How to Find Known Vulnerabilities in Open Source Components within your Applications

Most application scans take hours or days, sometimes a week, to return results, so when we say the Application Health Check (AHC) can show usable, actionable analysis of open source vulnerabilities, license obligations and more for your applications in a matter of minutes, I know it is hard to believe. The purpose of this video is to show an AHC scan and its results in real time. In this case, we'll be using the OWASP WebGoat application: a 55 megabyte application with over 13,000 files.

After viewing the walk-through, you can run a scan of your applications and view your own, customized results in the time it takes to watch this video.

View the 6 Minute Walkthrough Video

A Critical Question

Before you get started running the Application Health Check, the first question your security team should ask is "What is being sent to the Sonatype servers? Do they have access to our applications?" Nope, we don't want or need access to your applications from our end. Here's the way it works.

Application Health Check uses short hashes for component identification. To protect your intellectual property, only these limited signatures of your application's components are exchanged with the Sonatype Data Service, i.e. no source or binary code is ever exposed, uploaded, or sent to Sonatype. These component signatures are then matched against a database of security, quality, and licensing information in order to generate your Application Health Check report.
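To make the "only hashes leave the host" point concrete, here is an added illustration in Python. It is not Sonatype's code and does not describe the AHC's actual hashing scheme: the choice of SHA-1 truncated to 12 hex characters as the "short hash", the directory layout, the archive bytes and the in-memory vulnerability database (with placeholder advisory IDs, not real CVEs) are all constructed for the example. What it shows is the shape of the exchange: the payload built from the application is a map of paths to short hashes, and matching happens against a database keyed by those hashes, with the case of a prefix shared by two components handled explicitly.

```python
"""Hash-based component identification, illustrated.

Added example, not Sonatype's code. Assumed, not taken from the page:
SHA-1 of the archive bytes truncated to 12 hex characters stands in for the
"short hash"; the known-vulnerable list is a constructed in-memory dict, not
the Sonatype Data Service; the archive contents are constructed bytes.
"""
import hashlib
import tempfile
from pathlib import Path

HASH_PREFIX_LEN = 12  # assumed short-hash length


def short_hash(data: bytes, prefix_len: int = HASH_PREFIX_LEN) -> str:
    """SHA-1 of the bytes, truncated; only this value ever leaves the host."""
    return hashlib.sha1(data).hexdigest()[:prefix_len]


def component_hash(path: Path, prefix_len: int = HASH_PREFIX_LEN) -> str:
    """Stream a file through SHA-1 so large archives are not read into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()[:prefix_len]


def fingerprint_application(app_dir: Path, suffixes=(".jar",)) -> dict:
    """Return {relative path: short hash} for every archive under app_dir.

    This dict is the whole payload: paths and short hashes, no file contents.
    """
    return {
        str(p.relative_to(app_dir)): component_hash(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def match_known_vulnerabilities(fingerprints: dict, db: dict) -> list:
    """Look each short hash up in db ({short hash: [record, ...]}).

    A prefix that maps to more than one component is reported as ambiguous
    instead of being silently attributed to the first record.
    """
    findings = []
    for rel_path, h in fingerprints.items():
        records = db.get(h, [])
        if len(records) == 1:
            findings.append({"path": rel_path, "hash": h,
                             "status": "known-vulnerable", **records[0]})
        elif len(records) > 1:
            findings.append({"path": rel_path, "hash": h, "status": "ambiguous",
                             "candidates": [r["component"] for r in records]})
    return findings


# Constructed archive contents (stand-ins for real jars).
VULNERABLE_JAR = b"constructed bytes of vulnerable-example-1.0.jar"
CLEAN_JAR = b"constructed bytes of clean-example-2.3.jar"
SHARED_PREFIX_JAR = b"constructed bytes of shared-prefix-example.jar"

# Constructed database keyed by short hash. Advisory IDs are placeholders,
# not real CVEs. Two records under one key simulate a prefix shared by two
# different components.
CONSTRUCTED_DB = {
    short_hash(VULNERABLE_JAR): [
        {"component": "vulnerable-example:1.0", "advisory": "EXAMPLE-0001"},
    ],
    short_hash(SHARED_PREFIX_JAR): [
        {"component": "shared-prefix-a:1.0", "advisory": "EXAMPLE-0002"},
        {"component": "shared-prefix-b:4.2", "advisory": "EXAMPLE-0003"},
    ],
}


def run_demo() -> tuple:
    """Build a throwaway application tree, fingerprint it, match it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / "vulnerable-example-1.0.jar").write_bytes(VULNERABLE_JAR)
        (lib / "clean-example-2.3.jar").write_bytes(CLEAN_JAR)
        (lib / "shared-prefix-example.jar").write_bytes(SHARED_PREFIX_JAR)
        (Path(tmp) / "WEB-INF" / "web.xml").write_text("<web-app/>")  # not hashed
        fingerprints = fingerprint_application(Path(tmp))
        findings = match_known_vulnerabilities(fingerprints, CONSTRUCTED_DB)
    return fingerprints, findings


if __name__ == "__main__":
    payload, found = run_demo()
    print("payload sent:", payload)
    for finding in found:
        print(finding)
```

Two things a practitioner should keep in mind when reading a report produced this way. First, matching on the hash of an archive only recognizes files that are byte-identical to something in the database; a rebuilt, shaded or repackaged jar hashes differently, so a clean result is not proof that a vulnerable component is absent. Second, the shorter the hash prefix, the more likely two unrelated artifacts share it, which is why the matcher above reports an ambiguous prefix rather than picking one candidate.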

Resources for finding components with known vulnerabilities


Mark Miller

Senior Storyteller and Community Advocate at Sonatype
Mark Miller is Senior Storyteller and DevOps Advocate for TheNEXUS. His expertise is in the creation and growth of online communities. Mark is Executive Producer of the OWASP 24/7 Podcast Series and is co-producer of the world's largest online DevOps conference, All Day DevOps. You can follow him on Twitter: @AllDayDevOps. You can also find him as the moderator of the LinkedIn DevOps Group.
