Whitepapers

451 Research: Sonatype Embraces Security in DevOps

Sonatype is responding to the intersection of DevOps (faster, more agile software releases and more efficient infrastructure management) and security, an area where it has long focused on repository management and code assurance. Sonatype is also applying Deming's supply-chain principles to boost developer productivity and speed while reducing security issues and risk. The company's latest software aims to provide visibility into software development and release cycles, and to help organizations act on the data collected by its Nexus software supply-chain-automation products. Learn more.

The Seven Habits of Rugged DevOps, by Forrester Research

The 'seven habits' enable DevOps, legal and risk teams to accomplish more together than alone to deliver security at DevOps speed. In this Forrester Research report, Forrester explains that 'When DevOps folks have done everything and yet are no longer accelerating, they will realize that to get to an even faster gear will require rugged software supply chain practices included in the life cycle.' Learn more.

Concepts and Benefits of Repository Management

Since much of today's software is assembled from open source, proprietary or third-party components, many organizations rely on repository management to efficiently source, store, share and deploy these components. The volume and velocity of component parts used in your software development process creates a 'software supply chain', and in that context a repository manager serves as your official parts warehouse. The repository manager can also provide critical insight into component quality, so development teams make better choices up front and avoid downstream technical debt and unplanned, unscheduled work. Learn more.

New FS-ISAC Guidelines Name Sonatype as a Preferred Third Party Vendor

Newly updated for 2015! Sonatype has been selected as a preferred vendor for 'Control Type 3: Policy Management and Enforcement for Consumption of Open Source Libraries and Components' as part of the Financial Services Information Sharing and Analysis Center (FS-ISAC) guidelines.

Nexus Lifecycle Software Supply Chain Automation: How to Get Infosec and Legal Teams Invited to the DevOps Table

With automated discovery, approval and tracking of Free Open Source Software (FOSS) components, InfoSec and legal teams are no longer the bottleneck to development teams. When the selection of better and safer components is auto-adjudicated and continuously tracked and monitored throughout the software development lifecycle, InfoSec and legal teams become first class partners in DevOps efforts. Learn more.

2015 State of the Software Supply Chain Report: Hidden Speed Bumps on the Road to "Continuous"

If your company develops software, you’re likely consuming thousands of open source and proprietary components. Although your aim is to produce the highest-quality software in the most efficient way, a closer look at the statistics shows a potentially different story. By understanding the software supply chain operating—largely hidden—at the core of your operations, you can more easily make small changes that yield dramatic gains.

Software Supply Chain Automation: Going Beyond Agile, Lean and DevOps

This white paper highlights similarities between automobile manufacturing and software development, with compelling information about how supply chain best practices could solve many common development issues, especially those relating to managing the flow of components into and through an organization.

451 Research: Securing the Open Source Software Supply Chain with Sonatype

The purpose of Sonatype's CLM platform is to get out of the way of agile developers and let them do their thing, while at the same time keeping track of the versions, vulnerabilities and licensing of the open source components they're using.

Successful Agile Development Efforts Require Automated “Golden” Policies

While the repository manager remains a foundation for component management, a new approach is needed to ensure that developers deliver trusted applications: one that leverages automated policies and provides guidance and enforcement throughout the entire software lifecycle. In short, you need a golden policy approach, not a golden repository.

Introduction to CLM: How to Improve Productivity while Minimizing Risk in Open Source Application Development

The average software application today is 80 percent composed of open source components downloaded from shared repositories, yet most of today's application security tools are designed for custom source code. This gap leaves most application code exposed to security threats, licensing issues and performance defects. Understand how Component Lifecycle Management addresses this problem in refreshing new ways.

Executive Brief: Addressing Security Concerns in Open Source Components

This executive brief summarizes the findings of an independent and comprehensive security review of the 31 most commonly used open source components and provides practical guidance and best practices for addressing security risks.

7 Security Gaps in the Neglected 90% of your Applications.

The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing these security gaps.

Lawyers and Licenses in Open Source-based Development: How to Protect Your Software & Your Sanity.

You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license can constitute copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding that risk, giving lawyers the confidence they need while giving developers the speed they need.

451 Research: Is open source the new sexy? Sonatype on the catwalk.

With the realization that as much as 90% of new software written today is assembled from open source components, enterprises are turning to inspection to figure out their risk. Sonatype is in a good position to take advantage of this rising awareness with its repo manager and component lifecycle management offerings.

Securosis: 2014 Open Source Development and Application Security Survey Analysis.

This year, security analyst firm Securosis added its perspective to the always eye-opening results of the yearly Sonatype Open Source Development survey. See what it had to say about the impact of open source development on overall application security.

Snippets, Scans and Snap Decisions: How Component Identification Methods Impact the Efficiency of Open Source Risk Management

For the most part, modern software is assembled, not written. More than 90 percent of a typical software application consists of third-party components, most of which are open source; custom business logic makes up the remaining 10 percent. This massive reliance on open source components has created new challenges for managing software security, quality and intellectual property. Organizations that rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit. But to properly manage open source components, you must know as much as possible about them, starting with precisely identifying them. Security, quality and licensing information is of little use if you haven't precisely identified the component you are using, and without both accurate and actionable component information, developers are not able to make the right component selection from the start. This paper addresses the pros and cons of the various identification methods used in open source risk management, governance and logistics solutions, and how they impact your efficiency and accuracy.

On the Radar: Sonatype

Ovum shares views on Sonatype's products and vision, especially relating to Component Lifecycle Management (CLM).

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

In 2013, the Open Web Application Security Project (OWASP) Top Ten was updated to include "A9: Using Components with Known Vulnerabilities." This paper explains this new entry and offers practical ideas for reducing risk from open source components, which now comprise 80% of an average application.
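The two points above, that a component must be identified precisely before any vulnerability or license data about it is useful (the "Snippets, Scans and Snap Decisions" paper) and that known-vulnerable components should be caught by policy (OWASP A9), can be shown together in a small script. This is an added example, not code from Sonatype or from any of the papers listed here: it identifies artifacts by content hash, falls back to a filename heuristic only when the hash is unknown, and blocks anything with an advisory at or above a CVSS threshold. Every component name, hash and advisory record in it is constructed for illustration; none is a real project or CVE.

```python
"""Hash-based component identification with a known-vulnerability policy gate.

Added example. All component coordinates, contents and advisory records are
constructed for illustration and do not correspond to real projects or CVEs.
"""
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Content hash used as the precise identity of a component."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for jar bytes read from disk.
CONTENT_A = b"example-json 1.4.2 (constructed jar contents)"
CONTENT_B = b"example-json 1.5.0 (constructed jar contents)"

# Constructed index: content hash -> (group:artifact, version), the kind of
# catalogue a repository manager or component-intelligence service keeps.
KNOWN_COMPONENTS = {
    sha256_hex(CONTENT_A): ("com.example:example-json", "1.4.2"),
    sha256_hex(CONTENT_B): ("com.example:example-json", "1.5.0"),
}

# Constructed advisories: (group:artifact, version) -> [(advisory id, CVSS)].
ADVISORIES = {
    ("com.example:example-json", "1.4.2"): [("EXAMPLE-ADV-0001", 9.1)],
}

# Filename heuristic: "<name>-<version>.jar". Only a guess, so it is tagged.
NAME_VERSION = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.]*)\.jar$")


@dataclass
class Identification:
    coordinates: str
    version: str
    method: str   # "hash" (exact) or "filename" (heuristic)
    digest: str


@dataclass
class Finding:
    path: str
    ident: Identification
    advisories: list
    blocked: bool


def identify(path: str, data: bytes) -> Identification:
    """Prefer the content hash; fall back to parsing the file name.

    A renamed or repackaged jar keeps its hash, so the hash lookup still
    resolves it. The filename fallback is marked so policy can treat it
    as lower-confidence.
    """
    digest = sha256_hex(data)
    hit = KNOWN_COMPONENTS.get(digest)
    if hit:
        return Identification(hit[0], hit[1], "hash", digest)
    base = path.rsplit("/", 1)[-1]
    m = NAME_VERSION.match(base)
    if m:
        return Identification(m.group("name"), m.group("version"), "filename", digest)
    return Identification(base, "unknown", "filename", digest)


def evaluate(artifacts: dict, cvss_threshold: float = 7.0) -> list:
    """Identify every artifact and block those with a known advisory at or
    above the CVSS threshold: a minimal OWASP A9 policy gate."""
    findings = []
    for path, data in artifacts.items():
        ident = identify(path, data)
        advs = ADVISORIES.get((ident.coordinates, ident.version), [])
        worst = max((score for _, score in advs), default=0.0)
        findings.append(Finding(path, ident, advs, worst >= cvss_threshold))
    return findings


# Constructed build output: the vulnerable 1.4.2 jar appears once under its
# own name and once renamed; a filename-only scanner would miss the second.
SAMPLE_BUILD = {
    "lib/example-json-1.4.2.jar": CONTENT_A,
    "lib/vendor/json-helper.jar": CONTENT_A,
    "lib/example-json-1.5.0.jar": CONTENT_B,
    "lib/unknown-util-2.0.jar": b"not in the catalogue",
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_BUILD):
        state = "BLOCK" if f.blocked else "ok"
        print(f"{state:5} {f.path}: {f.ident.coordinates}@{f.ident.version} "
              f"via {f.ident.method}")
```

Run as-is, the renamed copy of the vulnerable jar is still resolved to version 1.4.2 by its hash and blocked, while the uncatalogued jar is only identified by filename and left unblocked for lack of data; in a real pipeline that "filename" tag is the signal to escalate rather than to trust.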

Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance

Recent revisions to the Payment Card Industry Data Security Standard (PCI DSS) now require organizations to address potential vulnerabilities introduced by the use of open source components in their applications.

Sonatype's CLM "Hybrid SaaS" Architecture: Combining the benefits of SaaS and On Premise.

Discover how Sonatype's Component Lifecycle Management (CLM) solution is architected to utilize the advantages of the cloud and on-premise deployment.