Devopscom News Source

A True Story: DevOps(Sec) Manages Out Elective Risks

Bill boosted developer productivity by 15% last year after taking a closer look at the company's software supply chain. And this approach isn't unique to Bill's organization. Many high performance IT and DevOps teams are adopting proven supply chain principles to accelerate software delivery.

more

Sonatype’s Nexus Repository Manager Installs Double in Last 18 Months, Reinforcing Dominant Market Share Position

Fulton, MD – February 26, 2015 – Sonatype, the Nexus company and a continuous delivery leader, today announced that its Nexus repository manager usage has doubled in the last 18 months (July 2013 to February 2015.) With five times more installs than any other repository manager, Nexus continues to be the industry standard for accelerating continuous software delivery and DevOps.

more

Growing Open Source Use Heightens Enterprise Security Risks

Companies often have little clue about the extent of third-party code in the enterprise or the risks it poses, security experts say. The data breaches disclosed earlier this month at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it. The breaches were another reminder of how flaws in third-party software can sometimes cause major headaches for companies that are not prepared for them.

more

How secure are your open source-based systems?

The use of open source in federal systems is attracting scrutiny. In December, House Committee on Foreign Affairs Chairman Ed Royce (R-Calif.) and Rep. Lynn Jenkins (R-Kan.) introduced the Cyber Supply Chain and Transparency Act of 2014 (H.R. 5793) that would have required any supplier of software to the federal government to identify which third-party and open source components are used and verify that they do not include known vulnerabilities for which a less vulnerable alternative is available. One way to check if your systems are comprised is with an Application Health Check that provides a free breakdown of every component in an application and alerts IT managers to potential security and licensing problems.

more

US Congress Intervenes to Address Cyber Security Crisis with Software Supply Chain Focus; Sonatype Introduces Free Application Health Check to Support Government Agencies and Software Providers

Fulton, MD – December 10, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a free Application Health Check to immediately alert federal agencies and software suppliers about known vulnerable open source components and where they exist within an application.

more

Sonatype CTO Honored as Thought Leader

The most popular phrase to come out of the Spider-Man stories—“With great power, comes great responsibility”—hit close to home for Joshua Corman, CTO at Sonatype, who longed to be a superhero at a young age, but settled for being a protector in the IT security world. Corman believes that great power comes from protecting technology. Exposed to technologies at a young age by his father—whom he cites as an inspiration—Corman's interest grew into a successful career where he is considered a respected innovator.

more

Sonatype’s New Software Release Determines OSS Risk and Provides Immediate Path to Resolution

Fulton, MD – November 17, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a new version of its Component Lifecycle Management (CLM) software. An industry first, developers can now avoid security risks without missing business-critical delivery deadlines.

more

Sonatype aims to help developers reduce risk from open-source components

Software developers use a large number of open-source components, often oblivious to the security risks they introduce or the vulnerabilities that are later discovered in them.

Sonatype, a company that helps developers manage open-source components across different applications, attempts to solve this long-standing problem with a new version of its Component Lifecycle Management (CLM) product, released Friday.

more

Nexus Live: October 9, 2014 1:00pm EDT, TheNEXUS Community Sneak Peak

On-Demand Recording

During the October 2014 broadcast of Nexus Live we were able to catch up with Gene Kim and Josh Corman to find out what’s in store for the DevOps Enterprise Summit in the Bay Area at the end of the month. We also took a quick look at TheNEXUS, the new community site for Nexus, Nexus Pro and CLM. Take a look.

more

Sonatype Brings NuGet Component Management to .NET Developer Community

Fulton, MD – October 1, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today announced free NuGet package support through its open source component manager – Nexus OSS. As developers are consuming an ever-increasing number of open source components -- now approaching 250 million downloads annually – the .NET community is seeking to improve build performance and stability through the use of component managers. This trend mirrors the evolution in the Java development environments where there are 13 billion open source component download requests managed annually. More than 40,000 organizations and teams seeking to improve their open source development performance and security have turned to Sonatype’s Nexus component managers -- all of which can now leverage available NuGet support.

more

Fixing HealthCare.gov security

In a report released Tuesday, the Government Accountability Office found problems in the "technical controls protecting the confidentiality, integrity and availability" of the federally facilitated marketplace (FFM), which is the area of the site to buy health insurance.

more
Sonatype Webinar

Webinar: Ban Avoidable Risk and Rework on Open Source Components: Featuring Customer Story

