Typical Java applications are likely to include at least one vulnerable library
"The Remote Code with Expression Language Injection discovered by Aspect Security illustrates the importance of understanding how software vulnerabilities affect the downstream development ecosystem," said Ryan Berg, CSO of Sonatype, the world leader in Component Lifecycle Management products. "Development teams need flexible, proactive solutions that help manage these risks throughout the development lifecycle, so that organizations can trust that the components being used to build mission-critical applications are up-to-date and free from security vulnerabilities."
About Aspect Security
Founded in 2002, Aspect Security is a consulting firm focused exclusively on application security, ensuring that the software that drives business is protected against hackers. Aspect Security's engineers analyze, test and validate an average of 5,000,000 lines of critical application code every month. The company unearths more than 10,000 vulnerabilities every year across a wide range of technologies and architectures, and the company's practical recommendations dramatically improve clients' security posture. Aspect Security has taught tens of thousands of people around the world how to build, test and deploy secure applications, making the company a leader in application security training. Flexible delivery options include instructor-led training either in-person, via webcast, or on-demand through an innovative eLearning curriculum. Aspect has made vast industry contributions through the Open Web Application Security Project (OWASP), including the OWASP Top Ten, Enterprise Security API (ESAPI), Application Security Verification Standard (ASVS), Risk Rating Methodology, and WebGoat. For more information, please visit www.aspectsecurity.com or follow @aspectsecurity.
Sonatype is leading the component revolution. The company's innovative component lifecycle management products enable organizations to realize the promise of agile, component-based software development while avoiding security, quality and licensing risks. Sonatype operates the Central Repository, the industry's primary source for open-source components, housing more than 400,000 components and serving nearly eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and the Central Repository. Since that time, Sonatype has been a leader in core open-source software development ecosystem projects used by more than nine million developers including Nexus, m2eclipse, and Hudson. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com or follow Sonatype on Twitter @SonatypeCM
Cloud Expo, Inc. has announced today that Andi Mann returns to 'DevOps at Cloud Expo 2016' as Conference Chair The @DevOpsSummit at Cloud Expo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited t...
Jul. 1, 2016 12:00 AM EDT Reads: 524
IoT offers a value of almost $4 trillion to the manufacturing industry through platforms that can improve margins, optimize operations & drive high performance work teams. By using IoT technologies as a foundation, manufacturing customers are integrating worker safety with manufacturing systems, driving deep collaboration and utilizing analytics to exponentially increased per-unit margins. However, as Benoit Lheureux, the VP for Research at Gartner points out, “IoT project implementers often ...
Jun. 30, 2016 07:30 PM EDT Reads: 689
"We work in the area of Big Data analytics and Big Data analytics is a very crowded space - you have Hadoop, ETL, warehousing, visualization and there's a lot of effort trying to get these tools to talk to each other," explained Mukund Deshpande, head of the Analytics practice at Accelerite, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jun. 30, 2016 07:00 PM EDT Reads: 616
The cloud promises new levels of agility and cost-savings for Big Data, data warehousing and analytics. But it’s challenging to understand all the options – from IaaS and PaaS to newer services like HaaS (Hadoop as a Service) and BDaaS (Big Data as a Service). In her session at @BigDataExpo at @ThingsExpo, Hannah Smalltree, a director at Cazena, provided an educational overview of emerging “as-a-service” options for Big Data in the cloud. This is critical background for IT and data profession...
Jun. 30, 2016 04:00 PM EDT Reads: 451
Machine Learning helps make complex systems more efficient. By applying advanced Machine Learning techniques such as Cognitive Fingerprinting, wind project operators can utilize these tools to learn from collected data, detect regular patterns, and optimize their own operations. In his session at 18th Cloud Expo, Stuart Gillen, Director of Business Development at SparkCognition, discussed how research has demonstrated the value of Machine Learning in delivering next generation analytics to imp...
Jun. 30, 2016 04:00 PM EDT Reads: 1,013
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, wh...
Jun. 30, 2016 03:00 PM EDT Reads: 1,275
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
Jun. 30, 2016 02:45 PM EDT Reads: 335
When people aren’t talking about VMs and containers, they’re talking about serverless architecture. Serverless is about no maintenance. It means you are not worried about low-level infrastructural and operational details. An event-driven serverless platform is a great use case for IoT. In his session at @ThingsExpo, Animesh Singh, an STSM and Lead for IBM Cloud Platform and Infrastructure, will detail how to build a distributed serverless, polyglot, microservices framework using open source tec...
