Sonatype, which provides tools for developers to build better quality software, has acquired code analysis platform MuseDev. The acquisition adds developer-friendly code scanning to Sonatype’s platform to create a “full-spectrum” software supply chain management platform, company CEO Wayne Jackson said.
Sonatype today revealed it has acquired MuseDev, a provider of a code analysis tool, in addition to updating its Nexus platform for discovering vulnerabilities in software supply chains.
CIOs describe their home office setup: Pets, antiques, toys and clear access to coffee
Rapid tech deployments during the pandemic have acted as a proof-of-concept for a range of digital projects
Open source is not the one that’s inherently insecure. Proprietary software — a black box where you can never know what’s really going on — is now, always has been, and always will be more of a security problem. There are many ways to find those open source mistakes. For instance, you can look to Sonatype Nexus Lifecycle for a third-party code analysis tool.
More developers will move to application security's front lines. By 2024, 40% of development teams will make it into the high-performer category, up from 25% today, demonstrating both high-velocity releases and strong security outcomes. The bad news is that adversaries will continue to outpace them when it comes to finding successful exploit paths to new vulnerabilities.
Sonatype's latest Advanced Development Pack is designed to change how teams manage code dependencies.
Sonatype launched an Advanced Development Pack service that surfaces dependencies between open source components in a way that makes it easier for developers to know which ones to employ to build the most secure application possible and what components offer the simplest upgrade path.
Because so much of modern development is reliant on modular components, developers often face the issue of dependency upgrades that break the functionality of their application. In order to help teams manage this problem Sonatype is launching an Advanced Development Pack that changes the way dependencies are handled.
Sonatype security researchers discovered two malicious NPM packages that, if unwittingly downloaded by developers, published users’ IP addresses, usernames, and device fingerprint data online.
Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.
Researchers at Sonatype, a leader in the DevSecOps and repository management space, discovered and confirmed the presence of new vulnerable npm packages this week. The packages exfiltrate/broadcast the target's IP, username, and device fingerprint info onto a public GitHub page where anyone can gain access.
As commercial and enterprise software developers become more disciplined about keeping their open source software components updated to reduce the risk of software supply chain attacks, the bad guys are getting craftier: Researchers warn that they're over-running open source projects to turn them into malware distribution channels.
Companies are moving toward a DevSecOps approach to application development, but problems remain with security testing ownership and open-source code vulnerabilities.
Security experts are warning of a 430% year-on-year increase in attacks targeting open source components directly in order to covertly infect key software supply chains.
The past year saw a 430% increase in next-generation cyber attacks aimed at actively infiltrating open source software supply chains, according to the 2020 State of the Software Supply Chain report.
The highest performing developers put out releases 15 times more often and are 26 times faster to detect and fix open source vulnerabilities than their low performing counterparts, according to a new study.
In its annual report on the state of the software supply chain, security specialist Sonatype foresees no let-up in the shift to open source tools, noting that up to 90 percent of the code components used by developers are widely available. That all-time high is occurring despite what the company describes as a “massive increase” in software supply chain attacks.
There has been a dramatic surge in cyber-attacks in which malicious components are planted in open source libraries, a new report reveals. Sonatype’s sixth annual State of the Software Supply Chain report recorded a 430% rise in these “next generation” attacks, which proactively seed the open source ecosystem with vulnerabilities rather than leveraging previously disclosed zero-day flaws.
The open-source software development company encourages employees to take one day every other week to work on a passion project—more than half of Sonatype’s products began as “innovation day” experiments.
DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.
The 2nd Annual Cybersecurity Impact Awards identified and is recognized multiple honorees (individuals and businesses) located in Washington, D.C., Maryland and Virginia (DMV) for their leadership and innovation within the cybersecurity industry.
In this interview, Sonatype's CTO Brian Fox talks about how the persistence of cumbersome legacy approaches is more problematic than ever, with malicious actors increasingly targeting applications, becoming faster at exploiting vulnerabilities, and planting malicious components in open source libraries.
“We’ve analyzed over 70 million open source software components to ensure developers have rapid, precise access to information about their quality and security,” says Brian Fox, co-founder and CTO of Sonatype. “The Atlassian integrations benefit from Sonatype’s deep, precise data. Not only is our database of vulnerable components 70% larger than other market alternatives, our data is curated to provide the most value and insight for the developers who need it.”
“The Octopus Scanner Malware validates the importance of analysing binaries within your code and not taking the word of the manifest. What makes Octopus so dangerous is that it has the capability to infect other JAR files in the project so a developer ends up using and distributing the mutated code to their team or community of open source users,” says Brian Fox, CTO at open source software security specialist Sonatype.
Brian Fox, CTO at open source software security specialist Sonatype, commented that what makes Octopus Scanner so dangerous is that infects developer tools that subsequently infect all of the projects they are working on, impacting their team or community of open source users.
