Old Apache Code at Root of Android FakeID Mess

A four-year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security.


Over 370 Organizations Report Confirmed or Suspected Open Source Breaches in Past 12 Months According to Sonatype Survey

FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey. In the survey 3 out of 10 respondents actually admitted they either had or suspect a breach was caused by an open source component within the last twelve months.


5 big security mistakes coders make

Hacks make headlines. But usually, the focus is on who did it – notorious cyber criminals, hacktivists, or state-sponsored actors. Readers want to know who they are, where they're from, what they did, and why they did it. How they did it gets glossed over.

In fact, the "how" is the most important part – and application vulnerabilities are common culprits. What's number one on the list? Trusting third-party code that can't be trusted.


HP Protect

Date: September 8-11, 2014

No one knows more about security flaws than bad guys. They trade secrets day and night with a single-minded purpose: winning. Your applications, information, networks, and online payments are all at risk.


Researchers Track Spread of Security Flaws in Software Libraries

More than 200 software products rely on a flawed OpenSSL component, which exposed users to attack until vendors patched the software. The well-known incident highlights the trouble with security vulnerabilities in popular infrastructure software, frameworks and libraries, including widely used components such as LibPNG, used by more than 130 popular software products, and FreeType, used in more than 30 applications.


Gartner Security & Risk Management Summit EMEA 2014

Date: September 8 - 9, 2014
Location: London

Visit Sonatype at the Gartner Security & Risk Management Summit in London to learn more about how Component Lifecycle Management allows enterprises to accurately identify flawed open source components and proactively fix these components through the software development lifecycle.


Webinar: Open Source Development and Application Security Survey: The Results are In!

Over 3,300 participated! The final results of our 4th Annual Open Source and Application Security Survey are in. Adrian Lane from Securosis and Brian Fox from Sonatype provide a detailed breakdown of the findings from a developer and an application security perspective. They discuss policies, practices, and breaches as well as how organizations can use these results to create constructive conversations to feed their open source security management practices.


Dept. of Homeland Security tools aimed at Heartbleed-like security evils

The Department of Homeland Security (DHS) has launched a Web portal aimed at assisting software developers in vetting their code for weaknesses hackers can exploit. The DHS calls this portal the Software Assurance Marketplace, or SWAMP for short. It's not a 'marketplace' in the sense that money is changing hands for products and services, but rather more a place to share tools, techniques and information.


US hacking victims fell prey to mundane ruses

The hacking techniques the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking website links.


RSA Webinar: Software Liability?: The Worst Possible Idea (Except for all Others)

On-Demand Recording: Streamed Thursday, May 29, 2014

While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?


Event: Java One 2014

Date: September 28 – October 2, 2014
Location: San Francisco, CA

Join us and the worldwide Java developer community at the largest Java-based conference of the year. Java One is a must-attend conference where practitioners come to learn how they can build next generation applications using Java.


Event: Appsec USA 2014

Date: September 16-19, 2014
Location: Denver, CO

Join us at Appsec USA, the world-class software security conference held in a high-energy atmosphere in downtown Denver. Appsec is a conference for developers, auditors, risk managers, technologists and entrepreneurs interested in sharing industry best practices.


Here’s The Surprising Interview Question One CEO Always Asks

To figure out if job candidates have what it takes to survive in today's cutthroat work environment, Wayne Jackson, chief executive of the software security firm Sonatype, asks the following: "Can you tell me about a time when you almost gave up, how you felt about that, and what you did instead of giving up?"


80 Percent of the Largest US and European Banks Deploy Sonatype to Address Growing Software Security Threat

Fulton, MD – April 22, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, continues to find its software in high demand. The company credits this momentum to an increasing awareness of the urgent need to address the risks associated with flawed open source components being used in millions of mission-critical software applications.


Webinar: Lessons Learned from Heartbleed, Struts and the Neglected 90%

On-Demand Recording: Streamed May 1st, 2014

Watch this insightful and witty discussion between two old pals, Wendy Nather, Security Research Director at 451 Research, and Josh Corman, CTO at Sonatype, on the state of application security today. They share their perspectives on the changing landscape of application development and how this is impacting common application security approaches. They agree the dramatic shift from source code to component-based development has created an open source security gap. With component vulnerabilities becoming national news – Heartbleed, Struts and the promise of more to come – now is the time to address this growing security gap.


Who's to blame for 'catastrophic' Heartbleed Bug?

The Heartbleed Bug, basically a flaw in OpenSSL that would let savvy attackers eavesdrop on Web, e-mail and some VPN communications that use OpenSSL, has sent companies scurrying to patch servers and change digital encryption certificates and users to change their passwords. But who's to blame for this flaw in the open-source protocol that some say also could impact routers and even mobile devices as well?


After Heartbleed Bug, A Race to Plug Internet Hole

Popular websites and millions of Internet users scrambled to update software and change passwords Wednesday, after a security bug in crucial encryption code was disclosed sooner than researchers had planned.

Facebook Inc. and Yahoo Inc.'s blogging site Tumblr advised users to change their passwords because of the so-called Heartbleed bug. Canada's tax agency shut its filing website as a precaution, weeks before its April 30 filing deadline.

Websites for Airbnb Inc., the Four Seasons hotel chain and Netflix Inc. were vulnerable for a time, said Wayne Jackson, CEO of Sonatype Inc., which manages open-source software. Airbnb and Netflix said they had updated their software. Four Seasons didn't immediately respond to a request for comment.

Sonatype Press Release

Heartbleed bug. What you need to know.

Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web – the one that keeps your email, banking, shopping, passwords and communications private.


Sonatype And HP Integrate To Secure Cloud Components

Software development is increasingly being typified by a componentized approach. A single application might consist of code and component modules from a multitude of different sources. While this increases agility and allows developers to truly utilize best of breed aspects of the application, it also creates a minefield of security issues.


Sonatype Adds 3rd Party & Open Source Component Visibility to HP Fortify on Demand

SAN FRANCISCO, CA – February 24, 2014 – Sonatype, the software company that enables developers to rapidly build secure software while also eliminating compliance and licensing risk, today announced that its component lifecycle management (CLM) analysis technology has been integrated with HP’s cloud-based software security solution – HP Fortify on Demand.


Awards

Codie, INC 500, Red Herring, SD Times, NVTC, RSA, Gartner