Fulton, MD - December 10, 2014 - Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.
Fulton, MD – November 17, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a new version of its Component Lifecycle Management (CLM) software. An industry first, developers can now avoid security risks without missing business-critical delivery deadlines.
Fulton, MD – October 1, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today announced free NuGet package support through its open source component manager – Nexus OSS. As developers are consuming an ever-increasing number of open source components – now approaching 250 million downloads annually – the .NET community is seeking to improve build performance and stability through the use of component managers. This trend mirrors the evolution in Java development environments, where 13 billion open source component download requests are managed annually. More than 40,000 organizations and teams seeking to improve their open source development performance and security have turned to Sonatype’s Nexus component managers – all of which can now leverage the available NuGet support.
Development organizations using Nexus component managers benefit from:
“Helping development teams realize efficiencies, while mitigating licensing and security risks, is a key goal for VSIP Program partners like Sonatype,” said Mitra Azizirad, General Manager, Developer Platform & Sales at Microsoft Corp. “Providing developers the right component management tools, like the Nexus OSS, introduces beneficial agile improvements that persist throughout the development lifecycle.”
In addition to expanding NuGet support from the paid version of Nexus Professional to also include Nexus OSS, Sonatype is also the first to deliver critical security vulnerability and license risk data for NuGet packages to the .NET development community. Visibility to known risks will enable developers to make better, more informed decisions about the components they select when building applications. Through Nexus, Sonatype provides ongoing updates to organizations of potential risks entering their software development lifecycle.
Sonatype’s Nexus OSS software and more information about open source component managers can be found here:
About Sonatype:
Every day, developers rely on millions of third party and open source building blocks – known as components – to build the software that runs our world. Sonatype ensures that only the best components are used throughout the software development lifecycle so that organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
Tony Keller
The Walker Group
tkeller@walkerlimited.com
FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey sponsored by venture capital firm New Enterprise Associates, Inc. (NEA) and software supply chain management company Sonatype. In the survey, 3 out of 10 respondents admitted that they either had, or suspected they had, a breach caused by an open source component within the last 12 months.
The 2014 State of Open Source Development and Application Security Survey questioned more than 3,300 software developers, architects and application security professionals around the world about their use of open source software, policies governing its use, and common application security practices.
The survey provides a clear perspective on the state of application security across many of the world’s leading software development organizations because 90 percent of a typical application is composed of open source components, with more than 13 billion requests served for these free, reusable software building blocks last year. Among the survey highlights:
As with any software, flaws will be found in open source components. But unlike internally developed software code, organizations bringing open source components into their firms do not have effective governance policies and practices to identify, track or remediate vulnerabilities within those components. This creates a rich target for hackers to exploit the vulnerable applications.
“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”
In fact, according to a Sonatype analysis, in one year there were more than 46 million requests for insecure versions of the 31 most popular open source security libraries [1]. And even after critical or severe vulnerabilities were announced and fixed in these popular open source components, the vulnerable versions continue to be downloaded on a massive scale: Struts2 web application framework (179,050 downloads), the Bouncy Castle cryptography API (214,484 downloads), the Jetty web application server (5,174,913 downloads) and the HTTP Client implementation for Java (3,749,193 downloads) [2].
Sonatype recommends that application developers avoid use of flawed components by using software offering automated governance, monitoring and alerts to identify and proactively fix component vulnerabilities throughout the software development lifecycle.
The 2014 State of Open Source Development and Security Survey was co-sponsored by Contrast Security, Rugged Software and the Trusted Software Alliance. It marked the fourth annual examination of open source software development trends spearheaded by Sonatype to raise awareness and improve development and security practices. Full survey results can be found at www.sonatype.com/company.
About NEA
NEA is a leading venture capital firm focused on helping entrepreneurs build transformational businesses across multiple stages, sectors and geographies. With more than $13 billion in committed capital, the firm invests in information technology and healthcare companies at all stages in a company’s lifecycle, from seed stage through IPO. NEA’s long track record of successful investing includes more than 175 portfolio company IPOs and more than 300 acquisitions. For additional information, visit www.nea.com.
