Vor Security Brings OSS Index to Sonatype

Our data research team is always looking for ways to expand Sonatype Lifecycle's coverage with new sources and feeds of data. A little under a year ago, we stumbled across OSS Index (ossindex.net). Initially, we were intrigued by the coverage of ecosystems we had not yet fully researched. However, as we opened a dialog and engaged in a formal relationship with Ken Duck, founder and CEO of Vor Security, the company behind OSS Index, it became apparent that this was not just another run-of-the-mill data aggregation feed.

What most people don't realize is that so much of the reported data in places like NVD often lacks sufficient details to be truly precise and actionable. Sometimes it's even incorrect.

Security research is a specialized skill that requires a deep understanding of attack methods combined with software engineering expertise. Recognizing mistakes in reported information requires this unique skill set and can't be fully automated. At the end of the day, a human is required to interpret the results and ultimately determine where the vulnerability occurs. If your vendor isn't doing this for you, it falls to your team to sift through all the noise.

Like Sonatype, Vor understands the subtle deficiencies in the feeds commonly used by other tools, and undertook an effort to produce an efficient way to correct the data and make it useful to downstream consumers. Their approach to this solution involved processes and insights that were closely aligned with our own, which ultimately led to a human curation element as the final arbiter. Vor approached the vulnerability correction and assignment from the project down to the components, which is exactly the opposite of the Sonatype approach of finding the vulnerable code and tracking it back to the released component. By merging the top-down and bottom-up approaches, we can significantly increase our vulnerability coverage.
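To make the "noise" problem concrete, here is a small added illustration of why an as-reported vulnerability record that only names a project is far less actionable than a curated record pinned to exact component coordinates and an affected version range. This is example code written for this post, not Sonatype's or Vor Security's matching logic, and every record, identifier (such as EXAMPLE-0001) and dependency in it is constructed; none of them refers to a real vulnerability or feed.

```python
"""Compare how a raw (imprecise) vulnerability record and a curated record
match against a dependency list. All data here is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3); a trailing qualifier such as '-beta' is ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


@dataclass
class VulnRecord:
    vuln_id: str
    group: Optional[str]          # None: the record names a project, not a component
    artifact: str
    min_inclusive: Optional[str]  # None: no lower bound known
    max_exclusive: Optional[str]  # None: no fixed version known


@dataclass
class Dependency:
    group: str
    artifact: str
    version: str

    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def record_matches(rec: VulnRecord, dep: Dependency) -> bool:
    """True when the dependency falls inside everything the record pins down.
    Fields the record leaves unset cannot exclude anything, which is exactly
    how imprecise records turn into false positives."""
    if rec.artifact != dep.artifact:
        return False
    if rec.group is not None and rec.group != dep.group:
        return False
    v = parse_version(dep.version)
    if rec.min_inclusive is not None and v < parse_version(rec.min_inclusive):
        return False
    if rec.max_exclusive is not None and v >= parse_version(rec.max_exclusive):
        return False
    return True


def find_matches(records: List[VulnRecord], deps: List[Dependency]) -> List[Tuple[str, str]]:
    """Return (vuln_id, dependency coordinates) pairs for every match."""
    return [(rec.vuln_id, dep.coordinates())
            for rec in records for dep in deps if record_matches(rec, dep)]


# Constructed dependency list: two versions of one component plus an unrelated
# project that happens to reuse the same artifact name.
DEPENDENCIES = [
    Dependency("com.example", "http-client", "2.1.0"),
    Dependency("com.example", "http-client", "3.0.2"),
    Dependency("org.other", "http-client", "1.4.0"),
]

# As reported: only the artifact name, no group, no version bounds.
RAW_RECORDS = [VulnRecord("EXAMPLE-0001", None, "http-client", None, None)]

# After human curation: pinned to the component and to the fixed version 2.1.4.
CURATED_RECORDS = [VulnRecord("EXAMPLE-0001", "com.example", "http-client", "2.0.0", "2.1.4")]


def compare() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Matches produced by the raw feed versus the curated feed."""
    return find_matches(RAW_RECORDS, DEPENDENCIES), find_matches(CURATED_RECORDS, DEPENDENCIES)


if __name__ == "__main__":
    raw, curated = compare()
    print("raw feed flags:    ", raw)       # three hits, two of them noise
    print("curated feed flags:", curated)   # only the genuinely affected version
```

Run as-is, the raw record flags all three dependencies, including a different project and an already-fixed version, while the curated record flags only com.example:http-client:2.1.0. The extra fields the curated record carries are precisely what a researcher has to determine by hand.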

Sonatype's roots are in open source, starting with the early days of Apache Maven. In addition to being the providers and caretakers of The Central Repository for over 10 years and creating M2Eclipse and many other projects, we have long made our tooling, such as Nexus Repository, available to open source projects and forges for free. This desire to do the right thing by the community, to make a difference, and to leave things better than we found them is another common bond we share with Vor Security.

Bringing Vor into the Sonatype fold will immediately allow us to increase ecosystem coverage, and OSS Index provides a platform to accelerate innovation in open source security research. We are pleased to welcome Vor Security to Sonatype.

Written by Brian Fox

Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from the Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents, such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, as well as developing and leading the development of, software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other security and development-related conferences.