In the news

Stay up to date on what’s new at Sonatype.

March 16, 2021 - Sonatype acquires MuseDev, expands Nexus code analysis platform

Sonatype, which provides tools for developers to build better quality software, has acquired code analysis platform MuseDev. The acquisition adds developer-friendly code scanning to Sonatype’s platform to create a “full-spectrum” software supply chain management platform, company CEO Wayne Jackson said.

March 16, 2021 - Sonatype Acquires MuseDev to Add Code Analysis

Sonatype today revealed it has acquired MuseDev, a provider of a code analysis tool, in addition to updating its Nexus platform for discovering vulnerabilities in software supply chains.

December 31, 2020 - For CIOs, There’s No Place Like Home (Office)

CIOs describe their home office setup: Pets, antiques, toys and clear access to coffee

December 23, 2020 - CIOs Expect Tech Investments to Climb in 2021

Rapid tech deployments during the pandemic have acted as a proof-of-concept for a range of digital projects

December 18, 2020 - SolarWinds, the World’s Biggest Security Failure and Open Source’s Better Answer

Open source is not the one that’s inherently insecure. Proprietary software — a black box where you can never know what’s really going on — is now, always has been, and always will be more of a security problem. There are many ways to find those open source mistakes. For instance, you can look to Sonatype Nexus Lifecycle for a third-party code analysis tool.

December 09, 2020 - The future of DevOps: 21 predictions for 2021

More developers will move to application security's front lines. By 2024, 40% of development teams will make it into the high-performer category, up from 25% today, demonstrating both high-velocity releases and strong security outcomes. The bad news is that adversaries will continue to outpace them when it comes to finding successful exploit paths to new vulnerabilities.

October 13, 2020 - Sonatype: what dependency management did next (generation)

Sonatype's latest Advanced Development Pack is designed to change how teams manage code dependencies. 

October 07, 2020 - Sonatype Advances Open Source Code Quality, Security

Sonatype launched an Advanced Development Pack service that surfaces dependencies between open source components in a way that makes it easier for developers to know which ones to employ to build the most secure application possible and what components offer the simplest upgrade path.

October 07, 2020 - Sonatype helps development teams handle code dependencies

Because so much of modern development is reliant on modular components, developers often face the issue of dependency upgrades that break the functionality of their application. In order to help teams manage this problem Sonatype is launching an Advanced Development Pack that changes the way dependencies are handled.

October 06, 2020 - Open source security: Malicious NPM packages broadcast sensitive user data online

Sonatype security researchers discovered two malicious NPM packages that, if unwittingly downloaded by developers, published users’ IP addresses, usernames, and device fingerprint data online.

October 06, 2020 - Four npm packages found uploading user details on a GitHub page

Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.

October 01, 2020 - Sonatype Finds 'Typosquatting' Packages in npm

Researchers at Sonatype, a leader in the DevSecOps and repository management space, discovered and confirmed the presence of new vulnerable npm packages this week. The packages exfiltrate/broadcast the target's IP, username, and device fingerprint info onto a public GitHub page where anyone can gain access.

August 21, 2020 - 'Next-Gen' Supply Chain Attacks Surge 430%

As commercial and enterprise software developers become more disciplined about keeping their open source software components updated to reduce the risk of software supply chain attacks, the bad guys are getting craftier: Researchers warn that they're over-running open source projects to turn them into malware distribution channels.

August 13, 2020 - The state of application security: What the statistics tell us

Companies are moving toward a DevSecOps approach to application development, but problems remain with security testing ownership and open-source code vulnerabilities.

August 13, 2020 - Open Source Supply Chain Attacks Surge 430%

Security experts are warning of a 430% year-on-year increase in attacks targeting open source components directly in order to covertly infect key software supply chains.

August 12, 2020 - Report: A 430% increase in next-generation supply chain attacks in the last year

The past year saw a 430% increase in next-generation cyber attacks aimed at actively infiltrating open source software supply chains, according to the 2020 State of the Software Supply Chain report. 

August 12, 2020 - High performing developers release more often

The highest performing developers put out releases 15 times more often and are 26 times faster to detect and fix open source vulnerabilities than their low performing counterparts, according to a new study.

August 12, 2020 - ‘Open Season on Open Source,’ Supply Chain Survey Warns

In its annual report on the state of the software supply chain, security specialist Sonatype foresees no let-up in the shift to open source tools, noting that up to 90 percent of the code components used by developers are widely available. That all-time high is occurring despite what the company describes as a “massive increase” in software supply chain attacks.

August 12, 2020 - Upstream attacks on open source ecosystem up 400% as criminals seek to compromise applications at scale

There has been a dramatic surge in cyber-attacks in which malicious components are planted in open source libraries, a new report reveals. Sonatype’s sixth annual State of the Software Supply Chain report recorded a 430% rise in these “next generation” attacks, which proactively seed the open source ecosystem with vulnerabilities rather than leveraging previously disclosed zero-day flaws.

July 29, 2020 - Sonatype ranks sixth on Fast Company’s Best Workplaces for Innovators

The open-source software development company encourages employees to take one day every other week to work on a passion project—more than half of Sonatype’s products began as “innovation day” experiments.

July 23, 2020 - What is DevSecOps? Why it's hard to do well

DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.

June 25, 2020 - Second Annual Cybersecurity Impact Awards Announces Honorees

The 2nd Annual Cybersecurity Impact Awards identified and recognized multiple honorees (individuals and businesses) located in Washington, D.C., Maryland and Virginia (DMV) for their leadership and innovation within the cybersecurity industry.

June 19, 2020 - Interview: Sonatype’s Brian Fox on open source security and ‘drama-free’ DevSecOps

In this interview, Sonatype's CTO Brian Fox talks about how the persistence of cumbersome legacy approaches is more problematic than ever, with malicious actors increasingly targeting applications, becoming faster at exploiting vulnerabilities, and planting malicious components in open source libraries.

June 3, 2020 - Sonatype’s Nexus Platform Offers Three New DevOps Integrations for Atlassian

“We’ve analyzed over 70 million open source software components to ensure developers have rapid, precise access to information about their quality and security,” says Brian Fox, co-founder and CTO of Sonatype. “The Atlassian integrations benefit from Sonatype’s deep, precise data. Not only is our database of vulnerable components 70% larger than other market alternatives, our data is curated to provide the most value and insight for the developers who need it.”

June 1, 2020 - Octopus Scanner malware infected GitHub repositories & developers’ devices

“The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users,” says Brian Fox, CTO at open source software security specialist Sonatype.

June 1, 2020 - How Octopus Scanner malware attacked the open source supply chain

Brian Fox, CTO at open source software security specialist Sonatype, commented that what makes Octopus Scanner so dangerous is that infects developer tools that subsequently infect all of the projects they are working on, impacting their team or community of open source users.

May 27, 2020 - It's All in the Feedback Loops

Listen to the episode to learn:

Why continuous learning is such a great thing
How visualizing feedback loops makes DevOps easier to grasp
What DevSecOps looks like in the real world

May 21, 2020 - Productivity and WFH: Developers slow to bounce back worldwide as lockdown lifts

"These declines are especially apparent when comparing year over year activity levels, where one can see predictable and repeated declines around December holidays, Easter breaks, and summer vacations," he said. "Yet in the face of every developer shifting from a seat at the office to one at the kitchen table, the rebounds were less apparent or simply non-existent." -- Brian Fox, CTO and co-founder of Sonatype

May 20, 2020 - Five Reasons Happy Developers Build in Better Security

Happy developers are more productive, build more secure code, innovate faster and are better for business.

May 20, 2020 - 16 cybersecurity startups that are promising even in a down economy

Sonatype addresses security issues in open-source code by helping developers ensure that it's safe.

May 8, 2020 - The Hot 150 Cybersecurity Companies To Watch In 2020

Sonatype places on the annual list of the world’s hottest pure-play cybersecurity companies

April 13, 2020 - Secure Your Golang Projects Using Nancy

Nancy is a command line application, written in Golang by the Golang community and sponsored by Sonatype. It uses Sonatype’s OSS Index to check your dependencies for publicly filed vulnerabilities.
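The check Nancy performs, reduced to its two data-handling steps as an added example in Go (this is not Nancy's or Sonatype's code): read the stream that `go list -json -deps ./...` produces, build `pkg:golang/<module>@<version>` coordinates for the modules that actually ship (skipping the standard library and the main module, and following replace directives), then read a component report in the shape OSS Index returns and flag coordinates with a finding at or above a CVSS threshold. The go list sample and the component report are constructed for this example; the module paths and the EXAMPLE-0001 finding are fictional, the exact version encoding OSS Index expects for Go coordinates should be checked against its documentation, and the CVSS threshold is this example's own policy knob rather than a Nancy option.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// goListPackage is the subset of `go list -json -deps` output used here. go list emits
// a stream of JSON objects, one per package (not an array), so it needs a Decoder loop.
type goListPackage struct {
	ImportPath string
	Standard   bool
	Module     *struct {
		Path, Version string
		Replace       *struct{ Path, Version string }
	}
}

// coordinatesFromGoList turns that stream into deduplicated, sorted coordinates of the form
// pkg:golang/<module>@<version>; std and the main module are skipped, replacements win.
func coordinatesFromGoList(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	seen := map[string]bool{}
	for {
		var p goListPackage
		if err := dec.Decode(&p); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		mod := p.Module
		if p.Standard || mod == nil {
			continue
		}
		if mod.Replace != nil { // the replacement is the code that is actually compiled in
			mod.Path, mod.Version = mod.Replace.Path, mod.Replace.Version
		}
		if mod.Version == "" { // main module, or a replace pointing at a local directory
			continue
		}
		seen["pkg:golang/"+mod.Path+"@"+mod.Version] = true
	}
	coords := make([]string, 0, len(seen))
	for c := range seen {
		coords = append(coords, c)
	}
	sort.Strings(coords)
	return coords, nil
}

// ossIndexReport mirrors the fields of one entry in an OSS Index component report.
type ossIndexReport struct {
	Coordinates     string `json:"coordinates"`
	Vulnerabilities []struct {
		ID        string  `json:"id"`
		CvssScore float64 `json:"cvssScore"`
	} `json:"vulnerabilities"`
}

// vulnerableCoordinates returns coordinates with at least one finding scored >= minScore.
func vulnerableCoordinates(report []byte, minScore float64) ([]string, error) {
	var entries []ossIndexReport
	if err := json.Unmarshal(report, &entries); err != nil {
		return nil, fmt.Errorf("decoding component report: %w", err)
	}
	var flagged []string
	for _, e := range entries {
		for _, v := range e.Vulnerabilities {
			if v.CvssScore >= minScore {
				flagged = append(flagged, e.Coordinates)
				break
			}
		}
	}
	return flagged, nil
}

// Constructed sample of `go list -json -deps ./...` output; the module paths are fictional.
const sampleGoList = `
{"ImportPath": "fmt", "Standard": true}
{"ImportPath": "example.com/app", "Module": {"Path": "example.com/app"}}
{"ImportPath": "example.com/lib/parse", "Module": {"Path": "example.com/lib", "Version": "v1.2.3", "Replace": {"Path": "example.com/fork/lib", "Version": "v1.2.4"}}}
{"ImportPath": "example.com/textutil", "Module": {"Path": "example.com/textutil", "Version": "v0.3.0"}}
{"ImportPath": "example.com/textutil/width", "Module": {"Path": "example.com/textutil", "Version": "v0.3.0"}}
`

// Constructed component report in the shape OSS Index returns; EXAMPLE-0001 is a made-up finding.
const sampleReport = `[
{"coordinates": "pkg:golang/example.com/fork/lib@v1.2.4", "vulnerabilities": []},
{"coordinates": "pkg:golang/example.com/textutil@v0.3.0", "vulnerabilities": [{"id": "EXAMPLE-0001", "cvssScore": 7.5}]}
]`

func main() {
	coords, err := coordinatesFromGoList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	flagged, err := vulnerableCoordinates([]byte(sampleReport), 4.0)
	if err != nil {
		panic(err)
	}
	fmt.Println("query:", coords, "vulnerable:", flagged)
}
```

Two details matter in practice: the two `example.com/textutil` packages collapse to one coordinate, so the lookup is per module rather than per package, and the replaced `example.com/lib` is queried as `example.com/fork/lib@v1.2.4`, because a report on the version named in go.mod would describe code that never reaches the binary.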

April 10, 2020 - The New Stack Context: The Secret of Successful DevSecOps Shops

[W]e spoke with Derek Weeks, vice president at Sonatype, about the results of a new community survey the company just released on DevSecOps that provides some insights on how teams are incorporating automated security tools and how that shift affects company culture and developer happiness.

April 7, 2020 - Happy developers write secure code, report claims

“By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.”

April 7, 2020 - Happy Devs like DevOps, but not necessarily managers, other Devs…

Sticking with the happiness metric, Sonatype concluded job satisfaction was higher in mature DevOps practices, with 92 per cent of devs in such teams declaring themselves satisfied, compared to 61 per cent of those in immature groups.

April 7, 2020 - DevSecOps Survey: You need happy developers to build secure software

Don’t get me wrong. Developers are my people. I surveyed over 5,000 of them from 102 countries to learn more about my tribe. And when I looked at the data, distinct patterns emerged. The fault lines run right along the upside-down frowns.

March 27, 2020 - Open Source Developers Are Security’s New Front Line

“The world is now in an unprecedented experiment where most of the development force is no longer working in secure networks, safe in corporate security and restricted by their cut-off networks. In this new world, the role of open source software is going to just increase, and has become its critical infrastructure,” said Ilkka Turunen, global director of pre-sales at open source security provider Sonatype.

March 16, 2020 - Microsoft's GitHub absorbs NPM into its code-hosting empire

Brian Fox, co-founder and CTO of Sonatype, which runs Java-focused Maven Central Repository, said it's important that critical open source infrastructure is well managed. It makes sense, he said, that NPM would "lean into Microsoft and GitHub to further their mission."

March 16, 2020 - GitHub's NPM Acquisition Will Boost JavaScript Security

Public code repositories are critical infrastructure, and maintaining code repositories in a reliable and trustworthy way can be challenging and expensive, said Brian Fox, co-founder and CTO of Sonatype. Sonatype maintains Maven Central, a repository for Java components. 

March 9, 2020 - Cloud And Open Source Can Reinvent Tech Conferences In The COVID-19 (And Carbon-Negative) Era

Actually, we could start with the obvious, and look at successful tech events that are already virtual-only. Events such as All Day DevOps, Global DevOps Bootcamp, and HashiTalks point the way for developer-focused events run by communities and vendors alike.

February 10, 2020 - What Is DevSecOps and How to Enable It on Your SDLC?

For the past three to four years, companies across the IT world have adopted agile and other application development methodologies that leverage the work of different departments or areas and help them develop new products and release new features to improve their processes and infrastructure.

January 27, 2020 - New IoT Security Regulations: The Devil’s in the Details

New IoT security regulations are a welcome move to shore up security, but the devil is in the detail, and many questions remain unanswered.

January 27, 2020 - Facebook's Nick Clegg claims Whatsapp messages “cannot be hacked"

Facebook exec Nick Clegg has received criticism over comments suggesting that end-to-end encrypted Whatsapp messages could not be hacked. 

January 21, 2020 - Sonatype: Secure code with less hassle

Sonatype’s Jason Green and Derek Weeks discuss how their company can reduce cost and increase cybersecurity for federal agencies.

November 26, 2019 - Open Source Code Security and Your Enterprise

The average enterprise is relying upon about 3,500 open source projects to support faster software development. Unfortunately, external suppliers of the code are often chosen based on popularity or familiarity rather than code quality. Vice President at Sonatype and the co-founder of All Day DevOps Derek Weeks sat down with us to discuss open source…

November 12, 2019 - Sonatype Delivers Premium Open Source Controls to GitHub Users

New Integrations Deliver Enterprise-Grade Open Source Governance and Dependency Management to Millions of GitHub Developers

November 12, 2019 - Deloitte's Fast 500 list includes 10 Maryland tech companies

Ten Maryland companies made the 2019 list of the nation's fastest-growing tech firms assembled by professional services firm Deloitte, including Sonatype.

November 5, 2019 - Developers, The Enterprise, and Open Source Security

This series details the thoughts of five DevOps, open source, and security thought-leaders, including Sonatype's Derek Weeks and Brian Fox, to gain a better sense of how developers and enterprises should be interacting with open source software, what they should keep in mind, and the role of community and knowledge-sharing in open source spaces.

October 24, 2019 - Sonatype Nexus Lifecycle and WhiteSource: Buyer's guide and reviews October 2019

An explosive increase in open source usage within enterprise has made it increasingly difficult for companies to track open source components using their traditional methods. Now, it has become necessary to automate the open source management process.

October 18, 2019 - Arm joins forces with UK government in “significant milestone” in designing out cyber threats

A partnership between the UK government and chipmaker Arm to develop new chip technologies that are more resistant to cyberattacks has been welcomed by the cybersecurity industry.

October 16, 2019 - Open Source Vulnerabilities Cut Across Sectors

Large or small, enterprises from all sectors are dealing with the same vulnerabilities in open source code. The difference: the scale of the problem. DJ Schleen of Sonatype discusses insights from the latest ISMG roundtable dinner.

October 14, 2019 - 5 practical ways your organization can benefit from DevSecOps

Behind the buzzword, is there a real need of and value for organizations in exploring DevSecOps? It’s important to understand why DevSecOps matters in this day and age of security breaches and what the pragmatic benefits are for your organization.

October 9, 2019 - Application Security: Why Open Source Components Matter

Derek Weeks, vice president and DevOps advocate with Sonatype, discusses what's changed since the Equifax data breach of 2017, when an unpatched vulnerability in Apache Struts opened the door to an attack, and how CISOs and security leaders need to do more to ensure open source components developers download to build applications don't lead to a similar incident.

October 8, 2019 - Why we need a true measure of application security health

Sonatype's DJ Schleen shares why feelings have no place in application security, and how his new application security health calculation can provide a number that security teams can understand and take action on.

October 8, 2019 - Application Security: Offense Vs. Defense

Sonatype CMO Matt Howard discusses how the conversation highlights the offense vs. defense approaches to securing critical applications.

October 3, 2019 - Tech Titans 2019: Washington’s Top Tech Leaders

The Washingtonian's guide to the most important and innovative people in Washington's digital economy, including Sonatype's CEO Wayne Jackson.

October 2, 2019 - DevOps 100: Top leaders, practitioners, experts to follow

As the DevOps movement continues to make headway into the enterprise, TechBeacon updated its "DevOps 100" list of IT leaders who are driving those changes for 2019 - including Sonatype's Mark Miller and Derek Weeks.

October 2, 2019 - Northern Virginia Technology Council Announces 2019 Capital Cyber Award Winners

On the first day of Cybersecurity Awareness Month, the Northern Virginia Technology Council (NVTC) announced the winners of the inaugural Capital Cyber Awards and named Sonatype Cyber Company Over $25 Million.

October 1, 2019 - Amazon Promotes 'Extremely Creepy' Security Cameras That Can Be Easily Hacked To Spy on You

Security cameras recommended and sold by Amazon come with "huge" security risks, according to a study. An investigation by UK consumer watchdog Which? revealed that cameras with an Amazon Choice tag could be easily hacked.

October 1, 2019 - Amazon Promoted Webcams Vulnerable To Hackers, Warns Which?

Cheap home security cameras, webcams and baby monitors, promoted by Amazon, are riddled with security flaws.

September 28, 2019 - How To Install Latest Sonatype Nexus 3 on Linux

Sonatype Nexus is one of the best repository managers out there. It is a tool you can hardly avoid in your CI/CD pipeline, and it effectively manages deployable artifacts.

September 26, 2019 - Sonatype builds automated malware prevention for open-source libraries

Sonatype has been developing the next-generation of its Nexus Intelligence research engine that automatically detects counterfeit and malicious code injections into open-source software supply chains. 

September 25, 2019 - Growjo Launches Fastest Growing Washington DC Companies Award For 2019

List of the top fastest growing companies in the Washington, DC area in 2019 coming from technology startups, saas and tech security.

September 6, 2019 - What are open-source operating systems? Everything you need to know

The lowdown on what open-source operating systems are and why they matter.

August 28, 2019 - Close Agile open source tools vulnerabilities

Gene Kim, author and DevOps advocate, took a fresh look at the way enterprises use Agile open source components. Kim collaborated with Sonatype on the "State of the Software Supply Chain" report, which examined and documented release patterns of Agile open source tools, along with cybersecurity practices, across 36,000 Java projects and 12,000 enterprise dev teams.

August 22, 2019 - Here's what Elon Musk, Richard Branson, and 53 other successful people ask job candidates during interviews

Many of the most successful people have gotten job interviews down to a science — and they're not in the habit of wasting time with dumb or irrelevant queries. Business Insider shares 53 questions asked by successful executives including Sonatype's Wayne Jackson.

August 21, 2019 - Veristor and Forty8Fifty Labs Partner with Sonatype on Development and Delivery of Open Source Governance

Veristor Systems and Forty8Fifty Labs, the DevOps and software development subsidiary of Veristor, announced a partnership with Sonatype.

August 5, 2019 - The 50 best workplaces for innovators

Most companies these days claim to embrace innovation. Fast Company collaborated with Accenture to identify 50 organizations that actually cultivate big ideas and encourage experimentation - including Sonatype.

July 29, 2019 - 5 ways to shift your app sec team's focus to the supply chain

Dealing with software supply chain threats requires that developers put renewed focus on ensuring the integrity of both their internal code and any third-party code they incorporate into their programs, software security experts agree.

July 18, 2019 - 2019 State of the Software Supply Chain Report: 5 key takeaways

Today, businesses that are racing to deliver better value to their customers—and differentiate from competitors—are embracing Edwards Deming's principles within their open-source-based software development practices. As software has become the last path to differentiation in most competitive industries, practices are evolving, from artisan-based creations to those that more closely resemble high-velocity parts assembly.

July 5, 2019 - State of the Software Supply Chain: Secure Coding Takes Spotlight

After almost a year of research that involved studying 36,000 open source software projects, 12,000 enterprise development teams and 3.7 million open source releases, we at Sonatype are excited to share the “2019 State of the Software Supply Chain” report.

July 1, 2019 - The Truth About Your Software Supply Chain

Open source components help developers innovate faster, but they sometimes come at a high price.

June 27, 2019 - Equifax's code downloaded more after breach

In 2017, hackers entered Equifax using a vulnerability in the open source Apache Struts library. And, despite that being one of the largest and best publicized breaches in history, downloads of the vulnerable, unpatched Struts library increased.

June 27, 2019 - Amid Supply Chain Concerns, is Open Source Software Secure?

Is open source software secure? Ask someone in the industry and they may well scoff and ask you “how long is a piece of string?” As with proprietary software (which is certainly not all secure), not all open source was created equal. Yet with Sonatype’s fifth annual State of the Software Supply Chain Report revealing that UK enterprises downloaded over 21,000 software components with a known vulnerability in the last year alone, the question – sweeping though it is – should not be shrugged off.

June 26, 2019 - Good news, bad news in new open source software report

It is possible to manage your open source software supply chain to reduce the risk of vulnerabilities and breaches. The problem is, not everyone is following this advice, according to the 2019 State of the Software Supply Chain Report, which was released yesterday by DevOps automation firm Sonatype.

June 26, 2019 - Report: Code Responsible for Equifax Breach Downloaded 21 Million Times Last Year

The situation highlights the challenge of securing open source software, which underlies virtually every IT system in government.

June 25, 2019 - Report: Not all open-source software is created equal

While open-source software is an integral part of software development today, security continues to be an issue. A recently released report revealed a 71 percent increase in open-source security related breaches over the last five years. In addition, 25 percent of organizations reported a confirmed or suspected open-source software related breach. 

June 25, 2019 - State of the Software Supply Chain Report 2019: Best Practices for Open Source Developers

In addition to best practices around open source projects, various open source components were also examined. The report's findings come from an analysis of 36,000 open source project teams and 3.7 million open source releases.

June 25, 2019 - UK Firms Riddled With Vulnerable Open Source Software

There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.

June 25, 2019 - Vulnerable software components widely used by enterprises

The average UK enterprise has downloaded over 21,000 software components with a known vulnerability in the past year alone, according to new data from Sonatype, the DevSecOps automation specialist.

May 30, 2019 - Open Source Security - How to Defend at the Speed of Attack

Sonatype CMO Matt Howard discusses the relevance and value of this application security conversation. The reason why this topic resonates so well across sectors and regions? "Because software is the last path for differentiation in every industry," Howard says, "and whether you know it or not, every business in the world today is largely a software company."

May 25, 2019 - GDPR one year on -- what have we learned and what happens next?

This weekend marks exactly a year since the introduction of the EU's GDPR legislation shook up the world of data protection and sent businesses around the world into a flurry of compliance activity.

May 25, 2019 - 2019 SD Times 100

The 2019 SD Times 100 recognizes those companies and organizations that are the leaders, innovators and influencers in the software development market. They have flown ahead of the flock with new, innovative projects or by establishing leadership positions, or by influencing how and what we create. Sonatype was named in the Security category.

May 22, 2019 - Inside the Government's Open Source Software Conundrum

How do agencies make sure the crowdsourced code that underlies nearly every piece of tech on the market is safe to use?

May 16, 2019 - Why the WhatsApp hack DOESN'T mean you should stop using the messaging app

WhatsApp's reputation as one of the world's most secure messaging apps took a battering this week, when it emerged that hackers had managed to install spyware on some users' phones by simply calling them through the app.

May 15, 2019 - Sonatype wins 2019 Corporate Growth Award

Maple Lawn-based Sonatype took home the Emerging Growth Company of the Year award during the ACG National Capital’s 2019 Corporate Growth Awards Gala.

May 14, 2019 - Hackers exploited critical flaw in WhatsApp to inject spyware into devices

A critical security vulnerability in WhatsApp allowed malicious actors to inject surveillance malware into users' devices, the online messaging service has revealed, stating that the flaw impacted only a limited number of users.

May 13, 2019 - Frequent Breaches Have Brought Cybersecurity Change To The Forefront. What's Next?

Over the last 20 years, the cybersecurity industry has often said each breach is going to be the wake up call the industry needs. It’s happened so many times that it’s practically a running joke. But now, things are starting to change.

May 1, 2019 - DevSecOps: how can companies embrace it?

Firms are starting to make the development process more secure with DevSecOps. How does it work?

May 1, 2019 - Industry Warns of Flaws as Gov’t Proposes Mandatory IoT Security Labelling

The UK government is mulling plans to introduce a mandatory IoT security labelling scheme – although it is suggesting voluntary implementation to start with – as it launched a five-week consultation that closes June 5.

May 1, 2019 - 50 Great Places to Work in Washington, DC

These employers offer interesting work, great pay and benefits, chances to learn and grow, and a sane work/life balance.

April 21, 2019 - This map shows which states in the US are competing to top California-based Uber's $15.7 billion in equity funding

In this graphic, research firm CB Insights identified the most highly funded companies in each of the 50 states, plus Washington, D.C. Sonatype was named the most highly funded company in Maryland.

April 20, 2019 - Epic DevSecOps fails: 6 ways to fail the right way

No one likes to fail; we'd much rather succeed than not. Failure, though, is part of the human condition—and, as a new book says, maybe we're better off because we can't avoid it, wrote Sonatype's Mark Miller, editor of a new 180-page book from DevSecOps Days Press titled Epic Failures in DevSecOps.

April 19, 2019 - NCSA and NASDAQ Advise Risk Managers to Look ‘Beyond IT’ Following a Breach

Sonatype's Tyler Shields discusses “Incident Response and Recovery” at the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit.

April 18, 2019 - The tech CEO who sold a startup for $1 billion and has just raised $80 million for another reveals his 4 secrets for raising money

Wayne Jackson is a veteran tech entrepreneur who has overseen a billion-dollar sale and raised hundreds of millions in funding rounds. Speaking to Business Insider, Jackson revealed his four secrets to raising finance from investors.

April 17, 2019 - DevOps Chat: Forrester Wave Leaders Discuss SCA

Forrester recently released its “Forrester Wave Software Composition Analysis SCA for Q2 2019,” highlighting the leaders in this fast-growing category. Security Boulevard had a chance to sit down with three of the companies highlighted in the Wave report, including Sonatype, to talk about why SCA is so important.

April 3, 2019 - A CEO who sold a startup for $1 billion, led a big IPO for another, and raised $80 million for a 3rd shares some simple advice on building a tech unicorn

Wayne Jackson sold his first startup for more than $1 billion, led a successful IPO with another firm, and recently raised $80 million for his latest tech venture. He has some simple advice on growing a successful tech business: Find your niche.

March 28, 2019 - Sonatype Partners with HackerOne on Central Security Project

Sonatype announced a partnership with HackerOne to create The Central Security Project (CSP). The program brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components.

March 27, 2019 - The Central Security Project: Vulnerability Reporting for Open Source Java

HackerOne and software supply chain management tool Sonatype have teamed up to help security researchers have a single place to report security bugs with The Central Security Project, a new effort that “brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components.”

March 27, 2019 - New vulnerability reporting platform aims to make open source safer

Vulnerabilities in open source code represent a risk for businesses, but the process of reporting them is cumbersome and that can leave software open to risk. Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process and turn to public lists or social media, where bad actors can easily find the details before fixes are created.

March 26, 2019 - Secure open source components to bypass breaches

As enterprises increasingly turn to open source code to cut dev efforts and costs, IT industry vendors recommend that they secure dependencies and deploy patches to safeguard apps.

March 21, 2019 - Making open source safer

In a significant industry milestone, Sonatype and HackerOne have teamed up to make the open source community safer for all who use it.

March 19, 2019 - 6 Ways Mature DevOps Teams Are Killing It in Security

New survey shows where "elite" DevOps organizations are better able to incorporate security into application security.

March 18, 2019 - Five Questions with… Sonatype CTO Brian Fox

Every Monday morning CBR fires five questions at a C-suite tech industry interviewee - Sonatype's CTO Brian Fox was in the hot seat answering questions about his past, and where he sees the future going.

March 10, 2019 - What Makes a DevSecOps Program Elite?

What's the difference between an elite and a less mature DevSecOps program? Sonatype's Derek Weeks unveils the results of the 2019 DevSecOps Community Survey.

March 6, 2019 - Organizations with mature DevOps practices are far more likely to integrate automated security, report shows

Featuring the responses of more than 5,500 participants, the 2019 DevSecOps Community Survey offers detailed insights into the DevOps and DevSecOps ecosystem.

March 5, 2019 - 26% of firms suffered breaches in 2018 due to vulnerable open source components

The lack of open source governance programmes, the inability of a large number of organisations to implement elite DevSecOps programmes, and the inability of organisations to impart application security training to employees have resulted in a 71 percent rise in open source breaches over the past five years.

March 4, 2019 - Survey Finds Mixed Progress on DevSecOps

A survey of 5,558 IT professionals published today by Sonatype in collaboration with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit and Twistlock finds 27 percent of organizations have mature DevOps practices in place, while another 48 percent are still working on improving them.

March 5, 2019 - The patterns of elite DevSecOps practices

As DevOps practices are maturing rapidly, organizations with elite DevSecOps programs are automating security earlier in the development lifecycle and managing software supply chains as a critical differentiator to their competitors.

March 5, 2019 - DevSecOps steps in for companies that don't have time to dedicate to security

For the last three years, half of developers have agreed security is important, but they don't dedicate enough time to it, according to Sonatype's 2019 survey of more than 5,550 IT professionals.

March 4, 2019 - Open source breaches increase 71% in five years

There has been a surge in open source breaches over the past five years, with just over a quarter of companies reporting a confirmed or suspected breach in the past year alone.

March 4, 2019 - Open source software breaches surge in the past 12 months

Security breaches related to open-source security projects are on the rise and a lack of time being made available to developers to resolve vulnerabilities is believed to be to blame.

March 4, 2019 - Quarter of Firms Suffer Breaches via Open Source Components

Security breaches linked to open source software components have risen by 71% over the past five years, as securing applications continues to be a challenge for many organizations, according to Sonatype.

March 1, 2019 - 19 open source software-related startups that will blow up in 2019, according to VCs

Open source continues to proliferate. Sonatype helps take open source into the enterprise, allowing enterprises to govern it with things like security policies. Enterprise adoption of open source is accelerating and so will Sonatype.

February 28, 2019 - DevOps Chat: Repos and Nexus Firewall Access, with Sonatype

There are really only two repositories of any scale for software components today: the Nexus repo managed by Sonatype and the Artifactory artifact repo managed by JFrog. In a big move toward keeping DevOps open and secure, the Sonatype people have released a plugin that will allow their Nexus Firewall to work with Artifactory as well as Nexus.

February 26, 2019 - Kenna Security and Sonatype Partner for Open Source Vulnerability Intelligence

Kenna Security and Sonatype have announced a partnership to provide risk assessment and vulnerability intelligence for open source projects.

February 25, 2019 - Detecting vulnerabilities in third-party dependencies of your organization

Whether you’re a developer, a CTO or a tech lead, I bet you have at some point faced a dilemma of adding a third-party dependency to your software. With all the benefits, they sure do come with some obvious trade-offs. Enter Sonatype Nexus.

February 25, 2019 - DevOps Chat: The Business of Security and DevSecOps, with Sonatype’s Tyler Shields

Tyler Shields is someone who has made the leap from technical security expert to business leader. At Veracode, CA and now Sonatype, Tyler is someone who can clearly enunciate the path forward for business leaders on what they should be doing in regard to DevSecOps, open source security and minimally viable security.

February 13, 2019 - Dark Web Data Dump Sees 620 Millions Accounts from Hacked Websites Go on Sale

“A number of the breached sites failed to disclose the attacks, indicating that they weren’t aware of the hack, or opted not to reveal it, and thus could fall foul of GDPR and be subject to serious fines. Either way, it’s likely to be concerning for consumers, who will bear the brunt of the attacks,” said Ilkka Turunen, global director at software firm Sonatype.

February 1, 2019 - These Maryland companies received the most venture capital funding in 2018

Details of the top five venture capital recipients in Maryland, ranked by funding received last year.

February 1, 2019 - Billion-dollar year: Maryland builds venture capital momentum with record-breaking 2018

Propelled by the injection of funding, Sonatype had a “record 2018” which included a 67 percent increase in new business sales, a 132 percent customer net renewal rate, 211 new enterprise customers and a 50 percent increase in employees. Looking into 2019, the company expects to see at least 50 percent year-over-year growth across the company, as it expands product offerings and continues to scale its team.

January 30, 2019 - 65 Fortune 100s Downloaded Flawed Apache Struts

Despite Apache Struts releasing multiple updates to its software in the nearly two years since the Equifax breach, Sonatype published research which found that between July and December 2018, two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was used in the infamous breach.

January 29, 2019 - Most of the Fortune 100 still use flawed software that led to the Equifax breach

Sonatype, which already works with Fannie Mae and Tomitribe, announced Tuesday a new working relationship with Equifax to monitor the use of the credit agency’s open-source libraries across its network to help prevent another breach.

January 29, 2019 - Vulnerable software that helped cause Equifax breach still being used by major U.S. corporations

On Tuesday, Sonatype announced that the company would be partnering with Equifax in order to help the credit reporting agency prevent future breaches. The company will monitor Equifax’s network-wide open source libraries.

January 28, 2019 - 2019 DevSecOps Predictions

2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is.

January 25, 2019 - Billion-dollar babies: Greater Washington's unicorns in the making

The Washington Business Journal takes a look at the small handful of up-and-coming companies in the Washington area, including Sonatype, that have broken out of the pack and have a real shot at leaping to unicorn status. They are all valued at more than $250 million — and, by all accounts, are growing.

January 18, 2019 - Tech firms reject no-deal Brexit and pivot towards ‘people’s vote’

Sonatype's vice president for international, Wai Man Yau, said the EU has been the driving force for some of the most crucial pieces of digital legislation, such as the General Data Protection Regulation (GDPR), and that the UK risks being left behind. "No government would want to risk the security of businesses and citizens," he said, "and so both the UK and the EU nations have a vested interest in working together to boost cyber security levels."

January 10, 2019 - The 8 Best GitHub Integrations to Look at in 2019

Sonatype’s DepShield is another free tool for scanning your repos for open-source vulnerabilities. It checks your repo against the Sonatype OSS Index and opens GitHub issues with details about any problems it finds.

January 10, 2019 - Sonatype Set To Expand On a Successful 2018

Following an outstanding 2018 for Sonatype, Inc., company CMO, Matt Howard & CFO, Dave Miller join Olivia Voznenko at the Nasdaq to share the inside scoop behind Sonatype's successful 2018. Also, they discuss what the year 2019 has in store for Sonatype just before ringing the closing bell.

January 04, 2019 - GitHub Security for Repositories: Comparing WhiteSource Bolt, Snyk, DepShield, and GitHub Alerts

Sonatype DepShield is a free GitHub app which can automatically identify vulnerabilities in open source dependencies. DepShield enables GitHub developers to take essential governance and security measures into their own hands. DepShield is powered by Sonatype's OSS Index and integrates publicly available open source vulnerability data into GitHub's public repositories. This allows developers to identify, and eventually fix, possible issues as soon as possible.

December 21, 2018 - 2019 Cyber-Security Predictions - Pandora's Box of Ills - But Hope Remains

"2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75 percent of developers will begin expecting security intelligence about their code to come from GitHub plugins - and across the development lifecycle. AppSec must live where developers live, and developers must understand security. 2019 will usher this in as a non-negotiable business imperative. … 2019 will set in motion a massive three to five year transformation that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps." – Derek Weeks, VP and DevOps Advocate, Sonatype.

December 21, 2018 - US Energy and Commerce Committee: 6 Strategies for Modern Cybersecurity Risks

On the 12th of December, following the comprehensive timeline report detailing what happened during the Equifax breach, the Subcommittee on Oversight and Investigations released an additional report identifying the core strategies organizations can take to address modern cybersecurity risks. Following the increase both in security disclosures and events, the Energy and Commerce subcommittee set about identifying what the common characteristics of these security events are and what, if any, priorities organizations can set from a strategic perspective to control and address these risks going forward.

December 17, 2018 - Equifax Data Breach

Sonatype's Bill Karpovich appeared on Fox Business News to discuss the recent House report on the Equifax breach published by the Energy and Commerce Subcommittee on Oversight and Investigations.

December 13, 2018 - The 2019 Career-Launching Companies List

Every year, we select the private information technology companies we believe have enough momentum to become very large and successful businesses. We produce this annual list to surface the businesses that have product-market fit and the greatest long-term prospects.

November 30, 2018 - Open Source Software is Under Attack; New Event-Stream Hack is Latest Proof

The open source community is under attack as hackers grow bolder than ever.

Earlier this year, I detailed a new battlefront for open source software based on the fact that bad actors are increasingly polluting public wells like npm, which millions of thirsty developers drink from — to the tune of 6 billion downloads per week — and which was recently compromised when a bad actor injected malicious code into the popular JavaScript component, event-stream.

November 7, 2018 - The Key to Enterprises Remaining Competitive is Safe Open Source

Enterprises cannot want to transform but be resistant to change, especially when it comes to adopting and integrating open source.

October 30, 2018 - Here's Why Software Developers Are Worried About IBM's $34 Billion Acquisition of Red Hat

“[IBM pledging support for Linux] was a major move towards legitimizing this movement,” Bill Karpovich, EVP of open source software firm Sonatype and a former executive for IBM Cloud, told Business Insider. “[IBM has] always had a business model that supports open source…They’re putting their money where their mouth is. With this acquisition, they certainly are putting big dollars on the open source model.”

October 15, 2018 - UK Government Launches IoT Code of Practice: Industry Experts React

The UK government has launched a voluntary Code of Practice for internet-connected devices. The IoT Code of Practice is a world first and aims to boost the security of devices such as smart watches and virtual assistants.

October 11, 2018 - The Tech Supply Chain is More Vulnerable Than Ever

A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley explain how Chinese spies infiltrated nearly 30 U.S. companies by including compromised microchips in Supermicro motherboards, which those companies then used across data centers. Once installed in the data centers, those microchips could be accessed by the bad actors who could then control the motherboards from afar. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.” Regardless of whether the Bloomberg story is valid, supply chain attacks are already happening in the wild, and this should be a wake-up call for all of us.

October 8, 2018 - Funding Roundup: DC-Area Startups Raised $120M in September

September was quiet volume-wise for District term sheets, but some high-value deals moved big chunks of money into the local startup scene. At least 10 D.C.-area startups raised a combined $120 million in funding, led by a massive venture round by Maryland software company Sonatype.

October 4, 2018 - Dangerous New Trend in Open Source Vulnerability

A new report from Sonatype has revealed a dangerous new trend where hackers are capitalising on the popularity of open source and injecting vulnerabilities directly into open source components.

September 26, 2018 - 2018 Has Been Open Season on Open Source Supply Chains

As the number of open source components used in software supply chains shoot up, hackers are going along for the ride. Increasingly threat actors are planting bad code in open-source repositories in the hopes to harvest the flaws later when used in larger banking, manufacturing and healthcare DevOps projects.

September 26, 2018 - A Look at the Sonatype State of the Software Supply Chain Report

Sonatype today released its fourth annual State of the Software Supply Chain report which found that software developers downloaded more than 300 billion open source components in the past 12 months and that 1 in 8 of those components contained known security vulnerabilities.

September 25, 2018 - Open-Source Software Supply Chain Vulns Have Doubled in 12 Months

Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach. Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components over the last 12 months.

September 7, 2018 - TPG Leads $80 Million Investment in Governance Software Provider Sonatype

TPG is leading an $80 million minority-stake investment in software developer Sonatype Inc. The investment round included participation from Accel, Goldman Sachs Group Inc. and Hummer Winblad Venture Partners, according to a press release. Sonatype, of Fulton, Md., runs a repository of open-source components developers can download and integrate into new software. Customers for its components include technology professionals in the government, financial services, technology, health-care and manufacturing sectors, according to the firm’s website.

September 7, 2018 - Sonatype picks up $80 mln in TPG-led round

Fulton, Maryland-based Sonatype, a provider of automated open source governance, has secured $80 million in funding. TPG led the round with participation from Accel, Goldman Sachs Group and Hummer Winblad.

September 7, 2018 - Two Peas In A Pod: Masterclass And Sonatype Each Raise $80M

While they may not qualify as the supergiant rounds that we’ve tracked lately, Masterclass and Sonatype each raised significant amounts of capital from investors this week, helping us to understand their respective categories: edtech and software security.

September 7, 2018 - Maryland cyber firm Sonatype raises $80 million from Silicon Valley investors

Sonatype, a Maryland-based cybersecurity company, announced Friday that it has raised $80 million from investors. The funding round was led by San Francisco-based private equity fund TPG Growth, with participation from Accel, Goldman Sachs and Hummer Winblad.

September 7, 2018 - Sonatype Raises $80 Million to Build Out Nexus Platform

Sonatype, a cybersecurity-focused open-source company, has raised $80 million from investment firm TPG. The company said the financing will help extend its Nexus platform, which it touts as an enterprise-ready repository manager and library, which among other things tracks code and helps to keep everything in the devops pipeline up-to-date and secure.

September 7, 2018 - Exclusive: Sonatype announces $80 million investment

Sonatype, a company that helps companies build more secure software, will be announcing an $80 million funding round led by TPG.

September 7, 2018 - Sonatype lands $80M in funding. We ask the CEO: Could an IPO be next?

The funding is a minority investment led by TPG, a San Francisco private equity firm with $84 billion under management, with additional participation by existing investors Accel, Goldman Sachs Group and Hummer Winblad.

August 15, 2018 - More than 60 Greater Baltimore companies make Inc. 5000 list

More than 60 Greater Baltimore companies made this year's Inc. 5000 list of the nation's fastest-growing businesses.

August 14, 2018 - Sonatype offers developers free security scan tool on GitHub

Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.

July 26, 2018 - Open Source Vulnerability Index Containing 140,000 Vulnerabilities Launched by Sonatype

Sonatype operates on the principles of better, safer, and faster delivery with software supply chain automation. The company acquired the OSS Index last year and has now launched an automated and re-designed Open Source Software Index that provides developers with information on OSS dependencies and vulnerabilities for more informed product development.

July 24, 2018 - Fine-tuning the complexities of IT governance

When it comes to governance, risk and compliance (GRC), it seems the world is constantly playing catch-up.

June 26, 2018 - 10 Best Tech Startups in Maryland

The Tech Tribune staff has compiled the very best tech startups in Maryland. In doing our research, we considered several factors including but not limited to:

  1. Revenue potential
  2. Leadership team
  3. Brand/product traction
  4. Competitive landscape

June 25, 2018 - What the DevSecOps 2018 Survey Results Really Mean for Developers and Security

The 2018 DevSecOps Community Report is out and for those following the growth of DevOps and its subsequent drive into the security community, under the moniker of DevSecOps, the results won't be surprising. In fact, I set out to write some hot-takes from the report that would really dig into an existential evaluation of security in a DevOps world, but in the end, the takeaways from the report are far more pedestrian. Don't read that as not meaningful — in fact, I think the survey results are very meaningful and informative for our path forward.

June 21, 2018 - Innovation at the expense of security

For every company in every industry, competition is as likely to come from an unknown startup as it is from long-established rivals. In the modern economy, if you’re not innovating fast enough, you’ll get run over by someone who is. Just ask broadcast and cable television companies about Netflix. Ask Hilton and Marriott about Airbnb. The fear of death can be a powerful motivator.

June 15, 2018 - Ernst & Young Entrepreneur of the Year Awards Gala Winners

On June 14, entrepreneurs of the greater Washington area came together in celebration of their accomplishments for the 2018 EY Entrepreneur of the Year Mid-Atlantic Awards at the Ritz Carlton in Tysons Corner.

June 15, 2018 - 3 Maryland companies vie for national EY Entrepreneur of the Year Awards

Three Maryland companies will go on to Palm Springs, California, to vie for the national title of EY Entrepreneur of the Year, after winning awards for the mid-Atlantic region.

June 9, 2018 - A Healthy DevOps Toolchain — Electric Cloud

DevOps toolchains, often comprised of existing or acquired software tools, are critical for rapid, reliable and efficient application delivery. Having an integrative, holistic approach to tooling fosters team interaction. These tools working together provides a dramatic improvement to the application lifecycle.

June 8, 2018 - Microsoft and GitHub: A Great Step Forward for DevOps

Microsoft just announced the acquisition of GitHub. What does this mean for developers, companies, the DevOps market, and CloudBees?

June 7, 2018 - 6 tips for leading virtual teams

Today's workforce is distributed - across multiple small offices, embracing employees who work from home, and spread across continents - and IT has always been at the forefront of that change, enthusiastically embracing the new communication technologies that make this practice possible. But the tools and techniques we use to manage a remote workforce and forge them into a team when they don't meet at the coffee machine every day are still, in some ways, in their infancy. And, often, they don't help overcome certain obstacles.

June 6, 2018 - DevOps Security: It’s Everyone’s Responsibility Now

DevOps is intended to dramatically increase the pace of application development and support. This is expected to allow more mistakes to get through to production environments, but that’s OK because they can be corrected right away rather than have to wait for the next development cycle to play out.

June 5, 2018 - The industry reacts to Microsoft’s acquisition of GitHub

Yesterday, after days of speculation, it was confirmed that Microsoft would acquire GitHub for $7.5 billion.

June 4, 2018 - Strutting' Past the Equifax Breach: Lessons Learned

In hindsight, there were two likely causes for last year's massive breach: the decision to use Apache Struts, and a failure to patch in a timely fashion. Both are still a recipe for disaster.

June 4, 2018 - Microsoft to acquire GitHub for US$7.5 billion

Microsoft has announced that it will be acquiring GitHub for US$7.5 billion in an all-stock transaction, representing the tech giant’s largest purchase since professional networking site LinkedIn in 2016 for US$26.2 billion.

June 4, 2018 - "We're all in on open source": Microsoft buys GitHub

Microsoft has acquired the software development platform GitHub for $7.5bn in stock, it was announced today. The deal is due to be completed by the end of the year.

June 1, 2018 - SD Times 100 2018: It’s a celebration!

The 2018 SD Times 100 is here, and we celebrate the achievements of these companies as they take or retain their position as thought leaders and influencers in the software development industry.

May 31, 2018 - How to lead a virtual team: 5 keys for success

The days of workplaces located in a single office are done. Today's workforce is distributed — across multiple small offices, embracing work-at-home-employees, and spread across continents — and IT has always been at the forefront of that change, eagerly embracing new communications technologies that make it possible. But we're only a few years into this shift, and the tools and techniques we've used to manage a workforce and forge them into a team when they don't meet at the water cooler every day are in some ways still in their infancy.

May 30, 2018 - Feeling secure enough to use open source for IAM projects

Identity is big, really big, especially when it is customer-facing. There are a lot of moving parts to build, pieces to hook up, and external functionality to integrate. The whole makes the identity ecosystem which was once a dream of a few but is fast becoming a reality for many.

May 26, 2018 - Kubernetes Security Best Practices

Kubernetes (K8S) is an open-source container orchestration tool that can automatically scale, distribute, and handle faults on containers. Originally created by Google and donated to the Cloud Native Computing Foundation, Kubernetes is widely used in production environments to handle Docker containers (although it supports other container tools such as rkt) in a fault-tolerant manner.

May 24, 2018 - Navigating the container security ecosystem

SJ Technologies partnered with Sonatype for the DevSecOps Community 2018 Survey. The survey was wildly popular, receiving answers from more than 2,000 respondents representing a wide range of industries, development practices, and responsibilities. One-third of respondents (33%) came from the technology industry, and banking and financial services was the second most represented group (15%). 70% of all respondents were using a container registry. With so many respondents utilizing containers, a deeper dive into container security is in order.

May 23, 2018 - Save the Date: Ernst & Young Entrepreneur of the Year Awards Gala, June 14

EY has announced the finalists for the Entrepreneur of the Year 2018 Award in the Mid-Atlantic Region. The awards program recognizes entrepreneurs excelling in areas such as innovation, financial performance and personal commitment to their businesses and communities.

May 23, 2018 - 14 Maryland Companies Named To Annual Cybersecurity 500

Cybersecurity Ventures has released its first annual Cybersecurity 500 list, including 14 of Maryland’s hottest and most innovative companies.

May 18, 2018 - Maryland Tech Council Announces Winners of 30th Annual Industry Awards

The Maryland Tech Council (MTC), Maryland’s largest technology trade association, announced the winners of its 30th Annual Industry Awards during a celebration and ceremony at The Hotel at the University of Maryland attended by more than 550 business leaders from around the state.

May 17, 2018 - 4 Great Experiences from DevNet Create 2018 – MachNation

May 16, 2018 - Continuous Discussions Video Podcast: DevSecOps, Best Practices and More - DevOps.com

In a recent episode of the Continuous Discussions (#c9d9) podcast, a group of industry experts discussed why DevSecOps is officially more than just a buzzword, tips on how to get everyone in the organization to own security and some of their own challenges and experiences baking security into the software delivery pipeline.

May 11, 2018 - Unprepared for GDPR? 3 steps you can take now

In two weeks GDPR will become law. Unfortunately, far too many organisations are ill-prepared when it comes to their compliance readiness. The first large-scale breach following 25th May will demonstrate just how unprepared the industry is when it comes to their cybersecurity hygiene.

May 11, 2018 - Open Source Developers And Infrastructure Are The New Front Line Of Security

To succeed in today's marketplace, companies need to innovate, driving everyone from tractor manufacturers to airlines to become software development shops. The pace of innovation precludes building everything from scratch, resulting in 80-90% of a modern application consisting of open source components. This translates to global downloads of open source components in the tens of billions.

May 11, 2018 - Open Source: Is Your DevOps Org Vulnerable to an Equifax-Style Hack?

More than half of the Fortune 100 could be at risk of falling prey to the same kind of hack that caused devastation at Equifax last year, and it all comes down to poor open source component governance.

May 9, 2018 - Open source vulnerabilities boost DevSecOps investments

Last year's huge security breach in the systems of US-based credit reporting agency Equifax was not a once-off anomaly of poor cyber hygiene.

May 9, 2018 - Companies Still Downloading Flaw that Led to Equifax Breach

The flawed software that led to the data breach at Equifax Inc. is still being downloaded and used at thousands of companies, raising concerns that proliferation of unpatched versions could lead to greater exposure to cyberattacks.

May 8, 2018 - Equifax Update Clarifies Breach Details to SEC

Under-fire credit reporting agency Equifax has released updated figures clarifying the types and volumes of data stolen in its massive 2017 breach.

May 8, 2018 - Thousands Of Customers Using Flawed Software That Led To Equifax Breach

Despite the Equifax breach that exposed the personal data of more than 145 million Americans, Fortune is reporting that thousands of companies have the same computer security holes in their networks that place the sensitive data of consumers at risk.

May 8, 2018 - Equifax: US Breach Victim Tally Stands at 146.6 Million

Equifax said on Friday that in response to requests for additional information, it's shared more breach details with several U.S. Congressional committees. Notably, the data broker said that its breach investigators found that consumers had uploaded images of various government-issued identity documents that were exposed in the attack, including 38,000 driver's licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports.

May 7, 2018 - Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax

When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.

April 25, 2018 - Three Providers of Agile Code Development Technologies Named IDC Innovators

International Data Corporation (IDC) today published an IDC Innovators report identifying three technology providers that are considered key emerging vendors in the agile code development market. The three companies named as IDC Innovators are CloudBees Inc., GitLab Inc., and Sonatype, Inc.

April 23, 2018 - The state of cybersecurity: DevSecOps gets real at RSA

If there was one key takeaway for developers from RSA 2018, the cybersecurity industry's massive gathering in San Francisco that ended last week, it was that organizations are shifting security "left" in earnest.

April 21, 2018 - DevOps practices more likely to integrate automated security

Sonatype published findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions.  Survey respondents with mature DevOps practices were 338% more likely to integrate automated security than organizations with no DevOps practice.

April 20, 2018 - Trust: The Secret Ingredient to DevSecOps Success

As evident by the speaker tracks and hallway discussions here this week at the RSA Conference, the marriage of DevOps and security principles driving the DevSecOps movement is finally gaining traction in the security community.

April 19, 2018 - The 10 Top Funded Cybersecurity Companies in the D.C. Metro Area

Cybersecurity has long been said to be a hot industry in the D.C. metro area. In a three-year period from 2011 to 2014, the D.C. metro area saw three cybersecurity acquisitions totaling $4.1 billion. And currently, there are more than 77,500 filled cybersecurity jobs in the D.C. metro area, and another roughly 41,700 job openings in the field, according to records maintained by the Commerce Department’s National Initiative for Cybersecurity Education.

April 18, 2018 - Survey: Sonatype Illustrates the Importance of DevOps Security

IT professionals are recognizing the weaknesses of DevOps and are looking for ways to improve. Security is the main gripe many people have. This has led to increased popularity in DevSecOps. Sonatype recently released a survey where they talked with over two thousand IT professionals about DevOps and where they utilize security.

April 17, 2018 - Devs know application security is important, but have no time for it

Sonatype polled 2,076 IT professionals to discover practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions, and the results of the survey showed that breaches related to open source components grew at a staggering 50% since 2017, and 121% since 2014.

April 17, 2018 - How the changing security landscape is forcing cloud providers to respond

The RSA Conference in San Francisco is a hotbed of news, analysis and reports on the security industry, with research from the Cloud Security Alliance (CSA) and automation software provider Sonatype being of particular interest.

April 17, 2018 - Major companies at risk from data breach that hit Equifax?

Sonatype President Bill Karpovich on concerns other companies are vulnerable to the same cyber attack as Equifax.

April 16, 2018 - Large scale data breaches provide drive for DevSecOps investments

Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps automation specialist Sonatype.

April 16, 2018 - DevOps May Be Cause of and Solution to Open Source Component Chaos

Modern software development is trending more toward a componentized approach because developers would rather assemble something using a variety of well-built pieces of third-party code than reinvent the wheel every time they create something new. The approach has done wonders for speed and agility, but it's increasing a lot of enterprise attack surfaces because too few organizations are keeping up with the vulnerabilities these components pose.

April 16, 2018 - Developers Outnumber Security Pros 100:1 as Breaches Grow

Breaches related to open source components in applications have soared by 50% since 2017, according to a new study from Sonatype urging developers to adopt DevSecOps practices.

April 16, 2018 - Application breaches jump 50pc as DevOps security bites

A new survey from Sonatype has revealed that DevOps teams are automating security 338 per cent more often as open source breaches jump by 50 per cent. The firm published the findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals, which shared practitioner perspectives on evolving DevSecOps practices, shifting investments and changing perceptions.

March 29, 2018 - 4 million open source security flaws identified

Within a month of launching a scan for known vulnerabilities in JavaScript and Ruby libraries, the GitHub code repository site identified an incredible 4 million security flaws in the half-a-million repositories on its platform.

March 27, 2018 - Can the Washington D.C. Metroplex Become a Major Hub for Cybersecurity Startups?

For many years, technology startup activity in the metropolitan Washington D.C. area has been respectable but very narrowly focused. Most of these startups, including cybersecurity companies, have traditionally targeted the federal government as their primary customer because the government has always been a much easier sell than the broad commercial market.

March 26, 2018 - Sonatype Open Sources Next Generation Firewall for Developers

Sonatype, a provider of development and operations (DevOps) tools designed to help organizations automate their software supply chains, now offers its Nexus Firewall to developers using the open-source version of its Nexus Repository software storage, distribution and organization tool.

March 25, 2018 - ​FOSSA: Open-sourcing open-source license management

No one ever became a programmer so they could manage open-source licenses. But that's what many developers must do these days. Black Duck Software, the open-source software logistics and legal solutions provider, and North Bridge found in 2015 that 66 percent of companies create open-source software. That's great, but all that code comes with a wide variety of licenses, each with its own set of requirements. What's a developer or company to do?

March 24, 2018 - It’s time to regulate: The U.S. must make software companies liable for breaches

The software industry has failed to sufficiently protect the public from data theft and misuse. It’s time for the U.S. government to get serious about regulation.

March 19, 2018 - Exciting Jobs with the Fastest Growing Pay

Looking for a new gig and not willing to take a pay cut? You’re in luck. There are a handful of jobs that boast solid median base pay as well as a strong track record of pay growth. Glassdoor’s Local Pay Reports show that there are now a wide variety of positions that have been seeing big increases in pay from year to year (and even month to month).

March 15, 2018 - DevSecOps - It's Not Me or You, It's WE!

Next month, we're proud to participate in two special events focusing on DevSecOps. Ahead of DevSecOps Days and our webinar with John, we wanted to share some tips and emerging trends for DevSecOps that experts shared on another industry panel - the one held at the recent DevOps Enterprise Summit in San Francisco 2017.

March 15, 2018 - This Week in Spring: Even More Spring Boot 2

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I’m in blizzard-besieged Boston, Massachusetts, for the epic Spring One Tour Boston event. Unfortunately, due to this crazy snow storm/blizzard, the event’s been postponed one day as we all grapple with the weather. Hope you were able to join the Spring Boot 2.0 launch webinar! If not the replay will be available here and don’t forget to check out the launch blog!

March 15, 2018 - Has DevSecOps succeeded in what it was created to accomplish?

At this point, the concept of DevOps should be familiar to everyone. But with the rise of cybersecurity attacks, organizations have seen the need to incorporate security into the mix. Thus, the idea of DevSecOps.

March 13, 2018 - Inside the distros: A year in Linux development

Linux will turn 30 in three years. We look at how far the major Linux distributions – or distros – have come over the past year and what they might be able to bring in the future.

March 8, 2018 - Inside Crypto Miners' Hack at IBM

More and more people are mining cryptocurrency to cash in on the craze. But some are actually hacking into computers to leverage other people's mining power. Sonatype's Senior Vice President Bill Karpovich explains the danger of these miners and how hackers exploited IBM several years ago.

March 8, 2018 - Is 2018 the Year of Crypto-Jacking?

“If 2017 was the year of ransomware, 2018 is going to be the year of crypto-jacking,” said Bill Karpovich, Vice President of strategy at software security company Sonatype.

March 8, 2018 - Security by design: greater need for governance?

Hot on the heels of the French legislators, the government in the UK is now announcing tougher guidelines for device manufacturers in its Security by Design review. Crucial here is the move to build security into smart devices from the very beginning and to ensure software is automatically updated.

December 13, 2018 - BitPay's Copay Wallet Was Compromised - Why and How Did This Happen?

Sonatype’s CTO Brian Fox talks to TEISS on how and why BitPay’s Copay wallet was compromised, why it’s new territory, and what the industry as a whole should be doing to secure its software supply chains to make sure it doesn’t happen again.

March 7, 2018 - Government calls for revamp in IoT security; will manufacturers listen?

Amid rising concerns about the security of IoT devices, the government today announced its intent to make manufacturers of IoT devices responsible for the security of their products, while also proposing new rules to ensure that buyers are aware of security features in such devices at the time of purchase.

March 6, 2018 - Open Source: A revolution in technology, business and society

Free and open source software is far more than just another way to develop code. In fact, the rise of the open source revolution represents a fundamental change in the way we use information to create a better world.

March 5, 2018 - Building Open Source Security into DevOps

DevOps is a philosophy of IT operations that binds the development of services and their delivery to the core principles of W. Edwards Deming’s points on Quality Management. When applied to software development and IT organizations, Deming’s principles seek to improve the overall quality of software systems as a whole.

March 2, 2018 - One in Eight Open Source Components Contain Flaws

The number of buggy open source components downloaded in the UK has soared by over 100% over the past year, according to new research from Sonatype. The DevSecOps automation firm revealed that one in eight open source components downloaded in the country last year contained known security vulnerabilities – a 120% year-on-year increase.

February 28, 2018 - Maryland firms, executives are finalists in tech council awards

The Maryland Tech Council announced the finalists for its 30th anniversary industry awards.

February 27, 2018 - Sonatype’s Mark Miller and Derek Weeks – All Day, Every Day, DevOps

DevOps Radio is a CloudBees-sponsored podcast series. Hosting experts from around the industry, the show dives into what it takes to successfully develop, deliver and deploy software in today’s ever-changing business environment. From DevOps to Docker, each episode features real-world insights and a few stories, tips, industry scoop and more.

February 26, 2018 - France to hold software manufacturers accountable for security flaws

The French government has drawn up proposals to hold software manufacturers accountable for security vulnerabilities. The proposed legislation would make manufacturers liable for the security of a product while it is on the market, and with the possibility of requiring its software to be made open-source at end-of-life.

February 16, 2018 - Citizen developers push the pace in BizDevOps

The concept of BizDevOps is about bringing business leaders, developers and operations teams together to more quickly create and deploy software. Recent trends in BizDevOps include the introduction of low-code/no-code development platforms, a process that brings more productivity to the equation and enables business analysts and so-called citizen developers to have a bigger hand in building applications.

February 14, 2018 - Interview with Mike Hansen, Head of Product Development and Engineering for Sonatype

"I was an individual contributor for the first 10 years of my career. I loved writing software, especially network software, wrangling with complex problems in pursuit of the simplest possible solutions. While I was a good (not great) software developer, I suspected I might be a better leader."

February 13, 2018 - What Must Change In Wake of Spectre and Meltdown Scandal

When Intel CEO Brian Krzanich took to the stage at CES in Las Vegas, he could have been forgiven for wanting to be anywhere else in the world. Just days before the world’s biggest tech show got underway, it was revealed that almost all PCs, Macs and mobile devices were at risk of being hacked due to a pair of vulnerabilities that existed in an alarming number of Intel, AMD and ARM-produced chips.

February 7, 2018 - As data protection laws strengthen open-source software governance becomes critical

As new local and international data protection laws come into force, organisations running high-velocity software development practices must tighten up their governance and risk-management policies, or run the risk of facing severe legal penalties.

January 24, 2018 - Skype, Slack and Signal Vulnerable to Critical Framework Bug

Hundreds of software applications built using the developer framework called Electron may be vulnerable to a remote code execution flaw, according to developers of the framework. Impacted are dozens of popular Windows applications such as Microsoft’s Skype for Windows, Slack and the Signal secure messaging application.

January 23, 2018 - Third Annual DevOps Dozen Winners Announced

We are very pleased to announce the winners of the third annual DevOps Dozen Awards. In many ways this year was a watershed year for the DevOps Dozen, as the process of selecting, voting and choosing the winners was much more refined and mature. In each of the 12 (it is a dozen, after all) categories the winners were absolutely deserving of the award and recognition.

January 5, 2018 - Intel Chip Flaw

Following the news that a fundamental design flaw in Intel’s processor chips, dating back to 1995, would allow an attacker to read protected memory, IT security experts commented below.

January 4, 2018 - Six cruel truths for CIO, Part 4

Very often you can hear arguments about viruses and other malware. Much less often do you hear talk about upgrading systems, patching software and replacing versions. Here, as a rule, the principle of "if it works, don't touch it" is professed. Yet it is precisely this malware that keeps finding new holes in system and application programs.

December 19, 2017 - The Rise of Software

At the end of the second quarter of 2017, of the top ten most valuable public companies seven were tech companies, while five were software companies. These five companies represented close to $3 trillion in market cap. Apple and Amazon, the other two, clearly have their share of software assets.

December 19, 2017 - Businesses Open to data protection by design to fully comply with GDPR

With GDPR coming into play in May 2018, companies doing business in the EU face the prospect of fines and damaged reputations if they cannot prevent vital corporate and customer data from falling into the wrong hands.

December 18, 2017 - Hackers use NSA exploits to mine Monero

Zealot campaign used EternalBlue and EternalSynergy to mine cryptocurrency on networks. Security researchers have found a new hacking campaign that used NSA exploits to install cryptocurrency miners on victims' systems and networks. They said that the campaign was a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits.

December 13, 2017 - Cybersecurity in 2018: Expect GDPR fines and an AI arms race

With 2018 fast approaching, here we are at the end of a tumultuous year in the world of cybersecurity. Attacks have been launched on infrastructure and democracy, mainstream media attention has been snatched and billions of sets of data have been plundered.

December 7, 2017 - Why container tech is the backbone of DevOps

Containerisation is one of the most exciting tech trends to emerge over the last few years. Designed to work at operating system level, it's a popular virtualisation method that allows IT professionals to deploy and distribute applications easily.

November 20, 2017 - The modern way to develop safe code

Derek Weeks, VP and DevOps Advocate at Sonatype, discusses how software development has evolved over the past ten years and the influence of DevOps practices across government agencies. Rather than taking a project and hiring people who can code, today systems are put together with blocks of code that are already written.

November 16, 2017 - Parity Technologies knew of Flaw Resulting in Loss of $300 Million in Cryptocurrency Ethereum

The loss of $300 million in cryptocurrency shows the urgent need for businesses and cryptocurrency firms to know what libraries and binaries they’re using. With open source binaries forming the basis of 80–90% of applications, they play a vital role in driving innovation and powering the world as we know it. However, Parity’s issues are a stark reminder that all binaries are not created equal.

November 16, 2017 - The Best Way for Dev and Ops to Collaborate - Part 1

When you say "DevOps" one of the first words that comes to mind is "collaboration." Even the structure of the word "DevOps" implies that Dev and Ops are coming together, collaborating in a way they had not done before. On DEVOPSdigest's list 17 Ways to Define DevOps, in the first definition entitled "A Cultural Revolution," Aruna Ravichandran, VP of DevOps Solution Marketing and Management at CA Technologies, said: "DevOps is a cultural revolution that liberates software delivery through cohesive collaboration and advanced automation."

November 13, 2017 - £214 million in Ethereum cryptocurrency virtually gone after code deletion

Tuur Demeester, editor in chief at Adamant Research, claimed that of that figure, about £69 million belongs to Polkadot, the Initial Coin Offering (ICO) of Parity founder and former Ethereum core developer Gavin Wood. “Following the fix for the original multi-sig issue that had been exploited on 19th of July (function visibility), a new version of the Parity Wallet library contract was deployed on 20th of July,” the advisory stated.

November 06, 2017 - The Best Way for Dev and Ops to Collaborate - Part 1

When you say "DevOps" one of the first words that comes to mind is "collaboration." Even the structure of the word "DevOps" implies that Dev and Ops are coming together, collaborating in a way they had not done before. On DEVOPSdigest's list 17 Ways to Define DevOps, in the first definition entitled "A Cultural Revolution," Aruna Ravichandran, VP of DevOps Solution Marketing and Management at CA Technologies, said: "DevOps is a cultural revolution that liberates software delivery through cohesive collaboration and advanced automation."

November 03, 2017 - Is your data being sold on the dark web?

Sonatype's crown jewel is its database of descriptions of over 1.2 million open source packages. “If that is lost, it could be an existential outcome,” said Wayne Jackson, CEO of the Fulton, Maryland-based software supply chain management company. To shut down any such leak quickly, Sonatype monitors the web for any indications that its data has been stolen and is being shared online. That monitoring includes the dark web.

October 31, 2017 - Top languages every application security pro should know

By 2022, there will be a shortfall of an estimated 1.8 million security professionals worldwide, with an acute scarcity of the technical professionals needed for secure software development, according to the 2017 Global Information Security Workforce Study. For many people interested in breaking into security, the shortage could be an opportunity. Some 87% of cybersecurity professionals started in a different career, with 30% coming from outside of IT, according to the biennial study.

October 29, 2017 - The Unrelenting Advance of New Technology and the Impact on GovCon

Letitia (Tish) Long, Chairman of the Board, Intelligence and National Security Alliance (INSA) [Internet of Things Cybersecurity Improvement Act of 2017]

October 27, 2017 - The Top 14 DC Tech Hires in October to Know About

Every month we recap the biggest tech hires and departures in the D.C. area over the past month. To get hiring and other local innovation news daily, sign up for The Beat. Here’s our list of the top hires in D.C. innovation for October.

October 24, 2017 - Third-party libraries are one of the most insecure parts of an application

Much has been written to guide software developers on how to develop secure software. Despite this general awareness, we continue to see vulnerable software produced. One of the observations in the HPE Cyber Risk Report 2016 is that attackers have shifted their focus from servers and operating systems directly to applications.

October 17, 2017 - Why DevOps is the end of security as we know it

Security can be a hard sell. It’s difficult to convince development teams to spend their limited cycles patching security holes with line-of-business managers pressuring them to release applications as quickly as possible. But given that 84 percent of all cyberattacks happen on the application layer, organizations can’t afford for their dev teams not to include security.

October 16, 2017 - People on the Move: Bill Karpovich

Bill Karpovich will lead portfolio evolution, strategic partnering, acquisitions, and new growth initiatives worldwide for Sonatype, the leader in software supply chain automation. Reporting to CEO Wayne Jackson, Bill will help the company expand its portfolio and scale operations globally.

October 16, 2017 - Bill Karpovich Joins Sonatype as SVP, Strategy & Corporate Development

Sonatype, the leader in software supply chain automation, has hired Bill Karpovich as SVP, Strategy and Corporate Development. Bill will lead strategic partnering, acquisitions, and new growth initiatives. Bill joins Sonatype from IBM.

October 16, 2017 - DevOps Jobs: 4 trends to watch

If you’ve got DevOps chops, you already know you’re in demand. And if you’re an IT leader hiring for a DevOps shop, you know the challenges in finding good people. Like DevOps itself, the DevOps job market continues to evolve. And let’s be honest: This isn’t an area of consensus in IT, as the ongoing debate about titles such as “DevOps Engineer” attests. 

October 16, 2017 - Q&A with Sonatype: on Open Source, Supply Chain Management, and the Nexus Platform

Today's software development teams have increasingly embraced the use of open source and third-party components in building their projects instead of actually starting from scratch. But while open source usage has added significant value to software development, enabling speed and innovation in teams, it has also introduced a host of security vulnerabilities.

October 13, 2017 - William G. Karpovich is now serving in a new position at Sonatype, Inc.

Sonatype, Inc. operates as a holding company, which provides enterprise software solutions. Its products include Nexus Repository Manager and Nexus Firewall, Lifecycle, and Auditor. The company was founded by Sarel Jason van Zyl and Brian Fox in 2008 and is headquartered in Fulton, MD.

October 09, 2017 - What's next in DevOps: 5 trends to watch

The term “DevOps” is typically credited to this 2008 presentation on agile infrastructure and operations. Now ubiquitous in IT vocabulary, the mashup word is less than 10 years old: We’re still figuring out this modern way of working in IT. Sure, people who have been “doing DevOps” for years have accrued plenty of wisdom along the way. But most DevOps environments – and the mix of people and culture, process and methodology, and tools and technology – are far from mature.

September 29, 2017 - News Roundup: Microsoft is working on a programming language for quantum computers

Microsoft wants to own Quantum Coding. Quantum computing is still in its nascent stage. But Microsoft – probably still wary of missing a trick like it did with mobile – has already staked its claim on the space. The Redmond Company announced this week that it is developing a language for programming quantum bits. The as-yet-unnamed language should be available for preview by the end of the year.

September 29, 2017 - As CCleaner illustrates, software security has a 'systemic problem'

It’s a truism of the Digital Age that anything can be hacked. It’s also a truism that things aren’t always what they seem. Those notions hold true for CCleaner, which, with 115 million monthly active users, is the most popular Windows system-cleaning and -optimizing software in the world. New findings about an attack on older versions of CCleaner, first disclosed last week, indicate that hackers targeted the popular third-party consumer utility in order to infiltrate corporate computer systems.

September 28, 2017 - Interview with Derek Weeks: "Everything except writing code can be automated"

Security and agile development in DevOps environments seem, at first glance, not to fit together. This is exactly where DevSecOps is meant to come in. Dev-Insider talked with Derek Weeks, Vice President at Sonatype, about the supposed contradictions.

September 27, 2017 - Sonatype - An Introduction to the Nexus Platform

On this podcast, Curtis Yanko, Technical Director, Alliances and Partners at Sonatype discusses how the Nexus Platform helps customers automate open source governance so they can build software the same way Red Hat builds Red Hat Enterprise Linux. Listen here (9 minutes):

September 26, 2017 - New breach, same lessons

The story of recent breaches at the credit-rating agency Equifax, which may have involved the personal details of nearly 150 million people, has probably just begun, given the confusion that still surrounds events. But it's brought the security of open source software to the fore yet again, and highlighted the ongoing struggle organizations still have with cybersecurity.

September 22, 2017 - Many companies have the same software that gave hackers access to Equifax data

More than 50,000 organizations are using outdated and leaky versions of Apache, the software whose Struts app gave hackers a back door into Equifax—even though free fixes have been available for nine months, according to Sonatype, a firm that monitors downloads of open-source software. Corporate America has been slow to update its open-source software, even after the Equifax hack that exposed 143 million people's sensitive data. "When you take on use of an open-source project, you're outsourcing software development to strangers," says Sonatype CEO Wayne Jackson.

September 21, 2017 - Equifax chief information officer, chief security officer announce retirement after data breach

Under-fire credit reporting agency Equifax has confirmed that its CSO and CIO are retiring following a massive data breach at the company affecting 143 million U.S. and 400,000 British customers. A few days later, Equifax brought in security consulting firm Mandiant, now a unit of FireEye and associated with many high-profile forensics investigations including the Yahoo breach the previous year, when data on more than 1 billion accounts was exposed.

September 21, 2017 - Equifax CIO and CSO Retire Amid Confusion Over Patching

The two most senior security roles have since been filled by the credit rating firm, with the world still stunned by the scale of the breach that also affected around 400,000 people in the UK. The way Equifax executives and its IT security team appear to have failed to adequately apply patches, the amount of time it took to discover the depth of the breach and the delay in ultimately reporting it certainly paints a picture of a colossal failure at all levels, including the curiously timed stock sales by top executives (who deny knowledge of the breach at the time of the sale) just days before the disclosure, reported by Bloomberg.

September 20, 2017 - Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late July, when the attack was finally detected.

September 19, 2017 - Plenty of blame to go around for Equifax breach

If you're not reading this on another planet or in a bunker somewhere, then you're likely aware of the recent breach of data from credit agency Equifax. Reports indicate that unknown attackers took advantage of a vulnerability in an Equifax web application to purloin personal identifiable information from 143 million people, including Social Security numbers.

September 19, 2017 - DevSecCon: The state of secure DevOps

With containerization, microservices, and a new software framework popping up seemingly every few months, software is moving fast—so fast that adding security to the agile development processes is difficult because the technologies are changing so quickly.

September 18, 2017 - Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

More than 3,000 organizations could be at risk of suffering an attack against the same vulnerability that allowed hackers to gain access to the records of more than 143 million Americans from credit reporting firm Equifax. The troublesome figure comes from supply chain automation firm Sonatype, which found a total of 3,054 organizations still using a vulnerable version of Apache Struts, a popular web application framework.

September 18, 2017 - 3,000 Orgs Open to Equifax-type Breaches

The number of organizations that have downloaded vulnerable versions of the Struts2 component (CVE-2017-5638) totals 3,054, according to Sonatype. Analyzing data from the Maven Central repository, the largest distribution point for Java open-source components, Sonatype found a startling lack of hygiene related to enterprise consumption of vulnerable Struts2 components, which were exploited in the massive breach at Equifax.

September 16, 2017 - Equifax breach victims might not know their data is exposed

Equifax has been making headlines the last few weeks for a large security breach involving consumers in the U.S., U.K., and Canada. Attackers gathered the personal information of up to 143 million U.S. consumers, including credit card numbers for about 209,000 people. Other information accessed during the breach includes names, Social Security numbers, birth dates, addresses, and driver's license numbers, all of which are valuable to identity thieves.

September 13, 2017 - IoT and open source: How to boost app sec by putting quality first

Developers often fail to effectively manage the security of the open-source components they use. Unfortunately, most software incorporates at least one vulnerable component, and that means that, unless developers keep on top of their repository, they are linking vulnerabilities into their code.

September 12, 2017 - Equifax hack lawsuits start to stack up

U.S. consumer credit reporting agency Equifax Inc. will soon be heading to court with multiple lawsuits being filed against the company following its disclosure of a massive hack last week. The lawsuits, which stand at least two dozen according to Reuters, come in a number of different flavors, including one suit that alleges that Equifax was guilty of equities fraud, while a number of other suits are specifically targeting Equifax's response to the hack such as its offer of one year of free credit monitoring.

September 12, 2017 - The Morning Risk Report: Open-Source Software in Spotlight After Equifax Breach

As cybersleuths work to uncover the exact vulnerability hackers exploited to pull off the data theft, one thing companies not wanting to be the next Equifax can do is review the types of open-source software used in applications they deploy—and then look for ways to more effectively mitigate those threats.

September 12, 2017 - Radio Interview with Wayne

KCBS news radio interviews Wayne Jackson, CEO of Sonatype, to discuss the Equifax data breach related to Struts2, open source governance practices, and pending IoT legislation in the Senate. Listen here (2 minutes):

September 11, 2017 - What should be done to prevent more credit data hacks like Equifax's

In the wake of the hacking last week of U.S. consumer credit reporting agency Equifax Inc., security experts are calling for big changes, including big penalties for the data brokers that hold so much information critical to everyone's financial life.

September 3, 2017 - Washington Area Appointments and Promotions

Sonatype of Fulton appointed Letitia Long and Steve Hills board members.

August 24, 2017 - Letitia Long

Letitia Long, the former director of the U.S. National Geospatial-Intelligence Agency (NGA), has joined Sonatype's Board of Directors.

August 24, 2017 - Steve Hills

Steve Hills, the former president and general manager of The Washington Post, has joined Sonatype's Board of Directors.

August 15, 2017 - Letitia Long and Steve Hills | Sonatype

Letitia Long, the former director of the U.S. National Geospatial-Intelligence Agency, and Steve Hills, the former president and general manager of The Washington Post, have joined the board of directors of software supply chain automation company Sonatype as independent directors.

August 14, 2017 - Sonatype to measure automated programmes through Success Metrics

Software supply chain automation leader Sonatype has announced new return-on-investment and application-quality metrics within its Nexus Lifecycle solution. The new feature, Success Metrics, enables DevOps teams to measure and quickly assess the effectiveness of their automated open source governance programmes.

August 8, 2017 - Sonatype Report Spotlights Software Supply Chain Issues

Most application developers today don't write much raw code. Rather, applications developed today are created mostly by combining various modules and widgets to create a custom application. But currently there is little oversight being applied to the provenance of application components, especially when it comes to open-source software.

August 4, 2017 - All open source components are not created equal

Imagine if you could improve the quality of your applications and cut development cost at the same time. It is possible, if you can manage the quality of the open source components used by your developers. This is according to the third annual State of the Software Supply Chain Report published by US-based software supply chain automation specialist, Sonatype.

July 31, 2017 - Active Management of Open Source Components Delivers Measurable Improvements Claims Sonatype Report

In July, Sonatype released their third annual State of the Software Supply Chain report concluding that when organisations actively manage the quality of open source components in software applications they see a 28% improvement in developer productivity (through reduction in manual governance), a 30% reduction in overall development costs, and a 48% increase in application quality (as application vulnerabilities are removed early reducing their incidence in production).

July 24, 2017 - Monthly quiz: Test yourself on open source development tools trends

The move to open source development tools -- already unstoppable -- continues to gain momentum. Years ago, open source was looked upon as a way to save money. Today, a key driver is the clear fact that, with tens of thousands of contributors sharing their expertise and the ever-widening availability of high-quality code, resistance is futile.

July 22, 2017 - This Week in Scalability: System Backups in the Container Era

As we gear up to release our next e-book on the Kubernetes open source container orchestration engine (check with us in about a month), we have been reviewing how well K8s has been making its way into the enterprise — the true determinant of whether the software becomes an essential component of "the new stack," so to speak.

July 20, 2017 - Software wet wipes, Sonatype advocates supply chain hygiene

Supply chain automation company Sonatype produces what it calls its Software Supply Chain Report every year (now in its third) in an attempt to highlight alleged 'risks' lurking within open source software components.

July 20, 2017 - DevOps practices reduce the use of defective open-source components by 63 percent

Supply chain automation vendor Sonatype this week published its third annual State of the Software Supply Chain Report. This year's report highlights risks lurking in open-source software components and quantifies the empirical benefits of actively managing hygiene within the software supply chain.

July 19, 2017 - Bad Code Library Triggers Devil's Ivy Vulnerability in Millions of IoT Devices

Tens of millions of products ranging from airport surveillance cameras, sensors, networking equipment and IoT devices are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.

July 19, 2017 - Software supply chain report focuses on open source impact

Sonatype has released its third annual State of the Software Supply Chain Report. This year's report highlights risks lurking within open source software components and quantifies the empirical benefits of actively managing software supply chain hygiene.

July 19, 2017 - Sonatype report reveals open source software risks

Sonatype has announced the release of its third report, State of the Software Supply Chain, highlighting risks within open source software components and the benefits of actively managing software supply chain hygiene.

July 18, 2017 - DevOps practices reduce defective open-source components

Sonatype publishes its third annual State of the Software Supply Chain Report. This year's report highlights risks lurking in open-source software components and quantifies the empirical benefits of actively managing hygiene within the software supply chain.

July 18, 2017 - DevOps makes open-source use safer

Open-source components are found ever more frequently in the software supply chain. DevOps strategies and active management help to detect defective components better, as the latest Software Supply Chain Report from Sonatype underlines. For the 2017 Software Supply Chain Report, Sonatype analysed more than 17,000 applications. It showed that developer productivity rose by 28 percentage points when the open-source components in use were actively managed. Overall development costs could be reduced by 30 percent.

July 18, 2017 - Sonatype 2017 State of the Software Supply Chain Report: DevOps Practices Reduce Use of Defective Open Source Components by 63%

Sonatype, the leader in software supply chain automation, today announced the release of its third annual State of the Software Supply Chain Report. This year's report highlights risks lurking within open source software components and quantifies the empirical benefits of actively managing software supply chain hygiene.

July 18, 2017 - 2017 Software Supply Chain Report: Use open-source software components prudently

Open source is considered secure because many contributors look at the code. Nevertheless, studies show that the careless use of OSS components frequently also introduces vulnerabilities into applications. Good software supply chain management can prevent this, says the new Software Supply Chain Report 2017 from Sonatype.

July 18, 2017 - Open Source Driving DevOps Automation

Heightened awareness about the security risks associated with open source software has increased use of disciplined DevOps practices that have improved application quality and developer productivity, a software supply chain survey finds.

July 18, 2017 - How to expose flaws in custom-built mobile apps

As enterprises develop more custom applications -- many of them mobile apps as part of a mobile-first strategy -- in-house developers are increasingly at risk of unwittingly using open-source code rife with vulnerabilities.

July 17, 2017 - DevOps practices help improve the quality of open source components

The use of open source components can help speed up the software development process, but it comes with a risk if poor quality code leads to vulnerable applications being released. The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations which actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.

July 17, 2017 - Sonatype's State of the Software Supply Chain, Motorola and Neurala team up for AI, and The Bitfury Group's Exonum

Sonatype released its third annual State of the Software Supply Chain report, which highlights risks within open source software components. The report also highlights the benefits of managing software supply chain hygiene. "Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts.

July 7, 2017 - Npm Password Resets Show Developers Need Better Security Practices

Thousands of developers who publish JavaScript packages in the npm repository have had their passwords reset since May because their login credentials were too weak or had been publicly exposed. The affected accounts were in control of tens of thousands of Node.js modules that, in turn, were direct or indirect dependencies for half of the entire npm ecosystem.

July 6, 2017 - IT Security Practices Being Eyed Earlier in App Development: Study

In the past, IT security in the application building process has often been addressed as an after-thought, usually brought up at the last minute, just after the desired application and code were created. Since 2014, however, that frequent pattern has been changing as more security emphasis is apparently being brought into application development earlier in its creation, according to a recent DevSecOps study on enterprise security practices, released by Sonatype.

June 30, 2017 - Sonatype Acquires Vor Security to Expand Nexus Open-Source Component Support

In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++. Sonatype, well known as the creators of artifact repositories Apache Maven and Nexus, have extended their previously Java, JavaScript, .Net and Python centric component intelligence capabilities to include the new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.

June 29, 2017 - Sonatype Adds More Open Source Intelligence with Acquisition

Fulton-based Sonatype is bringing on some deeper knowledge about potential security vulnerabilities with an acquisition. The company, which makes tools to automate software processes and identify potential holes in open source code, acquired Vor Security, which is based in Ottawa, Canada.

June 29, 2017 - Eclipse Oxygen, the Android Things Console, and Sonatype acquires Vor Security

The Eclipse Foundation has announced Eclipse Oxygen is now available. The Oxygen release includes 83 projects, 287 committers, and about 71 million lines of code. "We're proud to announce the arrival of Eclipse Oxygen, the 12th annual simultaneous release from the Eclipse Community,"

June 29, 2017 - Md. software company buys security firm, launches new data service

A Maryland-headquartered provider of tools to automate software supply chains has acquired a Canadian firm and launched a new data service. Fulton-based Sonatype Inc. has acquired Vor Security of Ottawa, Ontario. Ken Duck, the founder and CEO of Vor, will work on data that underpins Sonatype's tools.

June 21, 2017 - The Top Advantages of Being Agile - Part 2

Why Agile? DEVOPSdigest asked the experts for their opinions on what are the most important advantages of being Agile. Part 2 is all about speed.

June 20, 2017 - Sonatype Integrates Nexus Lifecycle with Microsoft Visual Studio

Sonatype, the leader in software supply chain automation, today announced that it has released a new version of Nexus Lifecycle that includes an extension to Microsoft Visual Studio, a popular integrated development environment (IDE).

June 13, 2017 - DevSecOps is Not a Security Panacea

Many development teams view security as an impediment to agility and innovation, but efforts over the past few years have tried to integrate security controls and testing directly into DevOps workflows without sacrificing development speed and deployment flexibility.

May 24, 2017 - Sonatype Releases New Version of Free Repository Health Check

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. All 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

May 17, 2017 - BBC Radio Interview: Cyber Crime

With two international cyber-crime conferences in Belfast in the same week, we're asking whether your company can stay ahead of the hackers. Wendy Austin is joined by Shannon Lietz, DevSecOps lead at Intuit; Mark Miller, senior storyteller at Sonatype; and David Crozier of Queen's University spinout CSIT.

May 4, 2017 - Red Hat Summit: Black Duck's Hub solution, CloudHealth Technologies' cloud service management platform, and Sonatype's Nexus Repository

Red Hat's annual open-source technology event, Red Hat Summit, is coming to a close today. The event showcases the latest innovations in cloud computing, platform, virtualization, middleware, storage and systems management technologies.

May 2, 2017 - Sonatype Nexus Repository Certified to Run on Red Hat OpenShift Container Platform

Sonatype has containerized and certified its Nexus Repository to run on Red Hat OpenShift Container Platform.

May 1, 2017 - Sonatype Nexus Repository Recognized as a Certified Red Hat OpenShift Solution

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. As of today, all 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

April 26, 2017 - Nexus Launches into Mesosphere DC/OS

Nexus Repository is the first to offer DC/OS users a free, private registry for Docker containers in addition to enterprise-scale artifact management for the most popular development languages. Nexus Repository offers a great way to organize, store, and distribute software components critical to DevOps and CI/CD toolchains.

April 26, 2017 - DevSecOps, or how to build safer software so much faster

DevOps can help develop software faster, but that's not making it any safer. DevSecOps is an effort to bring security into the mix. Here are some ways to get started.

April 25, 2017 - Sonatype Announces 2017 DevSecOps Survey Findings

Sonatype, the leader in software supply chain automation, today announced the telecommunications results of its 2017 DevSecOps Community Survey. 160 telecommunications IT professionals participated in the online survey conducted in February 2017, out of a total of 2,292 overall survey respondents. The survey revealed that mature development organizations ensure automated security is woven into their DevOps practice early, everywhere, and at scale. Analysis of responses also found that 20% of telecom organizations continue to struggle with breaches, consistent with overall survey respondents.

April 24, 2017 - Sonatype Introduces Free Next-Generation Repository Health Check

Sonatype released the next generation of its free Repository Health Check (RHC) feature within its flagship Nexus Repository product. As of today, all 120,000 organizations using Nexus will benefit immediately from the ability to automatically analyze the quality and security of open source software components housed within their Nexus Repository as part of their DevOps pipeline.

April 21, 2017 - The Hidden Dangers of Component Vulnerabilities

Today's development practices continue to evolve toward the fast iterations of smaller builds. Developers are using approaches like microservices to chunk out monolithic applications into a sum of more rational and reusable mix-and-match elements.

April 20, 2017 - Sonatype Announces Git LFS Support for Nexus Repository

Sonatype, the leader in software supply chain automation, today announced that Nexus Repository is first to market with free support for Git Large File Size (LFS) artifacts. With the addition of Git LFS, Nexus Repository now supports eight of the most popular software component types, including Docker, Java, npm, NuGet, PyPI, Bower, and RubyGems.

April 19, 2017 - Sonatype Announces Secure DevOps Solution for Python Developers

Sonatype announced that its Nexus Firewall will offer support for automated governance of PyPI components before the end of the quarter.

April 19, 2017 - DockerCon 2017 Round-up

2017's DockerCon was held in Austin, Texas this past week. DockerCon is the annual conference centered on the container industry and community. Below is a round-up of all the pressing news that was dropped at the event. We will be featuring news from StorageOS, TwistLock, Mesosphere, and Mirantas.

April 10, 2017 - As DevOps Grows, Automation Is Key to App Security

IT organizations continue to struggle with breaches, which have risen sharply over the past three years. Yet during the same period, the use of secure components has remained flat, suggesting that more organizations must improve their applications' security posture.

March 23, 2017 - DevOps Embraces Security Measures to Build Safer Software

DevOps is not simply transforming how developers and operations work together to deliver better software faster, it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that DevOps teams are increasingly adopting security automation to create better and safer software.

March 23, 2017 - New DevOps Research From Sonatype Reveals Changing Attitudes Toward Application Security

Sonatype, the leader in software supply chain automation, has announced the results of its 2017 DevSecOps Community Survey which was conducted in February. There were 2,292 IT professionals that participated in the online survey which revealed that mature development organisations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale. Analysis of responses also found that IT organisations continue to struggle with breaches as nearly a 50% increase was recorded between Sonatype's 2014 and 2017 survey.

March 22, 2017 - Businesses make automated security a part of DevOps

Mature development organizations make sure automated security is built into their DevOps practice early, everywhere and at scale, according to a new report by Sonatype.

March 22, 2017 - Research reveals changing attitudes toward application security

Sonatype has announced the results of its 2017 DevSecOps Community Survey which revealed that mature development organisations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale.

March 22, 2017 - DevSecOps automation helps development teams

Professional software vendors have already implemented DevOps practices extensively and are increasingly letting security aspects flow into their strategy in automated form. This is the conclusion of a study by Sonatype, a provider of software supply chain automation.

March 21, 2017 - IT Pro Portal

Mature development organizations make sure automated security is built into their DevOps practice early, everywhere and at scale, according to a new report by Sonatype.

March 21, 2017 - DevOps study: integrate security early

Sonatype has announced the results of the "2017 DevSecOps Community" survey. 2,292 IT experts took part in the online survey conducted in February 2017. The study found that mature development organizations ensure that security is integrated into their DevOps practices in an automated way, namely early, everywhere and at the right scale. The analysis of the responses also showed that IT organizations continue to struggle with security gaps. Comparing Sonatype's survey figures between 2014 and 2017, there is even an increase of almost 50 percent.

March 21, 2017 - Changing attitudes toward application security

Sonatype has published the results of its 2017 DevSecOps Community Survey. 2,292 IT professionals participated in the online survey conducted in February 2017. The survey revealed that mature development organizations ensure automated security is woven into their DevOps practice, early, everywhere, and at scale. Analysis of responses also found that IT organizations continue to struggle with breaches as nearly a 50% increase was recorded between Sonatype's 2014 and 2017 survey.

February 2, 2017 - A look at the top four venture capital recipients of 2016

Sonatype Inc., Vtesse Inc., NextCure and GrayBug LLC were the four companies that received the most venture capital funding in 2016.

February 1, 2017 - State of the Software Supply Chain

Thanks to Derek Weeks, V.P. and DevOps Advocate for Sonatype for sharing their second annual report on managing open source components to accelerate innovation. Following are the key findings of their research...

January 20, 2017 - Sonatype: 1 in 15 open source app components has at least one security vulnerability

Software supply chain automation company Sonatype is hanging out the flags to celebrate the fact that it has experienced a 300 percent growth in the use of its Nexus Repository over the past three years.

January 13, 2017 - Scanning JavaScript for vulnerabilities: How the impossible is now possible

JavaScript is everywhere, and it's awesome! But the world's most popular language can be riddled with problems if you aren't a careful programmer.

January 6, 2017 - Sonatype Takes on Container Governance

As usage of containers continues to proliferate across the enterprise there will be some natural shifting of management responsibility between developers and IT operations teams in many organizations. In fact, most developers will have a bare-minimum involvement in anything to do with IT governance.

December 15, 2016 - Code Reuse a Peril for Secure Software Development

The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.

December 8, 2016 - Sonatype Adds Container Inspection to Its Lifecycle Software

Sonatype, a company offering a kind of quality control for software components, has extended its reach into the container world.

November 28, 2016 - DevOps & agile software development

Today's interview is with Matt Howard, executive vice president for Market Development at Sonatype. His company helps federal software developers put together code quicker, cheaper, and in a more secure manner.

November 11, 2016 - Fancy 15 hours of DevOps

It's one thing logging onto a 15 hour online event covering the world of DevOps. It's quite another watching it live in the comfortable offices of one of the main sponsors with complimentary food and drinks from morning until evening. Plus happy hour.

November 1, 2016 - Why software is no longer being written from scratch

Application developers are increasingly reliant on open source component parts because pre-fabricated components speed up innovation and save developers the time (and money) of having to write code from scratch.

October 21, 2016 - Sonatype Maps the JavaScript Genome for DevOps

Sonatype has mapped out the JavaScript genome to help organizations with high-velocity, automated development practices.

September 26, 2016 - What's in your code? Why you need a software bill of materials

When developers and suppliers carefully list the tools used to build an application and what third-party components are included, IT can improve software patching and updates.

September 21, 2016 - 14 DevOps Leaders Join Forces

CloudBees, Sonatype, GitHub, CA Technologies and 10 other IT solutions and service providers have announced that they are forming an alliance with the goal of making it easier for enterprises to adopt the software stack needed to implement DevOps in their organizations.

September 15, 2016 - 14 DevOps vendors link up to simplify enterprise adoption of 'best of breed' tools

DevOps Express initiative aims to streamline the way enterprises transform their software development and delivery processes to DevOps.

September 15, 2016 - Jenkins World: CloudBees, DevOps Express, the Blue Ocean project, and Undo's Live Recorder

Fourteen DevOps technology leaders announced a new initiative to streamline DevOps adoption at this week's Jenkins World. The new DevOps Express aims to help answer key questions such as where to start, what a typical DevOps stack looks like, how to learn from others, how to minimize risk, and how to ensure technologies will work together.

September 14, 2016 - Sonatype and CloudBees launch the DevOps Express initiative

14 industry leaders have set themselves the goal of improving customer satisfaction with "battle-tested" native DevOps solutions.

August 19, 2016 - Derek Weeks: A closer look at software supply chain

The software world is being flooded with open source product. In fact, the federal government has an open-source-first policy. But maybe it's time to stop and think about sources of open source. Where does all that code originate? The software supply chain. That's something Derek Weeks, vice president and DevOps advocate at Sonatype, looks at carefully. He joins Federal Drive with Tom Temin.

July 22, 2016 - Protecting the open source software supply chain

What: The 2016 State of the Software Supply Chain report from Sonatype detailing the use of open source components in software. Why: Because 80 to 90 percent of today's software applications are made of component parts, and increasingly, open source components, defect rates and security and quality issues abound within the software supply chain. Adopting supply chain automation principles, however, could reduce vulnerabilities.

July 12, 2016 - Report: 1 in 16 Java Components Have Security Defects

Sonatype has just released its second annual report on managing open source components. The "2016 State of the Software Supply Chain" report is available now, and well worth reading.

July 11, 2016 - The State of the Software Supply Chain report

Open-source software is being used more than ever, yet practices for sourcing the software are inefficient and vulnerabilities are pervasive, according to a report from supply-chain automation provider Sonatype.

July 11, 2016 - Room for Application Security Improvement

Application security suffers from the indiscriminate use of open source software components, finds Sonatype research.

July 11, 2016 - Report: Enterprises more reliant on open source and third-party software components

The software supply chain is booming and enterprises are frequently turning to open source and third party software components to decrease the amount of code they have to write, which helps accelerate deployment cycles, according to Sonatype's 2016 State of the Software Supply Chain report released Monday.

July 11, 2016 - Enterprise software developers continue to use flawed code in apps

The use of third-party code in enterprise software projects is growing fast, but the used code often has known flaws.

July 11, 2016 - Enterprise software developers continue to use flawed code in apps

Companies that develop enterprise applications download over 200,000 open-source components on average every year -- and one in 16 of those components has security vulnerabilities.

April 13, 2016 - Sonatype launches new Nexus Universal Repository Manager

Sonatype, the leader in software supply chain automation, today released the latest version of Nexus Repository, adding free support for seven of the most popular software component types. Additionally, Sonatype announced that Nexus Repository has now surpassed 100,000 active installations, including a majority of the Fortune 100, and continues to experience massive growth in usage.

Feb 4, 2016 - Sonatype Snares $30 Million Investment Led By Goldman Sachs

Sonatype, a company that helps customers create automated, policy-driven software component security, announced a $30 million round today led by Goldman Sachs.

Feb 4, 2016 - Goldman Sachs Leads $30 Million Investment in Software Supply Chain Fixer

Don Duet, who co-leads the tech division at Goldman, cited the growing importance of open source code at his company as justification for the deal. "Today, open source components underpin a vast majority of our most mission-critical applications at the firm," he said in a statement.

Feb 4, 2016 - Md.-based cyber firm picks up $30 million led by Goldman Sachs

Jackson said helping Goldman with its own software infrastructure led to the financing announced Thursday. If the institution hadn't been a customer, he says, "they probably never would have found us."

Feb 4, 2016 - Goldman Sachs Leads $30M Round in Sonatype

Goldman Sachs has led a $30 million investment in software developer Sonatype to help protect the quality of its open source software.

Dec 15, 2015 - Unwritten Rules of Hacking

Sonatype CTO Josh Corman is featured in CNN Money news segment from DefCon 2015 in Las Vegas, discussing white hat hacking as a force for good.

Dec 14, 2015 - Safer Open Source Code Inside The Enterprise – Sonatype Nexus Firewall

Given this new proliferation of open source software components, we are starting to see automation controls come forward to help control these essentially dynamic and constantly developing code bases.

Nov 20, 2015 - Who let security into DevOps?

Josh Corman featured in a series that covers DevOps and SecOps, and securing the Internet of Things.

Nov 13, 2015 - Thousands of Java applications vulnerable to nine-month-old remote code execution exploit

A popular Java library has a serious vulnerability, discovered over nine months ago, that continues to put thousands of Java applications and servers at risk of remote code execution attacks.

Nov 13, 2015 - Twistlock Partners with Sonatype on Container Security

Twistlock have also partnered with Sonatype in order to help developers keep vulnerabilities out of the 'left hand side' of the image creation process.

Aug 18, 2015 - All the cyberattacks on the U.S. government (that we know of)

Federal agencies have suffered at least a dozen major data breaches or network intrusions since 2007. What's troubling is, experts say these are high-tech attacks trending toward an old-fashioned end: Espionage.

Aug 14, 2015 - Sonatype CTO, Josh Corman, interviewed on Fox Business News about a recent Verizon phone bill hack.

Sonatype CTO, Josh Corman, is interviewed on Fox Business News about cyber security and recent hacks on vehicles, medical devices and now a Verizon phone bill with a $117,000 charge.

Aug 12, 2015 - CNBC Interview with Sonatype CTO, Josh Corman, about cyber security

CNBC interviews Sonatype CTO, Josh Corman, about a suspected Russian attack on the Pentagon with a discussion about the broader implications of cyber security.

Jul 20, 2015 - When Good Code Goes Bad

Unlike other industries that rely on supply from other organizations, software development has no clear way to understand when an open source or proprietary component 'part' is found to be defective.

Jun 23, 2015 - Programmers are copying security flaws into your software, researchers warn

Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work. The problem: they're not vetting the code for security problems.

Jun 16, 2015 - Software Applications Have on Average 24 Vulnerabilities Inherited from Buggy Components

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components.

Jun 1, 2015 - Sonatype Facilitates DevOps Approach to App Dev

Applications are rarely built from scratch today, but rather tend to leverage myriad tools and libraries as organizations increasingly move to a rapid deployment DevOps style of IT.

May 18, 2015 - Learning by Example: What software developers can learn from Toyota about supply chains

Software developers can learn a lot from the example of car manufacturing. Both stand to benefit from reducing the complexity in their supply chains and gaining more control over the parts they use.

Jan 23, 2015 - Growing Open Source Use Heightens Enterprise Security Risks

The data breaches disclosed earlier this month at Park 'N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it.

Jan 21, 2015 - How secure are your open source-based systems?

The Cyber Supply Chain and Transparency Act of 2014 requires any supplier of software to the federal government to identify which third-party and open source components are used and verify that they do not include known vulnerabilities for which a less vulnerable alternative is available.