Most application scans take hours, days, possibly even a week to return results, so when we say the Application Health Check software (AHC) can display usable, actionable analysis of open source vulnerabilities, license obligations and more for your applications in a matter of minutes, I know it’s pretty hard to believe. The purpose of this video is to show the scanning and results from an AHC, in real time. In this case, we’ll be using the OWASP WebGoat application. This is a 55 megabyte application with over 13,000 files.
After viewing the walk-through, you can run a scan of your applications and view your own, customized results in the time it takes to watch this video.
A Critical Question
Before you get started running the Application Health Check, the first question your security team should ask is “What is being sent to the Sonatype servers? Do they have access to our applications?” Nope, we don’t want or need access to your applications from our end. Here’s the way it works.
Application Health Check uses short hashes for component identification. In order to best protect your intellectual property, only these limited signatures of your application’s components will be exchanged with the Sonatype Data Service — i.e. no source or binary code is ever exposed, uploaded, or sent to Sonatype. These component signatures are then matched against a database of security, quality, and licensing information in order to generate your comprehensive Application Health Check report.
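To make the hash-based exchange described above concrete, here is an added illustration of the principle (not Sonatype's own code or signature format): the scanner hashes each bundled component, keeps the signature-to-path map locally, and sends only the signatures, so a defender can verify that neither file contents nor paths appear in the outbound payload. SHA-1, the 12-character prefix, the JSON payload shape, the component bytes and the catalog are all constructed assumptions for this example.

```python
import hashlib
import json
from typing import Dict, List

SHORT_LEN = 12  # assumed prefix length; the product's real signature format is not documented here

# Constructed stand-in for an application's bundled components (path -> archive bytes).
APP_COMPONENTS: Dict[str, bytes] = {
    "WEB-INF/lib/library-a-1.0.jar": b"PK\x03\x04constructed-bytes-of-library-a",
    "WEB-INF/lib/library-b-2.3.jar": b"PK\x03\x04constructed-bytes-of-library-b",
    "WEB-INF/lib/in-house-secret.jar": b"PK\x03\x04proprietary-code-that-must-stay-local",
}

def short_hash(data: bytes) -> str:
    """Short component signature: a prefix of the SHA-1 digest (algorithm assumed)."""
    return hashlib.sha1(data).hexdigest()[:SHORT_LEN]

def local_index(components: Dict[str, bytes]) -> Dict[str, str]:
    """Signature -> path map that stays on the scanning host; only the keys leave."""
    return {short_hash(data): path for path, data in components.items()}

def build_payload(components: Dict[str, bytes]) -> str:
    """Request body sent to the data service: signatures only, no paths, no content."""
    return json.dumps({"signatures": sorted(local_index(components))})

def payload_leaks_content(payload: str, components: Dict[str, bytes]) -> bool:
    """Defender's check: does any component's bytes or path appear in the payload?"""
    raw = payload.encode()
    return any(data in raw or path.encode() in raw for path, data in components.items())

# Constructed server-side catalog keyed by short signature (values are made up).
CATALOG: Dict[str, dict] = {
    short_hash(APP_COMPONENTS["WEB-INF/lib/library-a-1.0.jar"]): {
        "component": "library-a 1.0", "vulns": ["EXAMPLE-VULN-1"], "license": "Apache-2.0"},
    short_hash(APP_COMPONENTS["WEB-INF/lib/library-b-2.3.jar"]): {
        "component": "library-b 2.3", "vulns": [], "license": "GPL-3.0"},
}

def match_signatures(payload: str, catalog: Dict[str, dict]) -> Dict[str, dict]:
    """Service side: look up each signature; unknown ones are reported, never requested."""
    sigs = json.loads(payload)["signatures"]
    return {s: catalog.get(s, {"component": "unknown", "vulns": [], "license": None}) for s in sigs}

def health_report(components: Dict[str, bytes], catalog: Dict[str, dict]) -> List[dict]:
    """Client side: join the service's answers back onto local paths for the report."""
    index = local_index(components)
    results = match_signatures(build_payload(components), catalog)
    return [{"path": index[s], **info} for s, info in sorted(results.items(), key=lambda kv: index[kv[0]])]
```

The in-house jar produces a signature the catalog does not know, and the report marks it unknown rather than asking for the archive itself.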
Resources for finding components with known vulnerabilities
- Application Health Check Software (free download)
- Not sure what to scan as a test? Try these sample applications.
- OWASP WebGoat Project on OWASP
- Nexus: What’s in your repo?
- What is Hiding in your Open Source “Bill of Materials”?