Listen to the episode to learn :
Why continuous learning is such great thing
How visualizing feedback loops makes DevOps easier to grasp
What DevSecOps looks like in real world
"These declines are especially apparent when comparing year over year activity levels, where one can see predictable and repeated declines around December holidays, Easter breaks, and summer vacations," he said. "Yet in the face of every developer shifting from a seat at the office to one at the kitchen table, the rebounds were less apparent or simply non-existent." -- Brian Fox, CTO and co-founder of Sonatype
Happy developers are more productive, build more secure code, innovate faster and are better for business.
Sonatype addresses security issues in open-source code by helping developers ensure that it's safe.
Sonatype places on the annual list of the world’s hottest pure-play cybersecurity companies
Nancy is a command line application, written in Golang by the Golang community and sponsored by Sonatype. It uses Sonatype’s OSS Index to check your dependencies for publicly filed vulnerabilities.
[W]e spoke with Derek Weeks, vice president at Sonatype, about the results of a new community survey the company just released on DevSecOps that provides some insights on how teams are incorporating automated security tools and how that shift affects company culture and developer happiness.
“By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.”
Sticking with the happiness metric, Sonatype concluded job satisfaction was higher in mature DevOps practices, with 92 per cent of devs in such teams declaring themselves satisfied, compared to 61 per cent of those in immature groups.
Don’t get me wrong. Developers are my people. I surveyed over 5,000 of them from 102 countries to learn more about my tribe. And when I looked at the data, distinct patterns emerged. The fault lines run right along the upside-down frowns.
“The world is now in an unprecedented experiment where most of the development force is no longer working in secure networks, safe in corporate security and restricted by their cut-off networks. In this new world, the role of open source software is going to just increase, and has become its critical infrastructure,” said Ilkka Turunen, global director of pre-sales at open source security provider Sonatype.
Brian Fox, co-founder and CTO of Sonatype, which runs Java-focused Maven Central Repository, said it's important that critical open source infrastructure is well managed. It makes sense, he said, that NPM would "lean into Microsoft and GitHub to further their mission."
Public code repositories are critical infrastructure, and maintaining code repositories in a reliable and trustworthy way can be challenging and expensive, said Brian Fox, co-founder and CTO of Sonatype. Sonatype maintains Maven Central, a repository for Java components.
Actually, we could start with the obvious, and look at successful tech events that are already virtual-only. Events such as All Day DevOps, Global Devops Bootcamp, and HashiTalks point the way for developer-focused events run by communities and vendors alike.
For the past three to four years, all the companies around the IT world have adopted agile and different application development methodologies that leverage the work for different departments or areas and helps them to develop new products and release new features to improve their processes and infrastructure.
New IoT security regulations are a welcome move to shore up security, but the devil is in the detail, and many questions remain unanswered.
Facebook exec Nick Clegg has received criticism over comments suggesting that end-to-end encrypted Whatsapp messages could not be hacked.
Sonatypes’s Jason Green and Derek Weeks discuss how their company can reduce cost and increase cybersecurity for federal agencies.
The average enterprise is relying upon about 3,500 open source projects to support faster software development. Unfortunately, external suppliers of the code are often chosen based on popularity or familiarity rather than code quality. Vice President at Sonatype and the co-founder of All Day DevOps Derek Weeks sat down with us to discuss open source…
New Integrations Deliver Enterprise-Grade Open Source Governance and Dependency Management to Millions of GitHub Developers
Ten Maryland companies made the 2019 list of the nation's fastest-growing tech firms assembled by professional services firm Deloitte, including Sonatype.
This series details the thoughts of five DevOps, open source, and security thought-leaders, including Sonatype's Derek Weeks and Brian Fox, to gain a better sense of how developers and enterprises should be interacting with open source software, what they should keep in mind, and the role of community and knowledge-sharing in open source spaces.
An explosive increase in open source usage within enterprise has made it increasingly difficult for companies to track open source components using their traditional methods. Now, it has become necessary to automate the open source management process.
A partnership between the UK government and chipmaker Arm to develop new chip technologies that are more resistant to cyberattacks has been welcomed by the cybersecurity industry.
Behind the buzzword, is there a real need of and value for organizations in exploring DevSecOps? It’s important to understand why DevSecOps matters in this day and age of security breaches and what the pragmatic benefits are for your organization.
Large or small, enterprises from all sectors are dealing with the same vulnerabilities in open source code. The difference: the scale of the problem. DJ Schleen of Sonatype discusses insights from the latest ISMG roundtable dinner.
Derek Weeks, vice president and DevOps advocate with Sonatype, discusses what's changed since the Equifax data breach of 2017, when an unpatched vulnerability in Apache Struts opened the door to an attack, and how CISOs and security leaders need to do more to ensure open source components developers download to build applications don't lead to a similar incident.
Sonatpe's DJ Schleen shares why feelings have no place in application security, and how his new application security health calculation can provide a number that security teams can understand and take action on.
Sonatype CMO Matt Howard discusses how the conversation highlights the offense vs. defense approaches to securing critical applications.
The Washingtonian's guide to the most important and innovative people in Washington's digital economy, including Sonatype's CEO Wayne Jackson.
As the DevOps movement continues to make headway into the enterprise, TechBeacon updated its"DevOps 100" list of IT leaders who are driving those changes for 2019 - including Sonatype's Mark Miller and Derek Weeks.
