Reach full protection from day-zero attacks by performing these five checks

Did you know that in a typical week, Sonatype’s Research team discovers 50+ malicious packages, including ransomware scripts?

That brings the running tally to 88,217 malicious packages that Sonatype has discovered and that you, as a Sonatype Nexus Firewall customer, are fully protected from. That is, provided your system is configured correctly.

There are five checks to complete to automate protection from day-zero attacks for your npm and PyPI proxy repositories (the two formats currently supported by Release Integrity within Nexus Firewall):

  1. Create and enable the Audit and Quarantine capabilities for the npm and PyPI proxy repositories.

  2. Enable Policy Compliant Component Selection (PCCS) for the npm proxy repository.

  3. Set the Integrity-Rating policy to Fail at the Proxy stage.

  4. Create the Security-Malicious and Security-Namespace Conflict policies and set them to Fail at the Proxy stage.

  5. Activate Auto-release from Quarantine for Integrity Rating.

Most of these settings are in place by default when you install Nexus Firewall. However, some are configured differently depending on which IQ Server release you started with, so it is worth running through the checks for peace of mind. The best part: once your configuration is set, no further changes or checks are needed, so this is a one-off effort.

Before we start, Sonatype’s Customer Education team has put together an informative video explaining most of what we cover below. It is a great video to set the scene.

Let’s get started!

1. Create and enable the Audit and Quarantine capabilities for the npm and PyPI proxy repositories.

It may be the case that your developers do not use JavaScript or Python today. However, they may start using them in the future and, if you follow these steps, you will be protected from day zero: the minute a developer pulls their first npm or PyPI component, the protection is already in place. This is why we recommend setting up both the npm and PyPI proxy repositories for your organization in Nexus Repository Manager.

In these instructions, we assume that you have already created both the npm and PyPI proxy repositories. If you need help creating such repositories, please leave a comment in this post and we will help you.

In Nexus Repository Manager:

  1. Using the Server Administration and Configuration cog, select System, select Capabilities and “+ Create capability”.
    • Since Nexus Repository is a complex system with many features, some features don’t have a dedicated always-visible UI element to configure them. Capabilities are how you enable these features.
  2. Select IQ: Audit and Quarantine.
    • The Audit and Quarantine features provide a way to protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify and, if desired, prevent a proxy repository from serving unwanted components. Find more information on Using Audit and Quarantine.
  3. Select your already created npm-proxy repository to evaluate. Follow the Quick Start guide if you haven’t created an npm proxy repository.
  4. Check the box under Quarantine to enable for repository.

Then repeat the same steps for the PyPI proxy repository.

2. Enable Policy Compliant Component Selection (PCCS) for the npm proxy repository.

For npm proxy repositories, you’ll need to enable Policy Compliant Component Selection (PCCS). Where developers depend on the latest tag or on version ranges (for example ^1.2.0) rather than pinned versions, this feature serves the most recent policy compliant version of the package instead of a newer one that is quarantined. The setting-the-scene video above explains the motivation behind PCCS well.

  1. Navigate to Nexus Repository Manager.
  2. Select the Server Administration and Settings cog.
  3. Select Repositories.
  4. Select the desired repository.
  5. Check Download policy compliant versions only.
  6. Click Save.
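To make the PCCS behaviour concrete, here is an added example (not code from this post or from Sonatype) that simulates it on a constructed npm packument: the package name, its versions and the quarantine list are all made up, and IQ Server's real policy evaluation is not reproduced. It shows what npm resolves for a dist-tag, a caret range and a tilde range with and without the quarantined versions removed from the metadata.

```python
"""Simulate Policy Compliant Component Selection (PCCS) on an npm packument.

Added example, not code from this post or from Sonatype. It models the
behaviour described above (the proxy hands npm metadata in which quarantined
versions are absent, so "latest" and version ranges resolve to the newest
policy-compliant version) on a constructed packument. The package, its
versions and the quarantine list are made up; IQ Server's real decisions come
from policy evaluation and are not reproduced here.
"""
import re

# Constructed packument: what the registry returns for GET /left-padder.
PACKUMENT = {
    "name": "left-padder",
    "dist-tags": {"latest": "1.4.0"},
    "versions": {v: {} for v in ("1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.4.0", "2.0.0")},
}
# Constructed quarantine state: versions that failed a policy at the Proxy stage.
QUARANTINED = {"1.4.0", "2.0.0"}


def parse(version):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in version.split("."))


def satisfies(version, spec):
    """Tiny semver subset: '*', exact 'x.y.z', caret '^x.y.z', tilde '~x.y.z'."""
    if spec == "*":
        return True
    m = re.fullmatch(r"([\^~]?)(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    op = m.group(1)
    major, minor, patch = (int(x) for x in m.groups()[1:])
    low = (major, minor, patch)
    if op == "":
        return parse(version) == low
    if op == "~":
        high = (major, minor + 1, 0)
    elif major > 0:          # ^1.2.3 -> <2.0.0
        high = (major + 1, 0, 0)
    elif minor > 0:          # ^0.2.3 -> <0.3.0
        high = (0, minor + 1, 0)
    else:                    # ^0.0.3 -> <0.0.4
        high = (0, 0, patch + 1)
    return low <= parse(version) < high


def apply_pccs(packument, quarantined):
    """Metadata as the proxy serves it with PCCS on: quarantined versions are
    removed and any dist-tag that pointed at one is repointed to the newest
    remaining version."""
    kept = {v: m for v, m in packument["versions"].items() if v not in quarantined}
    if not kept:
        return {**packument, "versions": {}, "dist-tags": {}}
    newest = max(kept, key=parse)
    tags = {t: (v if v in kept else newest) for t, v in packument["dist-tags"].items()}
    return {**packument, "versions": kept, "dist-tags": tags}


def resolve(packument, spec):
    """The version the npm client picks for a dependency spec, or None."""
    if not re.match(r"[\^~*\d]", spec):          # a dist-tag such as "latest"
        return packument["dist-tags"].get(spec)
    candidates = [v for v in packument["versions"] if satisfies(v, spec)]
    return max(candidates, key=parse) if candidates else None


def compare(spec):
    """(without PCCS, with PCCS). Without PCCS the client still sees the
    quarantined version, asks for its tarball and the proxy refuses it, so the
    install fails. With PCCS the client never sees it and picks the newest
    compliant version; None means nothing compliant satisfies the spec."""
    return resolve(PACKUMENT, spec), resolve(apply_pccs(PACKUMENT, QUARANTINED), spec)


if __name__ == "__main__":
    for spec in ("latest", "^1.0.0", "~1.4.0", "2.0.0"):
        raw, filtered = compare(spec)
        state = "blocked" if raw in QUARANTINED else "served"
        print(f"{spec:>7}: without PCCS -> {raw} ({state}); with PCCS -> {filtered}")
```

The two cases that resolve to None with PCCS are the ones to explain to developers in advance: a range or exact pin that only a quarantined version can satisfy cannot be served compliantly, so the install fails either way, and the fix is to change the dependency spec rather than the proxy.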


3. Set the Integrity-Rating policy to Fail at the Proxy stage.

This setting should be the default upon Nexus Firewall installation. However, it only takes a few seconds to check that this is the case.

In Nexus IQ Server:

  1. Select Orgs and Policies, then Root Organization, and Policies.
  2. Set the Integrity Rating default policy action to Fail at the Proxy stage and Update.

This policy will help protect repositories from Pending and Suspicious Components.


4. Create the Security-Malicious and Security-Namespace Conflict policies and set them to Fail at the Proxy stage.

For newer IQ server installations, these policies are created by default and set to Fail at the Proxy stage. However, if your original IQ instance was older than release 107, then you must create these two new policies manually, even if you later upgrade your IQ instance to the latest release. This is to preserve your custom policies and all of your existing waivers.

Here are the instructions on how to create the Security-Namespace Conflict policy:

  1. Update your installation to at least IQ Server release 106, as older versions do not support the new policy condition.
  2. Log into IQ Server.
  3. Navigate to the Root Organization. Within the Policies section, choose Add a Policy.

In the policy editor:

  4. Enter “Security-Namespace Conflict” as the name for the new policy and set its threat level to 10.
  5. Set the policy inheritance to All Applications and Repositories.
  6. Add a single constraint named “3rd-party component name conflicts with proprietary component name” which uses the condition “Proprietary Name Conflict is present”.
  7. In the Actions section of the policy, choose Fail for the Proxy stage. The other stages are not applicable to this policy and can remain at No Action.
  8. At the bottom of the screen, click Create to save the new policy.

Now that this policy is active, you need to mark every hosted repository that holds your own packages as Proprietary Components. That flag is what IQ Server compares third-party component names against, and it is what protects those names from Namespace Confusion attacks. To do this:

  1. Navigate to Nexus Repository Manager and Sign In.
  2. Click the cog in the navigation bar. This takes you to the administration menu.
  3. Select Repositories from the sidebar.
  4. Select the hosted repository with your proprietary components.
  5. Click the checkbox under Proprietary Components.
  6. Click Save.
  7. Repeat for each hosted repository that you would like to protect.

Now repeat steps 1 to 8 for the Security-Malicious policy, this time with the constraint name set to “Malicious vulnerability category” and the condition Security Vulnerability Category is Malicious Code, again choosing Fail for the Proxy stage and clicking Create to save the new policy.


5. Activate Auto-release from Quarantine for Integrity Rating.

Finally, when a quarantined package has been fully investigated by Sonatype’s Research team, its Integrity Rating will change from Pending or Suspicious to Normal or Malicious.

Activating Auto-release from Quarantine for Integrity Rating automatically unblocks quarantined packages once our team changes their Integrity Rating to Normal, so the next build downloads the package without any manual intervention. This feature is enabled by default upon installation of Firewall, but it is important to check that it is still enabled.

Here is how to do it:

  1. Select the Firewall tab in Nexus IQ Server.
  2. On the second panel Auto Release from Quarantine Status, select Configure.
  3. Ensure the toggle for Auto Release from Quarantine is on, and Save Changes.

Additional information on Automatic Quarantine Release.
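If you would rather re-run part of this checklist from a script than click through both UIs, here is an added example (not code from this post or from Sonatype) that audits what two documented REST calls can show. It assumes Nexus Repository's GET /service/rest/v1/repositories (name, format and type per repository) and IQ Server's GET /api/v2/policies (name, ownerId and threatLevel per policy, with ROOT_ORGANIZATION_ID identifying the Root Organization); the payloads embedded below are constructed samples in those shapes, and the hypothetical fetch_json helper is the only part that touches the network. The Audit and Quarantine capability, the PCCS checkbox, the Proxy-stage action and the Auto Release toggle are not returned by these calls and still need the UI checks above.

```python
"""Audit the parts of the five checks that two REST calls can see.

Added example, not code from this post or from Sonatype. Assumes the
documented endpoints GET /service/rest/v1/repositories (Nexus Repository)
and GET /api/v2/policies (IQ Server). The payloads below are constructed
samples in those shapes, with invented values.
"""
import base64
import json
import urllib.request

ROOT = "ROOT_ORGANIZATION_ID"          # owner id of Root Organization policies
REQUIRED_PROXY_FORMATS = {"npm", "pypi"}
REQUIRED_ROOT_POLICIES = {"Integrity-Rating", "Security-Malicious", "Security-Namespace Conflict"}
THREAT_LEVEL_10 = {"Security-Malicious", "Security-Namespace Conflict"}

# Constructed sample of GET /service/rest/v1/repositories (fields trimmed).
NXRM_REPOSITORIES = json.loads("""[
  {"name": "npm-proxy",     "format": "npm",    "type": "proxy"},
  {"name": "npm-hosted",    "format": "npm",    "type": "hosted"},
  {"name": "maven-central", "format": "maven2", "type": "proxy"}
]""")

# Constructed sample of GET /api/v2/policies (fields trimmed, values invented).
IQ_POLICIES = json.loads("""{"policies": [
  {"id": "p1", "name": "Integrity-Rating",            "ownerId": "ROOT_ORGANIZATION_ID", "threatLevel": 10},
  {"id": "p2", "name": "Security-Malicious",          "ownerId": "ROOT_ORGANIZATION_ID", "threatLevel": 10},
  {"id": "p3", "name": "Security-Namespace Conflict", "ownerId": "app-0001",             "threatLevel": 10}
]}""")


def fetch_json(url, user, password):
    """Hypothetical helper: GET a JSON document with HTTP basic auth.
    Not called by the offline run below; use it to replace the samples."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def proxy_formats(repos):
    """Formats with at least one proxy repository (step 1 needs npm and pypi)."""
    return {r["format"] for r in repos if r["type"] == "proxy"}


def root_policies(payload):
    """Policy name -> threat level for policies owned by Root Organization.
    A policy with the right name created on an application or child
    organization does not count: the checks above create them at the root so
    every application and repository inherits them."""
    return {p["name"]: p["threatLevel"] for p in payload["policies"] if p["ownerId"] == ROOT}


def audit(repos, policies):
    """Return {check: (ok, detail)} for everything the two payloads can show."""
    formats = proxy_formats(repos)
    at_root = root_policies(policies)
    results = {}
    for fmt in sorted(REQUIRED_PROXY_FORMATS):
        results[f"proxy repository for {fmt}"] = (fmt in formats, f"proxy formats: {sorted(formats)}")
    for name in sorted(REQUIRED_ROOT_POLICIES):
        present = name in at_root
        results[f"root policy {name}"] = (present, "present" if present else "missing at Root Organization")
        if present and name in THREAT_LEVEL_10:
            results[f"{name} threat level 10"] = (at_root[name] == 10, f"threat level {at_root[name]}")
    return results


if __name__ == "__main__":
    for check, (ok, detail) in audit(NXRM_REPOSITORIES, IQ_POLICIES).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {check}: {detail}")
```

On the constructed sample the audit fails twice: there is no PyPI proxy repository, and Security-Namespace Conflict exists but was created on an application instead of Root Organization, so it does not inherit to the proxy repositories. Both are exactly the misconfigurations the manual checks above are meant to catch.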

Important: These changes will impact your Software Development Life Cycle by stopping suspicious and malicious packages from being downloaded and used in your builds. Your developers might be unable to build if they are trying to use suspicious and malicious packages. Therefore, it is important to explain these changes to the developer community so they are prepared.

3 Likes

Additionally, we encourage you to check out Getting Started with Nexus Firewall on Sonatype Learn.

1 Like

If you needed even more reasons to perform these checks, Sonatype’s Customer Education team has prepared this short video explaining why you should act now to protect yourself from bad actors.