When Good Code Goes Bad

Milk spoils. Iron rusts. And software goes bad. Yet the difference is, with the first two, you know the change has occurred. With software, those changes are not always obvious. Unlike other industries that rely on supply from other organizations, software development has no clear way to understand when an open source or proprietary component 'part' is found to be defective.

Sonatype Webinar

Continuous Acceleration with a Software Supply Chain Approach

On-Demand Recording

Join Gene Kim, CTO, researcher and author of the best-selling book “The Phoenix Project” and Josh Corman, Sonatype CTO and co-founder of Rugged Software as they discuss how high performing organizations are applying proven supply chain principles to accelerate software delivery.

Sonatype Webinar

Strengthen Cyber Resilience with Software Supply Chain Visibility

On-Demand Recording

Our dependence on software continues to grow, powering some of our nation’s most critical infrastructure. To secure our cyber assets, we need to apply high standards to our software suppliers as well as the third party parts built into our software. Join the discussion on how open source and component-based development is driving the need for a software supply chain. Learn techniques and technologies used to vet software suppliers and known vulnerable components. Watch the on-demand recording.

Sonatype Webinar

Accelerating Continuous Delivery by Improving NuGet Component Management

On-Demand Recording

Use of a repository manager in continuous delivery environments is shown to reduce build times 20-fold compared to relying on public open source repositories like the NuGet Gallery. By relying on a local caching proxy for the NuGet Gallery and hosting your own proprietary NuGet packages locally, you can dramatically improve build speed and reliability. In this session, we also show how a repository manager that integrates with NuGet helps .NET developers manage component versions, dependencies and license types using proxy facilities to ensure a continuous flow of development and faster cycle times.

GOTO London 2015

Date: September 16-18, 2015
Location: London, UK

Sonatype CTO Josh Corman will be presenting at GOTO London

BSides Las Vegas

Date: August 4-5, 2015
Location: Las Vegas, NV

Sonatype CTO Josh Corman will be presenting at BSides Las Vegas

HP Protect 2015

Date: September 1-4, 2015
Location: Gaylord National Resort and Convention Center, National Harbor, MD

Sonatype's Derek Weeks will be presenting at HP Protect

DevOps Days

Agile Alliance 2015

Date: August 3-7, 2015
Location: Washington DC

Speaker Mark Kilby will be presenting two sessions at Agile Alliance 2015

Sonatype Listed in CIO's Top 20 Most Promising DevOps Solution Providers in 2015

Sonatype has been chosen as one of CIO Magazine's top 20 most promising DevOps solution providers for their innovative work with software supply chain automation. The manufacturing industry was transformed with three basic principles. Use fewer and better suppliers, use higher quality parts, and track what is used and where. Sonatype uses automation to apply these principles across the software development lifecycle so organizations can reduce complexity, inefficiency, unplanned rework and risk.

“What Toyota did for the automotive supply chain is what Sonatype is doing today for the software supply chain,” said Wayne Jackson, CEO, Sonatype. “Sonatype’s Nexus software platform is revolutionizing the distribution, automation, and integration of components used across the software supply chain by eliminating complexity and making continuous delivery and DevOps practices even faster.”

Sonatype Webinar

Carahsoft and Sonatype Partnership Kickoff Webcast: Public Sector Software Development

On-Demand Recording

As usage of Open Source Software increases in the public sector and in mission-critical applications, it is important to continually secure the supply chain and select the safest components available. View this webinar to see how Sonatype's Nexus Lifecycle product helps you quickly and proactively find and replace flawed open source components in your software ecosystem and achieve comprehensive and lasting governance across the entire software supply chain. View the on-demand recording.

Sonatype Webinar

Inside the Sonatype Engineering Team - The Tooling

On-Demand Recording

Learn how our completely remote workforce leverages agile techniques and tooling such as JIRA, GitHub, HipChat and Nexus Pro+ to plan and deliver new product capabilities in two week sprints. View the on-demand recording.

Sonatype Webinar

Inside the Sonatype Engineering Team - The Process

On-Demand Recording

Learn how our remote workforce works together leveraging a tool chain of Ansible, AWS, Bamboo, Docker and Nexus Lifecycle to build, release and operate our products and infrastructure. View the on-demand recording.

Programmers are copying security flaws into your software, researchers warn

It's easy to assume that hackers work way above our pay grade. Electronic intruders must be able to exploit vulnerabilities in the software we use because they're evil geniuses, right? That may be the case in some very sophisticated attacks, experts say, but in others, not so much. Programmers -- the people who create the software -- don't write all their code from scratch, instead borrowing freely from others' work. The problem: they're not vetting the code for security problems.

Study of 106,000 Software Development Organizations Reveals That The Way the World Creates Software is Broken

23% of the Components in the Average Software Application Contain Known Vulnerabilities

FULTON, Md., June 17, 2015 /PRNewswire/ -- Sonatype today released the results of an extensive study of the software development practices of 106,000 organizations representing 17 billion requests for open source and third party software components from the Central Repository in 2014 alone. The study revealed that the way the world creates software is broken – with 23% of the components in the average software application containing known vulnerabilities.

