Security Questions - Maven


Security Questions - Maven

Jack O'Connor
Hello,
My company is considering using Apache Maven but I need some answers to some
security questions.  I hope someone out there can help me out.
1) Is the software compliant with U.S. Federal Information Processing
Standard (FIPS) 140-2?

2) Is any third party software bundled with the software?

3) Can the software export security related audit trails to external
collection systems, such as syslog or ArcSight?

5) Are user accounts required or optional?
Thank you!
Jack


RE: [maven] Security Questions - Maven

jpyeron
See responses inline.

> -----Original Message-----
> From: Jack O'Connor [mailto:[hidden email]]
> Sent: Monday, November 26, 2018 9:11 PM
> To: [hidden email]
> Subject: [maven] Security Questions - Maven
>
> Hello,
>
>
>
> My company is considering using Apache Maven but I need some answers to
> some
> security questions.  I hope someone out there can help me out.
>
>
>
> 1) Is the software compliant with U.S. Federal Information Processing
> Standard (FIPS) 140-2?
>

You will need to use a compliant or certified JRE/JDK configuration. Maven inherits the status of the JVM.

> 2) Is any third party software bundled with the software?

Please refer to the lib directory for all 3rd party libraries. There are no third party executables.

>
> 3) Can the software export security related audit trails to external
> collection systems, such as syslog or ArcSight?

Yes, you will need to ensure the logging properties are configured to do so.

>
> 5) Are user accounts required or optional?
>

Not applicable.

>
>
> Thank you!
>
>
>
> Jack



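The reply to question 2 points at the lib directory of the distribution as the inventory of bundled third-party code. What a practitioner actually wants from that directory is a record of each jar's identity and a hash that can be compared against an approved baseline on every install. The script below is an added example, not code from the Maven project or from either poster: it assumes the layout of a Maven binary distribution (apache-maven-<version>/lib/*.jar) and reads each jar's META-INF/MANIFEST.MF for name and version metadata. The two jars it inventories are constructed in a temporary directory so the example runs offline; point `inventory_lib` at a real lib directory to inventory an actual installation.

```python
"""Inventory the third-party jars bundled in a Maven distribution's lib/ directory.

Added example; not code from the Maven project. Assumes the binary-distribution
layout (apache-maven-<ver>/lib/*.jar) and standard jar manifest attributes.
The sample jars built by make_sample_lib() are constructed test data.
"""
import hashlib
import os
import tempfile
import zipfile


def read_manifest(jar_path):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict.

    Manifest lines longer than 72 bytes are folded onto continuation lines that
    begin with a single space; those are joined back onto the previous key.
    """
    attrs = {}
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return attrs  # jar without a manifest
    last_key = None
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, val = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = val.strip()
    return attrs


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_lib(lib_dir):
    """Return one record per jar: file name, SHA-256 and manifest-derived identity."""
    records = []
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(lib_dir, name)
        m = read_manifest(path)
        records.append({
            "file": name,
            "sha256": sha256_file(path),
            # OSGi bundle headers first, plain jar manifest attributes as fallback
            "name": m.get("Bundle-SymbolicName") or m.get("Implementation-Title") or "",
            "version": m.get("Bundle-Version") or m.get("Implementation-Version") or "",
            "vendor": m.get("Bundle-Vendor") or m.get("Implementation-Vendor") or "",
        })
    return records


def unexpected_jars(records, baseline):
    """Records whose file name is missing from the baseline or whose digest differs.

    baseline maps jar file name -> approved SHA-256 hex digest.
    """
    return [r for r in records if baseline.get(r["file"]) != r["sha256"]]


def make_sample_lib():
    """Build a fake lib/ with two jars (constructed data, not real Maven jars)."""
    lib = tempfile.mkdtemp(prefix="maven-lib-")
    manifests = {
        "maven-core-9.9.9.jar": (
            "Manifest-Version: 1.0\n"
            "Implementation-Title: Maven Core\n"
            "Implementation-Version: 9.9.9\n"
            "Implementation-Vendor: The Apache Software Foundation\n\n"
        ),
        "some-lib-1.2.3.jar": (
            "Manifest-Version: 1.0\n"
            "Bundle-SymbolicName: org.example.somelib\n"
            "Bundle-Version: 1.2.3\n\n"
        ),
    }
    for fname, manifest in manifests.items():
        with zipfile.ZipFile(os.path.join(lib, fname), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    return lib


if __name__ == "__main__":
    lib = os.environ.get("MAVEN_LIB_DIR") or make_sample_lib()
    for rec in inventory_lib(lib):
        print(rec)
```

Run it once on a freshly downloaded, signature-verified distribution to produce the baseline, store that file-to-digest map with the build configuration, and run `unexpected_jars` against it at provisioning time; any jar that is added, removed or modified in lib/ then shows up as a finding rather than silently shipping with the tool.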


Re: Security Questions - Maven

Bernd Eckenfels
Hello,

> 1) Is the software compliant with U.S. Federal Information Processing
> Standard (FIPS) 140-2?

Maven is modular open source; there is no single "Maven" body of work. When you use it, it dynamically uses plugins from various sources, so it is hard to answer general questions about its properties (and by extension makes it hard to be certified to anything). Generally speaking, most plugins use the Java VM and standard libraries, so you could argue that most of its cryptographic operations are done by the JCE in the JVM.

While there are JVM cryptographic extensions and JVMs which claim to be FIPS Level 1 compliant, it is generally a very long stretch to call software running on those FIPS compliant, partially because FIPS has some quite impossible restrictions and requires a tightly controlled environment. (I will spare us all the discussion of how useful I think FIPS 140-2 certifications are.)

> 2) Is any third party software bundled with the software?

Of course; most of the Maven plugins use open source libraries from all over the world. The software directly delivered with Maven core binary distributions is generally compatible with the ASL and the requirements of the ASF for dependencies. This does not apply to all plugins.

> 3) Can the software export security related audit trails to external collection systems, such as syslog or ArcSight?

See my answer to 1; this seems to be a flawed understanding of development tools. Having said that, you can of course parse Maven output in some specific context (or change its log format). But it is more a question of which CI, repository and SCM server to use; those would benefit from audit logs more than a command line tool.

> 5) Are user accounts required or optional?

Maven runs under the invoking user (which has to have an account on the development machine, of course). There are some plugins which can interface with external systems or require credentials for services, depending on how you set them up.

BTW: I cannot really say what is going wrong in this acquisition evaluation, but the questions really do not make much sense for an open source command line development tool. Instead of answering them I would question whether the general classification which led you to research them is correct.

Having said that, a secure software development process/SDLC is a good thing to plan in advance; you should get some architects on board who can help you with that. A requisition checklist won't do you any good for that.

Regards,
Bernd
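Both replies to question 3 come down to the same point: Maven prints build output rather than audit records, so any audit trail has to be derived by parsing that output. The script below is an added example, not code from the Maven project or from either poster, showing what that looks like for the one class of build event a security team usually cares about most, the artifacts fetched from remote repositories. It assumes the "Downloading from <repo-id>: <url>" and "Downloaded from <repo-id>: <url> (<size> at <rate>)" lines printed by Maven 3.x and the standard repository layout (<groupId as path>/<artifactId>/<version>/<file>); both are assumptions about the output format and may differ between Maven versions. The build output it parses and the repository names in it are constructed sample data.

```python
"""Derive structured audit events from Maven build output.

Added example; not code from the Maven project. Assumes Maven 3.x
"Downloading from"/"Downloaded from" lines and the standard repository
layout; both are assumptions and may differ between Maven versions.
"""
import json
import logging
import logging.handlers
import re
from urllib.parse import urlsplit

DOWNLOAD_RE = re.compile(
    r"^\[(?P<level>[A-Z]+)\]\s+Download(?P<state>ing|ed) from (?P<repo>\S+): (?P<url>\S+)"
    r"(?:\s+\((?P<size>[^)]*)\))?\s*$"
)

# Constructed sample build output; the "shady" repository and its host are invented.
SAMPLE_OUTPUT = """\
[INFO] Scanning for projects...
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-clean-plugin-3.1.0.pom
[INFO] Downloaded from central: https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/3.1.0/maven-clean-plugin-3.1.0.pom (5.2 kB at 17 kB/s)
[INFO] Downloading from shady: http://mirror.example.test/repo/com/example/widget/1.0/widget-1.0.jar
[INFO] BUILD SUCCESS
"""

# Repository ids the build is allowed to use, mapped to their base URL.
KNOWN_REPOS = {"central": "https://repo.maven.apache.org/maven2/"}


def parse_coordinates(rel_path):
    """Map a path relative to the repository base to Maven coordinates."""
    parts = rel_path.strip("/").split("/")
    if len(parts) < 4:  # need at least <group>/<artifact>/<version>/<file>
        return None
    return {
        "group_id": ".".join(parts[:-3]),
        "artifact_id": parts[-3],
        "version": parts[-2],
        "file": parts[-1],
    }


def audit_event(line, known_repos):
    """Return an audit record for a download line, or None for any other line."""
    m = DOWNLOAD_RE.match(line)
    if not m:
        return None
    repo, url = m.group("repo"), m.group("url")
    alerts, coords = [], None
    base = known_repos.get(repo)
    if base is None:
        alerts.append("unknown-repository")
    elif not url.startswith(base):
        alerts.append("url-outside-repository-base")
    else:
        coords = parse_coordinates(url[len(base):])
    if urlsplit(url).scheme != "https":
        alerts.append("insecure-transport")
    return {
        "event": "artifact-download-" + ("start" if m.group("state") == "ing" else "complete"),
        "repository": repo,
        "url": url,
        "coordinates": coords,
        "size": m.group("size"),
        "alerts": alerts,
    }


def audit_events(output, known_repos=KNOWN_REPOS):
    events = (audit_event(line, known_repos) for line in output.splitlines())
    return [e for e in events if e is not None]


def to_jsonl(events):
    """One JSON object per line, the shape most collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def ship_to_syslog(events, address=("localhost", 514)):
    """Forward each event as a syslog message (UDP, so no listener is required)."""
    handler = logging.handlers.SysLogHandler(address=address)
    logger = logging.getLogger("maven-audit")
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    for e in events:
        logger.info(json.dumps(e, sort_keys=True))
    logger.removeHandler(handler)
    handler.close()


if __name__ == "__main__":
    print(to_jsonl(audit_events(SAMPLE_OUTPUT)))
```

Feed it the captured output of a real build (for example `mvn -B ... | tee build.log`) and the unknown-repository and insecure-transport alerts flag the two findings that matter for a build audit: artifacts pulled from a repository the build was not configured to trust, and artifacts fetched over plain HTTP.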