  • Snippets, Scans and Snap Decisions: How Component Identification Methods Impact the Efficiency of Open Source Risk Management

    For the most part, modern software is assembled, not written. More than 90 percent of a typical software application consists of third-party components, most of which are open source; custom business logic makes up the remaining 10 percent. This heavy reliance on open source components has created new challenges for managing software security, quality and intellectual property. Organizations that rely on custom software are increasingly seeking visibility and control to manage risk and maximize benefit. But to properly manage open source components, you must know as much as possible about them, starting with precisely identifying them. Security, quality and licensing information is of little use if you have not precisely identified the component you are using, and without accurate, actionable component information, developers cannot make the right component selection from the start. This paper addresses the pros and cons of the component identification methods used in open source risk management, governance and logistics solutions and how they affect your efficiency and accuracy.

  • Lawyers and Licenses in Open Source-based Development: How to Protect Your Software & Your Sanity.

    You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.

  • New Gartner Research on Why Open Source Demands Strong Governance.

    Download this Gartner analyst report for recommendations on establishing effective governance processes for the open source used in your applications. Recommendations include implementing an effective open source governance process to manage the risks and costs associated with OSS within mission-critical workloads and ensuring your open source governance efforts include issues that affect developers, internal and external, because they are often the primary means for open source technologies to enter the enterprise.

    Gartner, "Widespread Use of Open-Source Software Demands Strong and Effective Governance," M. Driver, 13 August 2014.

  • Securosis: 2014 Open Source Development and Application Security Survey Analysis.

    This year, security analyst firm Securosis added their perspective to the always eye-opening results of the yearly Sonatype Open Source Development survey. See what they had to say about the impact of open source development on overall application security.

  • 451 Research: Is open source the new sexy? Sonatype on the catwalk.

    With the realization that as much as 90% of new software written today is assembled from open source components, enterprises are turning to inspection to figure out their risk. Sonatype is in a good position to take advantage of this rising awareness with its repo manager and component lifecycle management offerings.

  • 7 Security Gaps in the Neglected 90% of your Applications.

    The combination of growing component usage, coupled with lack of security, requires us to urgently re-evaluate traditional application security approaches and identify practical next steps for closing these security gaps.

  • On the Radar: Sonatype

    OVUM shares views on Sonatype’s products and vision, especially relating to Component Lifecycle Management (CLM).

  • New FS-ISAC Guidelines Name Sonatype as a Preferred Third Party Vendor

    Sonatype has been selected as preferred vendor for 'Control Type 3 Policy Management and Enforcement for Consumption of Open Source Libraries and Components' as part of the Financial Services ISAC guidelines.

  • Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities

    In 2013, the Open Web Application Security Project (OWASP) Top Ten was updated to include "A9: Using Components with Known Vulnerabilities." This paper explains this new threat category and offers practical ideas for reducing the risk from open source components, which now make up 80% of an average application.

  • Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance

    Recent revisions to the Payment Card Industry (PCI) guidelines now require organizations to address potential vulnerabilities caused by use of open source components in their applications.

  • Successful Agile Development Efforts Require Automated “Golden” Policies

    While the repository manager remains a foundation for component management, a new approach is needed to ensure that developers deliver trusted applications: one that uses automated policies and provides guidance and enforcement throughout the entire software lifecycle. In short, you need a golden policy approach, not a golden repository.

  • Sonatype's CLM "Hybrid SaaS" Architecture: Combining the benefits of SaaS and On Premise.

    Discover how Sonatype's Component Lifecycle Management (CLM) solution is architected to utilize the advantages of the cloud and on-premise deployment.

  • Introduction to CLM: How to Improve Productivity while Minimizing Risk in Open Source Application Development

    The average software application today consists of 80 percent open source components downloaded from shared repositories, yet most of today's application security tools are designed for custom source code. This gap leaves most application code exposed to security threats, licensing issues and performance defects. Learn how Component Lifecycle Management addresses this problem in refreshing new ways.

  • 451 Research: Securing the Open Source Software Supply Chain with Sonatype

    The purpose of Sonatype's CLM platform is to get out of the way of agile developers and let them do their thing, while at the same time keeping track of the versions, vulnerabilities and licensing of the open source components they're using.

  • Executive Brief: Addressing Security Concerns in Open Source Components

    This executive brief summarizes the findings of an independent and comprehensive security review of the 31 most commonly used open source components and provides practical guidance and best practices for addressing security risks.

  • Advanced Binary Matching: To Fix It, You Must Find It

    Learn how advanced binary matching can allow you to analyze a large application and produce a precise bill of materials in minutes.

  • White Paper: Introduction to Repository Management

    This document defines repository and repository management, providing context for developers interested in learning how to use Nexus Professional to achieve a more efficient development cycle.

  • White Paper: Benefits of a Repository Manager

    This paper outlines how the use of a repository manager enables development teams to reduce build times, improve control, and increase collaboration.

  • White Paper: Stages of Adoption for Repository Managers

    This document outlines the stages of adoption, and provides organizations with a roadmap for adopting best practices in repository management for each phase.