About Sonatype:
Sonatype focuses on the challenge of creating a secure software supply chain. Today, developers rely on millions of third party and open source building blocks – known as components – to build up to 90% of a typical application. These components are downloaded from the internet, without controls, allowing components with known security vulnerabilities and/or licensing risks to be built into newly developed software. And unlike a manufacturing supply chain, these components are not tracked throughout their lifecycle for update or recall. Sonatype uniquely identifies all components and integrates data about known security, license and quality risks into the tools developers use every day, so risky components can be easily avoided and defects repaired early in the development process. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
[1] 2012 Executive Brief: Addressing Security Concerns in Open Source Components, by Sonatype, Inc. and Aspect Security
[2] Sonatype, Inc. analysis of activity in the (Maven) Central Repository
Fulton, MD – April 22, 2014 — Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, continues to find its software in high demand. The company credits this momentum to an increasing awareness of the urgent need to address the risks associated with flawed open source components being used in millions of mission-critical software applications.
SAN FRANCISCO, CA – February 24, 2014 — Sonatype, the software company that enables developers to rapidly build secure software while also eliminating compliance and licensing risk, today announced that its component lifecycle management (CLM) analysis technology has been integrated with HP’s cloud-based software security solution – HP Fortify on Demand.
In today’s IT environment, companies struggle to ensure that all software applications are sufficiently assessed for potential security vulnerabilities introduced by relying on third party and open-source components. For example, one typical enterprise application alone can be composed of up to 90 percent third party and open source building blocks. These reusable components allow for improved speed, efficiency and innovation. However, relying on these open-source components without proper insight and governance can leave organizations vulnerable to crippling security attacks, licensing liability, and compliance exposure.
As part of the integration, Sonatype provides component analysis that identifies the third party and open-source components commonly used as building blocks in modern applications. HP Fortify on Demand delivers comprehensive, accurate and affordable software analysis that identifies security vulnerabilities in any application – web, mobile, infrastructure or cloud. Together, these capabilities make for a more complete software security solution by reducing an enterprise’s exposure to risk caused by the rapid adoption of open-source software components.
“Given the dramatic shift to component-driven software development, there is an urgent need to address open source component usage,” said Wayne Jackson, CEO, Sonatype. “In combining HP Fortify on Demand’s ability to identify custom software risks with Sonatype’s ability to identify 3rd party and open source software risks, companies are able to achieve unprecedented application security.”
Existing HP Fortify on Demand customers can now leverage the Sonatype CLM analysis technology to create a ‘bill of materials’ listing all components used in an application, identify which components have known vulnerabilities or license risk, and prioritize remediation.
“While open source enables organizations to reduce the time and resources needed to develop enterprise software solutions, these components can expose those offerings to unseen vulnerabilities,” said Jason Schmitt, director of product management, Fortify, HP. “HP Fortify on Demand integrates the open-source analysis capabilities of Sonatype to give customers peace of mind that their open-source based applications are secure.”
With automated governance, monitoring, and alerts, Sonatype Component Lifecycle Management allows enterprises to accurately identify flawed components and proactively fix these components throughout the software development lifecycle. Five of the world’s largest banks, multiple multinational corporations, and several of the United States’ largest government agencies have recently enlisted Sonatype to assist them in addressing what is, for many, an application security crisis.
Sonatype’s software protects the world’s enterprise software applications from security, compliance, and licensing risks, while reducing application development and deployment time. Every day, millions of developers build software applications from open source building blocks, known as components. Customers rely on Sonatype software to select and use the best components from the start of the development lifecycle so that trustworthy applications can also meet release deadlines. Policy automation, ongoing monitoring, and proactive alerts ensure these applications remain secure over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: www.sonatype.com
Fulton, Md. – Jan. 29, 2014 — Sonatype, the software company that enables developers to rapidly build secure software while also eliminating compliance and licensing risk, today released a new version of its Component Lifecycle Management (CLM) software.