Enterprise Data Science
Sep 28, 2021


SECURING THE OPEN-SOURCE PIPELINE WITH ANACONDA CVE CURATION

Team Anaconda

4min




Build and protect a secure repository fueled by accurate and curated CVE risk
and vulnerability scores. Fully leverage open-source software for enterprise use
with Anaconda’s CVE curation services.

--------------------------------------------------------------------------------


THE WORLD OF OPEN-SOURCE PACKAGES

Open-source software draws on the power of its community to fuel innovation.
Anyone in the world can use, study, change, or distribute the source code for
any reason, and hundreds of thousands of packages are published into the world of
open-source software (OSS). It is the Wild West of source code: OSS, while the
backbone of innovation, is often error-prone, riddled with security risks, and
unstable. Using OSS in the enterprise requires vigilance, time, and expertise to
ensure fidelity and stability in your environment. To complicate matters further,
OSS often relies on other OSS; these are called package dependencies.

Visualization of package dependencies in open source.

Hundreds of thousands of OSS packages rely on hundreds of thousands of other OSS
packages, resulting in a highly complex dependency map. A complicated dependency
map means a complex package supply chain, and a complex package supply chain
represents a significantly increased level of vulnerability.

Any miscalculation in trusting packages in the dependency tree can lead to
vulnerabilities spreading across your entire network.


“$350,000,000 in cryptocurrency was paid to hackers in 2020, a 311% increase
from the prior year.” – Chainalysis


THE ANACONDA WAY

Anaconda’s answer to the OSS world is Anaconda Individual Edition, which
includes Conda, a cross-platform package and environment management system
maintained by Anaconda. Anaconda Individual Edition ships more than 300 of the
most popular Python and R data science and machine learning packages, rigorously
tested for compatibility, giving data science practitioners faster and easier
access to them.

However, managing dependencies does not eliminate risk. Given the sheer number
of Python and R packages and their dependencies, the packages themselves are
still not free of security vulnerabilities and exposures. Imagine the effort
that goes into Wikipedia’s fact-checking!


HOW DO WE DEAL WITH RISK AND VULNERABILITIES IN OSS, THEN?

Users can consult publicly available databases that flag packages for common
vulnerabilities and exposures (CVEs), such as the U.S. National Vulnerability
Database (NVD) maintained by the National Institute of Standards and Technology
(NIST), to learn the vulnerability status of open-source packages. In addition,
organizations can run a CVE scanner to reveal the CVEs present in their
environments.

Scanning for NIST/NVD-reported CVEs, combined with a package management system
that lets organizations control which packages enter their environments, helps
combat the inherent risk and vulnerabilities in OSS. However, NVD records are
flagged and reported regardless of accuracy, origin, or scope, which inflates
the number of false positives among the CVEs.

For example, suppose a vulnerability is flagged in Django 2.1. NVD will then
report every later version of Django as vulnerable, even if Django 2.2 fixed
the problem.

If organizations rely solely on NVD/NIST-generated CVEs, many packages will fail
enterprise-grade security policies, because the records imply that no fix and no
update option exist. Anaconda Team Edition’s curation process takes a different
approach, ensuring users can access the open-source packages and dependencies
they need while keeping enterprise security standards at the forefront.


ANACONDA’S HUMAN CVE CURATION

Anaconda Team Edition’s answer to an inflated CVE database is manual curation of
the NIST/NVD-generated CVEs: Anaconda’s curation team reviews each flagged
package, verifies which software the CVE actually affects, and assigns a curated
CVE status and score.

Returning to the earlier example, Anaconda’s CVE curation team would update the
Django CVE to state that it applies only to Django >=2.1,<2.2, informing users
that the newest version is patched, free of that CVE, and safe to use.

Every CVE receives a Common Vulnerability Scoring System (CVSS) score from
NIST/NVD, ranging from 1-10, with 10 the most severe. Anaconda’s curation lets
organizations trust these scores and filter CVEs by status and CVSS, admitting
only packages that pass internal security policies into their workflows.

WHAT DOES ANACONDA’S CVE CURATION LOOK LIKE?

Every curated CVE carries one of the following statuses:

 * Reported (all CVEs that come from NIST/NVD),

 * Active (the vulnerability is still potentially active),

 * Cleared (the vulnerability has been analyzed and determined not to be
   applicable),

 * Mitigated (the vulnerability was proactively mitigated with a code patch), or

 * Disputed (the vulnerability’s legitimacy was disputed by an upstream project
   maintainer or other community members).
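
Applying the curated statuses above and the Django version range from the earlier example to an environment's package list, as an added example that is not part of the original post: the CVE ids, scores, package versions and the `max_cvss` policy threshold are constructed placeholders, and versions are assumed to be purely numeric and dotted.

```python
# Added example (not Anaconda's code): applying curated CVE records to the
# packages in an environment under a simple internal security policy.
import re
from dataclasses import dataclass

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}
_CLAUSE = re.compile(r"^(>=|<=|==|>|<)\s*([0-9.]+)$")

def parse_version(text):
    """'2.2.5' -> (2, 2, 5); assumes purely numeric dotted versions."""
    return tuple(int(p) for p in text.split("."))

def matches_spec(version, spec):
    """True when version satisfies every clause of spec, e.g. '>=2.1,<2.2'.
    '*' is the uncurated NVD-style record that applies to every version."""
    if spec.strip() == "*":
        return True
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True

@dataclass(frozen=True)
class CuratedCVE:
    cve_id: str
    package: str
    spec: str      # affected versions; '*' = every version (as NVD reports it)
    status: str    # Reported | Active | Cleared | Mitigated | Disputed
    cvss: float    # CVSS base score
BLOCKING_STATUSES = {"Reported", "Active"}   # Cleared/Mitigated/Disputed pass

def blocking_cves(package, version, cves, max_cvss=7.0):
    """CVE ids that stop (package, version) under the policy: applicable to the
    installed version, still Reported/Active, and scored at or above max_cvss."""
    return [c.cve_id for c in cves
            if c.package == package and matches_spec(version, c.spec)
            and c.status in BLOCKING_STATUSES and c.cvss >= max_cvss]

def audit(environment, cves):  # {package: blocking CVE ids}; [] means it passes
    return {name: blocking_cves(name, ver, cves) for name, ver in environment.items()}

# Constructed records: one flaw as NVD reports it (all versions) and after curation.
RAW_RECORD = CuratedCVE("CVE-0000-0001", "django", "*", "Reported", 7.5)
CURATED_RECORD = CuratedCVE("CVE-0000-0001", "django", ">=2.1,<2.2", "Active", 7.5)
CLEARED_RECORD = CuratedCVE("CVE-0000-0002", "numpy", "*", "Cleared", 9.8)
ENVIRONMENT = {"django": "2.2.5", "numpy": "1.21.2"}   # constructed environment
```

With the raw record, `audit(ENVIRONMENT, [RAW_RECORD, CLEARED_RECORD])` blocks django 2.2.5; with the curated range it passes, while django 2.1.3 is still blocked.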

Altogether, Anaconda’s CVE curation provides actionable and meaningful CVE
reporting so OSS can be fully leveraged at the enterprise level and data
scientists can focus on building models.

A SECURE REPOSITORY, ONCE AND FOR ALL

Now that you have a repository of Anaconda-curated OSS, you’ve locked risks and
vulnerabilities out of your source code. But how do we maintain this secured
environment?

In comes repository mirroring. A mirror is a copy of a repository that gives
users access to packages from a centralized location, on-premises or in the
cloud. A mirror can be complete, partial, or limited to specific packages. By
hosting the copy on your own server, you give users behind a firewall access to
OSS while severing the online relationship between your copy and the wider OSS
network.

Mirrored repositories can sit behind a “middle-man” or be completely offline.
Repositories with a middle-man (known as a proxy) allow inbound and outbound
connections only through a designated port, which drastically reduces your
attack surface. Completely offline repositories are called “air-gapped”
repositories: there is no inbound or outbound internet connection at all. This
is the most secure type of repository, as there is virtually no network attack
surface to speak of.

Mirroring your repository also creates a stable environment for your
organization. A mirrored repository is a “point in time” copy, so every user of
the repository sees the same package versions, ensuring consistency and
compatibility across the organization.

Secure and stabilize packages behind your firewall.

Take advantage of Anaconda Team Edition to secure your open-source pipeline so
your team can spend more time building models, analyzing data, and making
data-driven decisions.