Jun. 30, 2016 02:00 PM EDT Reads: 692
Connected devices and the industrial internet are growing exponentially every year with Cisco expecting 50 billion devices to be in operation by 2020. In this period of growth, location-based insights are becoming invaluable to many businesses as they adopt new connected technologies. Knowing when and where these devices connect from is critical for a number of scenarios in supply chain management, disaster management, emergency response, M2M, location marketing and more. In his session at @Th...
Jun. 30, 2016 01:30 PM EDT Reads: 1,359
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life sett...
Jun. 30, 2016 01:00 PM EDT Reads: 1,520
"delaPlex is a software development company. We do team-based outsourcing development," explained Mark Rivers, COO and Co-founder of delaPlex Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Jun. 30, 2016 11:45 AM EDT Reads: 618
IoT is rapidly changing the way enterprises are using data to improve business decision-making. In order to derive business value, organizations must unlock insights from the data gathered and then act on these. In their session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, and Peter Shashkin, Head of Development Department at EastBanc Technologies, discussed how one organization leveraged IoT, cloud technology and data analysis to improve customer experiences and effi...
Jun. 30, 2016 11:30 AM EDT Reads: 648
Basho Technologies has announced the latest release of Basho Riak TS, version 1.3. Riak TS is an enterprise-grade NoSQL database optimized for Internet of Things (IoT). The open source version enables developers to download the software for free and use it in production as well as make contributions to the code and develop applications around Riak TS. Enhancements to Riak TS make it quick, easy and cost-effective to spin up an instance to test new ideas and build IoT applications. In addition to...
Jun. 30, 2016 11:15 AM EDT Reads: 738
The idea of comparing data in motion (at the sensor level) to data at rest (in a Big Data server warehouse) with predictive analytics in the cloud is very appealing to the industrial IoT sector. The problem Big Data vendors have, however, is access to that data in motion at the sensor location. In his session at @ThingsExpo, Scott Allen, CMO of FreeWave, discussed how as IoT is increasingly adopted by industrial markets, there is going to be an increased demand for sensor data from the outermos...
Jun. 30, 2016 11:00 AM EDT Reads: 475
CenturyLink has announced that application server solutions from GENBAND are now available as part of CenturyLink’s Networx contracts. The General Services Administration (GSA)’s Networx program includes the largest telecommunications contract vehicles ever awarded by the federal government. CenturyLink recently secured an extension through spring 2020 of its offerings available to federal government agencies via GSA’s Networx Universal and Enterprise contracts. GENBAND’s EXPERiUS™ Application...
Jun. 30, 2016 11:00 AM EDT Reads: 496
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, explored the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences between wh...
Jun. 30, 2016 11:00 AM EDT Reads: 1,117
Presidio has received the 2015 EMC Partner Services Quality Award from EMC Corporation for achieving outstanding service excellence and customer satisfaction as measured by the EMC Partner Services Quality (PSQ) program. Presidio was also honored as the 2015 EMC Americas Marketing Excellence Partner of the Year and 2015 Mid-Market East Partner of the Year. The EMC PSQ program is a project-specific survey program designed for partners with Service Partner designations to solicit customer feedbac...
Jun. 30, 2016 10:45 AM EDT Reads: 701
The IoT is changing the way enterprises conduct business. In his session at @ThingsExpo, Eric Hoffman, Vice President at EastBanc Technologies, discussed how businesses can gain an edge over competitors by empowering consumers to take control through IoT. He cited examples such as a Washington, D.C.-based sports club that leveraged IoT and the cloud to develop a comprehensive booking system. He also highlighted how IoT can revitalize and restore outdated business models, making them profitable ...
Jun. 30, 2016 10:30 AM EDT Reads: 590
There are several IoTs: the Industrial Internet, Consumer Wearables, Wearables and Healthcare, Supply Chains, and the movement toward Smart Grids, Cities, Regions, and Nations. There are competing communications standards every step of the way, a bewildering array of sensors and devices, and an entire world of competing data analytics platforms. To some this appears to be chaos. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, Bradley Holt, Developer Advocate a...
Jun. 30, 2016 10:15 AM EDT Reads: 995
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
Jun. 30, 2016 10:00 AM EDT Reads: 576