FULTON, Md., Dec. 14, 2015 /PRNewswire/ -- Sonatype, the company dedicated to helping IT organizations deliver higher quality software even faster, today announced free format support for Docker and npm in the market leading Nexus Repository Manager, as well as the development of plug-ins for both Twistlock and npm On-site.
Fulton, MD – June 17, 2015 – Sonatype today released the results of an extensive study of the software development practices of 106,000 organizations representing 17 billion requests for open source and third party software components from the Central Repository in 2014 alone. The study revealed that the way the world creates software is broken – with 23% of the components in the average software application containing known vulnerabilities.
Fulton, MD – June 15, 2015 – Sonatype today introduced the Nexus software platform designed to help IT organizations deliver higher quality software, even faster. The new Nexus software platform integrates the market leading Nexus repository managers, Sonatype’s software formerly known as Component Lifecycle Management (CLM), as well as many new capabilities.
Fulton, MD – March 30, 2015 – Sonatype, the Nexus company and a continuous delivery leader, today announced that it has been named to the JMP Securities Fast 50 list of hottest privately held security and networking companies. The list recognizes innovators that have the capability to dominate their respective markets.
Fulton, MD – February 26, 2015 – Sonatype, the Nexus company and a continuous delivery leader, today announced that its Nexus repository manager usage has doubled in the last 18 months (July 2013 to February 2015). With five times more installs than any other repository manager, Nexus continues to be the industry standard for accelerating continuous software delivery and DevOps.
Fulton, MD - December 10, 2014 - Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.
Fulton, MD – November 17, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a new version of its Component Lifecycle Management (CLM) software. An industry first, developers can now avoid security risks without missing business-critical delivery deadlines.
Fulton, MD – October 1, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today announced free NuGet package support through its open source component manager – Nexus OSS. As developers are consuming an ever-increasing number of open source components – now approaching 250 million downloads annually – the .NET community is seeking to improve build performance and stability through the use of component managers. This trend mirrors the evolution in the Java development environments, where there are 13 billion open source component download requests managed annually. More than 40,000 organizations and teams seeking to improve their open source development performance and security have turned to Sonatype’s Nexus component managers – all of which can now leverage available NuGet support.
Development organizations using Nexus component managers benefit from:
“Helping development teams realize efficiencies, while mitigating licensing and security risks, is a key goal for VSIP Program partners like Sonatype,” said Mitra Azizirad, General Manager, Developer Platform & Sales at Microsoft Corp. “Providing developers the right component management tools, like the Nexus OSS, introduces beneficial agile improvements that persist throughout the development lifecycle.”
In addition to expanding NuGet support from the paid version of Nexus Professional to also include Nexus OSS, Sonatype is also the first to deliver critical security vulnerability and license risk data for NuGet packages to the .NET development community. Visibility to known risks will enable developers to make better, more informed decisions about the components they select when building applications. Through Nexus, Sonatype provides ongoing updates to organizations of potential risks entering their software development lifecycle.
Sonatype’s Nexus OSS software and more information about open source component managers can be found here:
About Sonatype:
Every day, developers rely on millions of third party and open source building blocks – known as components – to build the software that runs our world. Sonatype ensures that only the best components are used throughout the software development lifecycle so that organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
Tony Keller
The Walker Group
tkeller@walkerlimited.com
FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey sponsored by venture capital firm New Enterprise Associates, Inc. (NEA) and software supply chain management company Sonatype. In the survey, 3 out of 10 respondents actually admitted that they either had experienced, or suspected they had experienced, a breach caused by an open source component within the last 12 months.
The 2014 State of Open Source Development and Application Security Survey questioned more than 3,300 software developers, architects and application security professionals around the world about their use of open source software, policies governing its use, and common application security practices.
The survey provides a clear perspective on the state of application security across many of the world’s leading software development organizations because 90 percent of a typical application is composed of open source components, with more than 13 billion requests served for these free, reusable software building blocks last year. Among the survey highlights:
As with any software, flaws will be found in open source components. But unlike internally developed software code, organizations bringing open source components into their firms do not have effective governance policies and practices to identify, track or remediate vulnerabilities within those components. This creates a rich target for hackers to exploit the vulnerable applications.
“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”
In fact, according to a Sonatype analysis, in one year there were more than 46 million requests for insecure versions of the 31 most popular open source security libraries [1]. And even after critical or severe vulnerabilities were announced and fixed in these popular open source components, the vulnerable versions continued to be downloaded on a massive scale: Struts2 web application framework (179,050 downloads), the Bouncy Castle cryptography API (214,484 downloads), the Jetty web application server (5,174,913 downloads) and the HTTP Client implementation for Java (3,749,193 downloads) [2].
Sonatype recommends that application developers avoid use of flawed components by using software offering automated governance, monitoring and alerts to identify and proactively fix component vulnerabilities throughout the software development lifecycle.
The 2014 State of Open Source Development and Security Survey was co-sponsored by Contrast Security, Rugged Software and the Trusted Software Alliance. It marked the fourth annual examination of open source software development trends spearheaded by Sonatype to raise awareness and improve development and security practices. Full survey results can be found at www.sonatype.com/company.
About NEA
NEA is a leading venture capital firm focused on helping entrepreneurs build transformational businesses across multiple stages, sectors and geographies. With more than $13 billion in committed capital, the firm invests in information technology and healthcare companies at all stages in a company’s lifecycle, from seed stage through IPO. NEA’s long track record of successful investing includes more than 175 portfolio company IPOs and more than 300 acquisitions. For additional information, visit www.nea.com.
About Sonatype:
Sonatype focuses on the challenge of creating a secure software supply chain. Today, developers rely on millions of third party and open source building blocks – known as components – to build up to 90% of a typical application. These components are downloaded from the internet, without controls, allowing components with known security vulnerabilities and/or licensing risks to be built into newly developed software. And unlike a manufacturing supply chain, these components are not tracked throughout their lifecycle for update or recall. Sonatype uniquely identifies all components and integrates data about known security, license and quality risks into the tools developers use every day, so risky components can be easily avoided and defects repaired early in the development process. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
[1] 2012 Executive Brief: Addressing Security Concerns in Open Source Components, by Sonatype, Inc. and Aspect Security
[2] Sonatype, Inc. analysis of activity in the (Maven) Central Repository
Fulton, MD – April 22, 2014 — Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, continues to find its software in high demand. The company credits this momentum to an increasing awareness of the urgent need to address the risks associated with flawed open source components being used in millions of mission-critical software applications.