PCI Compliance

Preventing cyber attacks on credit card data


PCI says “No” to using components with known vulnerabilities. Sonatype can help.

The Payment Card Industry Data Security Standard (PCI DSS) and the related PCI standards help ensure that banks, financial services firms and merchants protect their customers' credit card data.

Credit card security became more demanding when PCI DSS tied its secure-development requirement (Requirement 6.5) to current industry guidance such as the OWASP Top 10, whose 2013 edition added "Using Components with Known Vulnerabilities" (A9) as a risk category that applications must avoid.

The good news is that Sonatype makes it easy to avoid this risk and achieve PCI compliance.

Learn more about PCI standards for component security

What are components? What's the risk?

These days, your developers are assembling the majority of your applications using open source building blocks called “components,” which are shared in a vast global developer network.

Yet your organization probably doesn't know which components are in use, where they are used, or which of them carry security, license or quality risk that puts you out of line with PCI standards.

Sonatype created Component Lifecycle Management (CLM) to help you meet PCI standards by providing complete visibility into component security, license and quality risk, backed by the automation and monitoring needed to keep you compliant over time.

The threat is real. Take Struts as an example.

Recent cyber attacks targeting known vulnerabilities in heavily used older versions of Apache Struts, a popular open source Java web framework, impacted:

  • global banks
  • a large financial exchange
  • a major software provider
  • and hundreds more

Despite 30+ publicly disclosed vulnerabilities, each fixed promptly in one of 35+ new releases, and an FBI Flash Alert, 2,682 organizations downloaded vulnerable Struts versions 80,575 times.

Empower your developers to avoid vulnerable components from the start. It's a small investment that protects the 90% of your application that components make up.

FS-ISAC recommends Sonatype for "Policy management and enforcement of open source libraries and components." With Sonatype Component Lifecycle Management (CLM), you can:

Find and remediate problems early in development using the tools your developers use every day. No extra work or delays.

Automate policies for open source security, license and quality, with integration throughout your software development lifecycle.

Monitor continuously to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.

See a tour of Sonatype CLM

Assess your current application risk in 2 minutes – it’s confidential and free.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."

  • Confidentially and quickly analyze your Java open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality and license risks
  • Analyze both internal and third party applications
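The "bill of materials" and "find and remediate / automate policies" ideas above are easier to picture with a concrete check. The script below is an added example and is not Sonatype's or CLM's code: it parses a Maven pom.xml into a component inventory, matches each component against an advisory list by version range, and applies a simple enforcement policy that blocks the build for vulnerable components in shipped scopes while only reporting test-scoped ones. The pom.xml, the advisory ids (EX-0001, EX-0002) and the version ranges are all constructed for illustration and are not real advisory data.

```python
"""Added example (not Sonatype's code): build a component bill of materials
from a Maven pom.xml and check it against an advisory feed.

The sample pom.xml, the advisory entries and their version ranges below are
constructed for illustration; they are not real advisories or real CLM data.
"""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (hypothetical project, not a real one).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>payments-web</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>safe-lib</artifactId>
      <version>4.2.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>old-parser</artifactId>
      <version>1.9.3</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: hypothetical ids and ranges, not real CVE data.
# A component is affected if lo <= version < hi; 'fixed' is the first safe release.
ADVISORIES = [
    {"id": "EX-0001", "group": "org.apache.struts", "artifact": "struts2-core",
     "lo": "2.0.0", "hi": "2.3.15", "fixed": "2.3.15"},
    {"id": "EX-0002", "group": "org.example", "artifact": "old-parser",
     "lo": "1.0.0", "hi": "2.0.0", "fixed": "2.0.0"},
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.3.15' into (2, 3, 15) so versions compare numerically.
    Plain string comparison gets this wrong ('2.3.9' > '2.3.15' as strings),
    which is exactly how a vulnerable version slips past a naive check.
    Missing segments are padded with 0 so '2.3' == '2.3.0'."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def build_bom(pom_xml):
    """Bill of materials: every declared dependency with its Maven scope."""
    root = ET.fromstring(pom_xml)
    bom = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        bom.append({
            "group": dep.findtext("m:groupId", namespaces=NS),
            "artifact": dep.findtext("m:artifactId", namespaces=NS),
            "version": dep.findtext("m:version", namespaces=NS),
            "scope": dep.findtext("m:scope", default="compile", namespaces=NS),
        })
    return bom


def check_bom(bom, advisories):
    """One finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in bom:
        v = parse_version(comp["version"])
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (comp["group"], comp["artifact"]):
                continue
            if parse_version(adv["lo"]) <= v < parse_version(adv["hi"]):
                findings.append({
                    "component": f'{comp["group"]}:{comp["artifact"]}:{comp["version"]}',
                    "scope": comp["scope"],
                    "advisory": adv["id"],
                    "upgrade_to": adv["fixed"],
                })
    return findings


def policy_gate(findings, fail_scopes=("compile", "runtime")):
    """Enforcement policy: block the build for findings in shipped scopes;
    test-scoped findings are reported but do not block."""
    blocking = [f for f in findings if f["scope"] in fail_scopes]
    advisory_only = [f for f in findings if f["scope"] not in fail_scopes]
    return {"pass": not blocking, "blocking": blocking, "advisory_only": advisory_only}


if __name__ == "__main__":
    findings = check_bom(build_bom(SAMPLE_POM), ADVISORIES)
    for f in findings:
        print(f'{f["advisory"]}: {f["component"]} ({f["scope"]}) -> upgrade to {f["upgrade_to"]}')
    print("BUILD", "PASS" if policy_gate(findings)["pass"] else "FAIL")
```

Run as a build step, the script turns the policy into a gate: the compile-scoped struts2-core finding fails the build with the fixed version named, while the test-scoped finding is surfaced without blocking. Replacing SAMPLE_POM with a real pom.xml and ADVISORIES with a maintained feed is what a tool like CLM automates; the version-range comparison is the part most home-grown scripts get wrong.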

Learn More & Start Your Analysis
