Whitepapers

2015 State of the Software Supply Chain Report: Hidden Speed Bumps on the Road to "Continuous"

If your company develops software, you’re likely consuming thousands of open source and proprietary components. Although your aim is to produce the highest-quality software in the most efficient way, a closer look at the statistics shows a potentially different story. By understanding the software supply chain operating—largely hidden—at the core of your operations, you can more easily make small changes that yield dramatic gains.

Software Supply Chain Automation: Going Beyond Agile, Lean and DevOps

This white paper highlights similarities between automobile manufacturing and software development, with compelling information about how supply chain best practices could solve many common development issues, especially those relating to managing the flow of components into and through an organization.

451 Research: Securing the Open Source Software Supply Chain with Sonatype

The purpose of Sonatype's CLM platform is to get out of the way of agile developers and let them do their thing, while at the same time keeping track of the versions, vulnerabilities and licensing of the open source components they're using.

White Paper: Benefits of a Repository Manager

This paper outlines how the use of a repository manager enables development teams to reduce build times, improve control, and increase collaboration.

White Paper: Introduction to Repository Management

This document defines repository and repository management, providing context for developers interested in learning how to use Nexus Professional to achieve a more efficient development cycle.

Successful Agile Development Efforts Require Automated “Golden” Policies

While the repository manager remains a foundation for component management, a new approach is needed to ensure that developers deliver trusted applications: one that leverages automated policies and provides guidance and enforcement throughout the entire software lifecycle. In short, you need a golden policy approach, not a golden repository.

Introduction to CLM: How to Improve Productivity while Minimizing Risk in Open Source Application Development

The average software application today is 80 percent open source components downloaded from shared repositories, yet most of today’s application security tools are designed for custom source code. This gap leaves most application code vulnerable to security threats, licensing issues and performance defects. Understand how Component Lifecycle Management addresses this problem in refreshing new ways.

Executive Brief: Addressing Security Concerns in Open Source Components

This executive brief summarizes the findings of an independent and comprehensive security review of the 31 most commonly used open source components and provides practical guidance and best practices for addressing security risks.

7 Security Gaps in the Neglected 90% of your Applications

Growing component usage, coupled with a lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing these security gaps.

Lawyers and Licenses in Open Source-based Development: How to Protect Your Software & Your Sanity

You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.

451 Research: Is open source the new sexy? Sonatype on the catwalk

With the realization that as much as 90% of new software written today is assembled from open source components, enterprises are turning to inspection to figure out their risk. Sonatype is in a good position to take advantage of this rising awareness with its repo manager and component lifecycle management offerings.

Securosis: 2014 Open Source Development and Application Security Survey Analysis

This year, security analyst firm Securosis added their perspective to the always eye-opening results of the yearly Sonatype Open Source Development survey. See what they had to say about the impact of open source development on overall application security.

Snippets, Scans and Snap Decisions: How Component Identification Methods Impact the Efficiency of Open Source Risk Management

For the most part, modern software is assembled, not written. More than 90 percent of a typical software application consists of third party components, most of which are open source. Custom business logic makes up the remaining 10 percent. This massive reliance on open source components has created new challenges for managing software security, quality and intellectual property. Organizations that rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit. But to properly manage open source components, you must know as much as possible about them—starting with precisely identifying them. Security, quality and licensing information is of little use if you haven't precisely identified the component you are using. And, without both accurate and actionable component information, developers are not able to make the right component selection from the start. This paper addresses the pros and cons of various methods used in open source risk management/governance/logistics solutions and how they impact your efficiency and accuracy.

New FS-ISAC Guidelines Name Sonatype as a Preferred Third Party Vendor

Sonatype has been selected as a preferred vendor for 'Control Type 3 Policy Management and Enforcement for Consumption of Open Source Libraries and Components' as part of the Financial Services ISAC guidelines.

On the Radar: Sonatype

OVUM shares views on Sonatype’s products and vision, especially relating to Component Lifecycle Management (CLM).

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

In 2013, the Open Web Application Security Project (OWASP) Top Ten was updated to include “A9: Using Components with Known Vulnerabilities.” This paper explains this new threat, with practical ideas for reducing risk from open source components, which now comprise 80% of an average application.

Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance

Recent revisions to the Payment Card Industry (PCI) guidelines now require organizations to address potential vulnerabilities caused by use of open source components in their applications.

Sonatype's CLM "Hybrid SaaS" Architecture: Combining the Benefits of SaaS and On Premise

Discover how Sonatype's Component Lifecycle Management (CLM) solution is architected to utilize the advantages of the cloud and on-premise deployment.

White Paper: Stages of Adoption for Repository Managers

This document outlines the stages of adoption and provides organizations with a roadmap for adopting best practices in repository management at each phase.