Nexus Live: October 9, 2014 1:00pm EDT, TheNEXUS Community Sneak Peek

On-Demand Recording: Streamed October 9, 2014

During the October 2014 broadcast of Nexus Live we were able to catch up with Gene Kim and Josh Corman to find out what’s in store for the DevOps Enterprise Summit in the Bay Area at the end of the month. We also took a quick look at TheNEXUS, the new community site for Nexus, Nexus Pro and CLM. Take a look.

Øredev Developer Conference

Date: November 4 - 7, 2014
Location: Malmö, Sweden

Øredev was founded in 2005 by Jayway, a company made up of, and focused on, IT specialists. Øredev inherited that company's vision and philosophy.

Øredev's origins and focus lie in the software development process, from programming to project management. The organisers build the event around the idea of quality, for learning, networking and sharing knowledge.

Lascon Panel: 11,000 Voices: Experts Shed Light on 4-Year Open Source & AppSec Survey

Date: October 23 - 24, 2014
Location: Austin, TX - Norris Conference Center

OWASP's 2013 update of its Top 10 list added A9, "Using Components with Known Vulnerabilities." The entry was added as OWASP came to recognise that around 90% of a typical application is assembled from open source components. In this session, our panel of senior application security experts will present and discuss the results of a four-year, industry-wide study of application security practices, policies and trends in the open source development community.

All Things Open

Date: October 22 - 23, 2014
Location: Raleigh, NC - Raleigh Convention Center

Join the world’s top developers, technologists and decision makers as we explore open source, open tech and the open web in the enterprise. Two days of keynotes, talks, tutorials, workshops and networking opportunities in Raleigh and the Research Triangle area.

Enterprise Open Source & Lifecycle Management

Date: Tuesday, October 14, 2014, 17:00 to 19:00 CEST
Location: Amsterdam, NL

This is an opportunity to meet with the innovators from Sonatype, the leaders in Component Lifecycle Management and consultants from illume, specialists in Application Lifecycle Management, to discuss the challenges you are facing with respect to software development and learn about possible solutions from your hosts or fellow participants.

LISA USENIX

Date: November 9 - 14, 2014
Location: Seattle, WA

The LISA14 program recognizes the overlap and differences between traditional and modern IT operations and engineering, and has developed a highly-curated program around 5 key topics: Systems Engineering, Security, Culture, DevOps, and Monitoring/Metrics. Join us at LISA14, where you'll be inspired by forward-thinking ideas and gain practical skills and takeaways for the office.

DevOps Enterprise Summit

Date: October 21 - 23, 2014
Location: San Francisco, CA - San Francisco Airport Marriott Waterfront

DevOps Enterprise is THE event for people who are bringing Lean principles into the IT value stream while building DevOps and Continuous Delivery into their organization. Join us for an incredible three-day event with the best practitioners from large and complex organizations across all industry verticals. The line-up includes keynotes from industry luminaries and speakers from well-known enterprises who will share their enterprise DevOps initiatives. On the third day, the emphasis shifts to parallel tracks focused on technology, process and culture.

NH-ISAC

Date: December 3 - 4, 2014
Location: San Francisco, CA at the Holiday Inn Golden Gateway

The security threat landscape continues to expand globally at an incredible pace, creating an environment in which impacts can cascade within a sector and across sectors. The resilience of the nation's health sector, a vast network of inter-connecting sector and cross-sector infrastructures, depends on improving the ability to prepare for and respond to threats and vulnerabilities. Join us at the NH-ISAC to combine the trusted community's experience and expertise with new ideas for cybersecurity resilience, including demonstrations of security technology in the healthcare industry.

Southern Fried Agile

Date: October 23, 2014
Location: Charlotte, NC at the Sheraton in Charlotte

This year we’re expecting 400 to 600 people at Southern Fried Agile, all IT and business professionals who are passionate about and interested in Agile values and principles. Hope to see you there.

Sonatype Brings NuGet Component Management to .NET Developer Community

Fulton, MD – October 1, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today announced free NuGet package support through its open source component manager – Nexus OSS. As developers are consuming an ever-increasing number of open source components -- now approaching 250 million downloads annually – the .NET community is seeking to improve build performance and stability through the use of component managers. This trend mirrors the evolution in the Java development environments where there are 13 billion open source component download requests managed annually. More than 40,000 organizations and teams seeking to improve their open source development performance and security have turned to Sonatype’s Nexus component managers -- all of which can now leverage available NuGet support.

Fixing HealthCare.gov security

In a report released Tuesday, the Government Accountability Office found problems in the "technical controls protecting the confidentiality, integrity and availability" of the federally facilitated marketplace (FFM), the part of the site used to buy health insurance.

ISSA Webinar: What's in your Software? Identifying Open Source Vulnerabilities

Date: September 23, 2014
Time: 12:00pm EDT

New software enters our security ecosystems daily. When we evaluate it we look for vulnerabilities in the product: we run functional tests, or break out our favorite scanner, to check for embedded malware, dangerous deployment requirements or plain bugs. Then it gets deployed. What happens after deployment matters too, but is often missed. We will catch new vulnerabilities reported against the product itself, but what about vulnerabilities in the third-party components it includes? The recent run of OpenSSL vulnerabilities drove this point home; most people hear about such a flaw only when the vendor ships an update. What can you do about it? This panel will draw on the insight of seasoned industry leaders as we hear their thoughts.

Webinar: See the Sonatype Product Roadmap Revealed

Original Broadcast Date: September 25, 2014

For years, development teams, and now security professionals, have looked to Sonatype for better management of open source and third-party components across the software supply chain. Watch our live product roadmap discussion to learn more about our commitment to helping you achieve real business value from your enterprise applications more quickly, with efficiency, quality and security addressed across the software lifecycle. See how new product advancements for more component languages, a consolidated risk management dashboard and expanded integration points across the SDLC can bring enterprise-class component management to your development operations.

Hackers breach security at Healthcare.gov

Hackers breached security at the website of the government’s health insurance marketplace, HealthCare.gov, but did not steal any personal information on consumers, Obama administration officials said Thursday.

Old Apache Code at Root of Android FakeID Mess

A four-year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security.

Over 370 Organizations Report Confirmed or Suspected Open Source Breaches in Past 12 Months According to Sonatype Survey

FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey. Three in ten respondents admitted they either had a breach, or suspect one, caused by an open source component within the last twelve months.

5 big security mistakes coders make

Hacks make headlines. But usually, the focus is on who did it: notorious cyber criminals, hacktivists, or state-sponsored actors. Readers want to know who they are, where they're from, what they did, and why they did it. How they did it gets glossed over.

In fact, the "how" is the most important part – and application vulnerabilities are common culprits. What's number one on the list? Trusting third-party code that can't be trusted.

Researchers Track Spread of Security Flaws in Software Libraries

More than 200 software products rely on a flawed OpenSSL component, which exposed users to attack until vendors patched the software. The well-known incident highlights the trouble with security vulnerabilities in popular infrastructure software, frameworks and libraries, among them LibPNG, used by more than 130 popular software products, and FreeType, used in more than 30 applications.
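
The point the ISSA webinar abstract above and this item both make, that one flaw in a shared library reaches every product that bundles it, is only actionable if you can check a component inventory against a known-affected version range. The following is an added example, not code from the page, from Sonatype's products or from the researchers cited; it uses one real entry (CVE-2014-0160, Heartbleed, which affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g) and a constructed inventory in a hypothetical "component version" line format. The version parser handles the pre-1.1.0 OpenSSL letter-suffix scheme, which plain string comparison gets wrong.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    """One known-vulnerable version range for a component."""
    component: str
    cve: str
    first: str     # first affected version, inclusive
    last: str      # last affected version, inclusive
    fixed_in: str


# The only entry is real: CVE-2014-0160 (Heartbleed) affected OpenSSL 1.0.1
# through 1.0.1f and was fixed in 1.0.1g. A real deployment would load such
# ranges from a vulnerability feed; the list is inline so this runs offline.
KNOWN_AFFECTED = [
    AffectedRange("openssl", "CVE-2014-0160", "1.0.1", "1.0.1f", "1.0.1g"),
]

# Constructed sample inventory (not from the page): "component version" per line.
INVENTORY = """\
# constructed example inventory
openssl 1.0.1e
openssl 1.0.1g
libpng 1.6.10
freetype 2.5.3
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(text):
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so versions compare as tuples.

    Pre-1.1.0 OpenSSL releases append a letter for patch releases; the bare
    release sorts before 'a' (1.0.1 < 1.0.1a < 1.0.1f < 1.0.2). Comparing the
    raw strings would get this wrong ('1.0.10' < '1.0.2').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        # Fail loudly: an unparseable version must not be silently treated as safe.
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def parse_inventory(text):
    """Return (component, version) pairs, skipping blank and comment lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        component, version = line.split(None, 1)
        pairs.append((component.lower(), version.strip()))
    return pairs


def is_affected(version, entry):
    """True when version lies within [entry.first, entry.last], inclusive."""
    v = parse_version(version)
    return parse_version(entry.first) <= v <= parse_version(entry.last)


def find_affected(pairs, known=KNOWN_AFFECTED):
    """Match each inventory entry against every known range for that component."""
    findings = []
    for component, version in pairs:
        for entry in known:
            if entry.component == component and is_affected(version, entry):
                findings.append({
                    "component": component,
                    "version": version,
                    "cve": entry.cve,
                    "fixed_in": entry.fixed_in,
                })
    return findings


if __name__ == "__main__":
    for f in find_affected(parse_inventory(INVENTORY)):
        print(f"{f['component']} {f['version']}: {f['cve']} (fixed in {f['fixed_in']})")
```

Run against the constructed inventory, only `openssl 1.0.1e` is reported; `1.0.1g` sits just past the range. Version strings the regex does not recognise raise rather than being skipped, so a build that bundles an oddly labelled library surfaces as a parse failure instead of a silent pass.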

Webinar: Open Source Development and Application Security Survey: The Results are In!

Over 3,300 participated! The final results of our 4th Annual Open Source and Application Security Survey are in. Adrian Lane from Securosis and Brian Fox from Sonatype provide a detailed breakdown of the findings from a developer and an application security perspective. They discuss policies, practices, and breaches as well as how organizations can use these results to create constructive conversations to feed their open source security management practices.

Dept. of Homeland Security tools aimed at Heartbleed-like security evils

The Department of Homeland Security (DHS) has launched a Web portal aimed at assisting software developers in vetting their code for weaknesses hackers can exploit. The DHS calls this portal the Software Assurance Marketplace, or SWAMP for short. It's not a 'marketplace' in the sense that money changes hands for products and services, but rather a place to share tools, techniques and information.

US hacking victims fell prey to mundane ruses

The hacking techniques the U.S. government says China used against American companies turned out to be disappointingly mundane, tricking employees into opening email attachments or clicking on innocent-looking website links.

RSA Webinar: Software Liability?: The Worst Possible Idea (Except for all Others)

On-Demand Recording: Streamed Thursday, May 29, 2014

While many had hoped that market competition would drive security improvements, customers are forced to accept software as is, with no alternative. Software runs our critical infrastructure, cars and medical devices and is part of our daily lives, including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

Here’s The Surprising Interview Question One CEO Always Asks

To figure out if job candidates have what it takes to survive in today's cutthroat work environment, Wayne Jackson, chief executive of the software security firm Sonatype, asks the following: "Can you tell me about a time when you almost gave up, how you felt about that, and what you did instead of giving up?"

Awards

Codie, INC 500, Red Herring, SD Times, NVTC, RSA, Gartner