Software Applications Have on Average 24 Vulnerabilities Inherited from Buggy Components

Many commercial software companies and enterprise in-house developers are churning out applications that are insecure by design due to the rapid and often uncontrolled use of open-source components. Even worse, these software makers wouldn’t be able to tell which of their applications are affected by a known component flaw even if they wanted to, because of poor inventory practices. There’s a supply chain discipline to how companies from the various manufacturing industries source their components and track where they use them that the software development industry has not yet embraced, said Joshua Corman, Sonatype’s CTO.

Sonatype Webinar

Webinar: New Research Reveals 24 Vulnerabilities in the Average Application

On-Demand Recording

Gain new insights on how to deliver higher quality software even faster -- with less unplanned, unscheduled rework. If you are using open source components as part of development you may be unknowingly sabotaging your efforts by introducing known vulnerabilities – shockingly there are 24 vulnerabilities in the average application. Hear the results of an extensive analysis of open source usage across 106,000 development organizations. We’ll be drawing analogies between modern software development and traditional manufacturing supply chains, focusing on proven steps to improve speed, efficiency and quality. Watch the on-demand recording.

Sonatype Facilitates DevOps Approach to App Dev

Applications are rarely built from scratch today, but rather tend to leverage myriad tools and libraries as organizations increasingly move to a rapid deployment DevOps style of IT. "We're unifying our combination of solutions as a platform, so that organizations can get the full perspective on how software is built," Wayne Jackson, Sonatype's CEO, told Enterprise Apps Today. "It's a full-on embrace of the role that supply chain concepts play in the context of DevOps."

Learning by Example: What software developers can learn from Toyota about supply chains.

Software developers can learn a lot from the example of car manufacturing. Both stand to benefit from reducing the complexity in their supply chains and gaining more control over the parts they use. The software supply chain is growing increasingly complicated, and with that complexity comes challenges. As complexity continues to grow, software supply chain automation will usher in a new era for application development efficiency that drives increases in innovation, productivity, cost savings, and control over risk.

DevOps.com News Source

Security, DevOps and the shift to a software supply chain

Josh Corman, Sonatype CTO, and Gene Kim, author of The Phoenix Project, believe that the ultimate Zen state to strive for in software delivery is a “software supply chain. This makes you even faster than DevOps, even more efficient and with higher quality and risk mitigation without tradeoffs.” The idea of the software supply chain further builds on the lean manufacturing principles of W. Edwards Deming, whom many in the Agile and DevOps worlds see as the spiritual grandfather of these movements.

DevOps.com News Source

A True Story: DevOps(Sec) Manages Out Elective Risks

Bill boosted developer productivity by 15% last year after taking a closer look at the company's software supply chain. And this approach isn't unique to Bill's organization. Many high performance IT and DevOps teams are adopting proven supply chain principles to accelerate software delivery.

Jenkins User Conference Santa Clara

Date: September 2-3, 2015
Location: Santa Clara Convention Center

The world’s biggest conference for Jenkins users, by Jenkins users. Come learn how to optimize Jenkins across the software delivery process! Sonatype is proud to be a platinum sponsor for the event.

Sonatype’s Nexus Repository Manager Installs Double in Last 18 Months, Reinforcing Dominant Market Share Position

Fulton, MD – February 26, 2015 – Sonatype, the Nexus company and a continuous delivery leader, today announced that its Nexus repository manager usage has doubled in the last 18 months (July 2013 to February 2015). With five times more installs than any other repository manager, Nexus continues to be the industry standard for accelerating continuous software delivery and DevOps.

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say. The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it. The breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

How secure are your open source-based systems?

The use of open source in federal systems is attracting scrutiny. In December, House Committee on Foreign Affairs Chairman Ed Royce (R-Calif.) and Rep. Lynn Jenkins (R-Kan.) introduced the Cyber Supply Chain and Transparency Act of 2014 (H.R. 5793), which would have required any supplier of software to the federal government to identify which third-party and open source components are used and to verify that they do not include known vulnerabilities for which a less vulnerable alternative is available. One way to check whether your systems are compromised is with an Application Health Check, which provides a free breakdown of every component in an application and alerts IT managers to potential security and licensing problems.

US Congress Intervenes to Address Cyber Security Crisis with Software Supply Chain Focus; Sonatype Introduces Free Application Health Check to Support Government Agencies and Software Providers

Fulton, MD – December 10, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.

Sonatype CTO Honored as Thought Leader

The most popular phrase to come out of the Spider-Man stories—“With great power, comes great responsibility”—hit close to home for Joshua Corman, CTO at Sonatype, who longed to be a superhero at a young age, but settled for being a protector in the IT security world. Corman believes that great power comes from protecting technology. Exposed to technologies at a young age by his father—whom he cites as an inspiration—Corman's interest grew into a successful career where he is considered a respected innovator.

Awards

Codie, INC 500, Red Herring, SD Times, NVTC, RSA, Gartner