05-02-2012, 01:22 PM
Thomas Koch

Why it makes sense to package Java libraries

Hi,

there are people who don't understand why it makes sense to package Java
stuff in Debian. The study below points out how many organizations still
download ancient, vulnerable libraries from Maven Central:

https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
or shortened: http://bit.ly/GX4jGi
found via:
http://branchandbound.net/blog/security/2012/03/crossbuild-injection-how-safe-is-your-build/

Quote:

In partnership with Sonatype, researchers from Aspect Security analyzed 113
million downloads from the Central Repository (“Central”) of the 31 most
popular Java frameworks and security libraries [...]. We analyzed [...]
downloads of these libraries from more than 60,000 commercial, government, and
non-profit organizations.

Our analysis revealed several interesting findings, including:

• 29.8 million (26%) of library downloads have known vulnerabilities
• The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and
Struts 1.x
• Security libraries are slightly more likely to have a known vulnerability
than frameworks
• Based on typical vulnerability rates, the vast majority of library flaws
remain undiscovered
• Neither presence nor absence of historical vulnerabilities is a useful
security indicator
• Typical Java applications are likely to include at least one vulnerable
library

The data show that most organizations do not appear to have a strong process
in place for ensuring that the libraries they rely upon are up-to-date and
free from known vulnerabilities. We conclude that there are no shortcuts to a
secure application infrastructure and that the only useful indicator of
library security is a broad and rigorous review that finds minimal
vulnerability.

Thomas Koch, http://www.koch.ro


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201205021522.37923.thomas@koch.ro