On-Demand Recording

It's time we Raise the B.A.R.R to "Ban Avoidable Risk and Rework" and STOP using components with known vulnerabilities in our software and START building transparency and traceability of all open source components used. In this webcast, Nigel Simpson, Director of Architecture in the Media and Entertainment industry helps us learn strategies to improve governance and reduce risk by engaging developers early in the process. View this on-demand recording.

more
Sonatype Webinar

ISSA Webinar: What's in your Software? Identifying Open Source Vulnerabilities

On-Demand Recording

New software enters our security ecosystems daily. When we evaluate the software we look for vulnerabilities in the product. Of course we run functional tests, or break out our favorite scanner, to see if there is embedded malware or dangerous deployment requirements, or even bugs in the program. When done, it gets deployed. What happens after deployment is important, but also gets missed. Of course we will catch new vulnerabilities that are directly related to the product, but what about vulnerabilities in the third party components included in the product? Recently this point was driven home by the numerous vulnerabilities in OpenSSL. This panel will leverage the insight from seasoned industry leaders as we hear their thoughts and reactions to Heartbleed.

more
Sonatype Webinar

Webinar: See the Sonatype Product Roadmap Revealed

On-Demand Recording

For years, development teams and now security professionals have looked to Sonatype for better management of open source and third party components across the software supply chain. Watch our live product roadmap discussion to learn more about our commitment to helping you achieve real business value from your enterprise applications more quickly - with efficiency, quality and security addressed across the software lifecycle. See how with new product advancements for more component languages, a consolidated risk management dashboard and expanded integration points across the SDLC can bring your organization enterprise-class component management to your development operations.

more

Hackers breach security at Healthcare.gov

Hackers breached security at the website of the government’s health insurance marketplace, HealthCare.gov, but did not steal any personal information on consumers, Obama administration officials said Thursday.

more

Almost Too Big to Fail

Both dependence on open source and adversary activity around open source are widespread and growing, but the dynamic pattern of use requires new means to estimate if not bound the security implications. In April and May 2014, every security writer has talked about whether it is indeed true that with enough eyeballs, all bugs are shallow. We won't revisit that topic because there may be no minds left to change.

more

Old Apache Code at Root of Android FakeID Mess

A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security.

more

Over 370 Organizations Report Confirmed or Suspected Open Source Breaches in Past 12 Months According to Sonatype Survey

FULTON, MD (July 22, 2014) – Three out of four organizations that build software applications either have failed to adopt policies to prevent the use of vulnerable software components or have neglected to ban even a single component to enforce existing policies, according to a new survey. In the survey 3 out of 10 respondents actually admitted they either had or suspect a breach was caused by an open source component within the last twelve months.

more

5 big security mistakes coders make

Hacks make headlines. But usually, the focus is on who did it – notorious cyber criminals, hacktivists, or state-sponsored actors. Readers want to know who they are, where they're from, what they did, and why they did it. Howthey did it gets glossed over.

In fact, the "how" is the most important part – and application vulnerabilities are common culprits. What's number one on the list? Trusting third-party code that can't be trusted.

more

Researchers Track Spread of Security Flaws in Software Libraries

More than 200 software products rely on a flawed OpenSSL component, which exposed users to attack until vendors patched the software. The well-known incident highlights the trouble with security vulnerabilities in popular infrastructure software, frameworks and libraries, including popular software components—including LibPNG, used by more than 130 popular software products, and FreeType, used in more than 30 applications.

more
Sonatype Webinar

Webinar: Open Source Development and Application Security Survey: The Results are In!

On-Demand Recording

Over 3,300 participated! The final results of our 4th Annual Open Source and Application Security Survey are in. Adrian Lane from Securosis and Brian Fox from Sonatype provide a detailed breakdown of the findings from a developer and an application security perspective. They discuss policies, practices, and breaches as well as how organizations can use these results to create constructive conversations to feed their open source security management practices.

more

Dept. of Homeland Security tools aimed at Heartbleed-like security evils

The Department of Homeland Security (DHS) has launched a Web portal aimed at assisting software developers in vetting their code for weaknesses hackers can exploit. The DHS calls this portal the Software Assurance Marketplace, or SWAMP for short. It's not a marketplace' in the sense that money is changing hands for products and services, but rather more a place to share tools, techniques and information.

more

Awards

Codie INC 500 Red Herring SD Times NVTC RSA Gartner