On the first day of Cybersecurity Awareness Month, the Northern Virginia Technology Council (NVTC) announced the winners of the inaugural Capital Cyber Awards and named Sonatype Cyber Company Over $25 Million.
Security cameras recommended and sold by Amazon come with "huge" security risks, according to a study.An investigation by UK consumer watchdog Which? revealed that cameras with an Amazon Choice tag could be easily hacked.
Cheap home security cameras, webcams and baby monitors, promoted by Amazon, are riddled with security flaws.
Sonatype Nexus is one of the best repository managers out there. It is some tool that you cannot avoid in your CI/CD pipeline. It effectively manages deployable artifacts.
Sonatype has been developing the next-generation of its Nexus Intelligence research engine that automatically detects counterfeit and malicious code injections into open-source software supply chains.
List of the top fastest growing companies in the Washington, DC area in 2019 coming from technology startups, saas and tech security.
The lowdown on what open-source operating systems are and why they matter.
Gene Kim, author and DevOps advocate, took a fresh look at the way enterprises use Agile open source components. Kim collaborated with Sonatype on the "State of the Software Supply Chain" report, which examined and documented release patterns of Agile open source tools, along with cybersecurity practices, across 36,000 Java projects and 12,000 enterprise dev teams.
Many of the most successful people have gotten job interviews down to a science — and they're not in the habit of wasting time with dumb or irrelevant queries. Business Insider shares 53 questions asked by successful executives incudling Sonatype's Wayne Jackson.
Veristor Systems and Forty8Fifty Labs, the DevOps and software development subsidiary of Veristor, announced a partnership with Sonatype.
Most companies these days claim to embrace innovation. Fast Company collaborated with Accenture to identify 50 organizations that actually cultivate big ideas and encourage experimentation - including Sonatype.
Dealing with software supply chain threats requires that developers put renewed focus on ensuring the integrity of both their internal code and any third-party code they incorporate into their programs, software security experts agree.
Today, businesses that are racing to deliver better value to their customers—and differentiate from competitors—are embracing Edwards Deming's principles within their open-source-based software development practices. As software has become the last path to differentiation in most competitive industries, practices are evolving, from artisan-based creations to those that more closely resemble high-velocity parts assembly.
After almost a year of research that involved studying 36,000 open source software projects, 12,000 enterprise development teams and 3.7 million open source releases, we at Sonatype are excited to share the “2019 State of the Software Supply Chain” report.
Open source components help developers innovate faster, but they sometimes come at a high price.
In 2017, Hackers entered Equifax using a vulnerability in the open source Apache Struts library. And, despite that being one of the largest and best publicized breaches in history, downloads of the vulnerable, unpatched Struts library increased.
Is open source software secure? Ask someone in the industry and they may well scoff and ask you “how long is a piece of string?” As with proprietary software (which is certainly not all secure), not all open source was created equal. Yet with Sonatype’s fifth annual State of the Software Supply Chain Report revealing that UK enterprises downloaded over 21,000 software components with a known vulnerability in the last year alone, the question – sweeping though it is – should not be shrugged off.
It is possible to manage your open source software supply chain to reduce the risk of vulnerabilities and breaches. The problem is, not everyone is following this advice, according to the 2019 State of the Software Supply Chain Report, which was released yesterday by DevOps automation firm Sonatype.
The situation highlights the challenge of securing open source software, which underlies virtually every IT system in government.
While open-source software is an integral part of software development today, security continues to be an issue. A recently released report revealed a 71 percent increase in open-source security related breaches over the last five years. In addition, 25 percent of organizations reported a confirmed or suspected open-source software related breach.
Neben Best Practices rund um Open-Source-Projekte wurden ebenso diverse Open-Source-Komponenten untersucht. Die Ergebnisse des Berichts stammen aus der Analyse von 36.000 Open-Source-Projektteams und 3,7 Millionen Open-Source-Releases.
There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.
The average UK enterprise has downloaded over 21,000 software components with a known vulnerability in the past year alone, according to new data from Sonatype the DevSecOps automation specialist.
Sonatype CMO Matt Howard discusses the relevance and value of this application security conversation.The reason why this topic resonates so well across sectors and regions? "Because software is the last path for differentiation in every industry," Howard says, "and whether you know it or not, every business in the world today is largely a software company."
This weekend marks exactly a year since the introduction of the EU's GDPR legislation shook up the world of data protection and sent businesses around the world into a flurry of compliance activity.
The 2019 SD Times 100 recognizes those companies and organizations that are the leaders, innovators and influencers in the software development market. They have flown ahead of the flock with new, innovative projects or by establishing leadership positions, or by influencing how and what we create. Sonatype was named in the Security category.
How do agencies make sure the crowdsourced code that underlies nearly every piece of tech on the market is safe to use?
WhatsApp's reputation as one of the world's most secure messaging apps took a battering this week, when it emerged that hackers had managed to install spyware on some users' phones by simply calling them through the app.
Maple Lawn-based Sonatype took home the Emerging Growth Company of the Year award during the ACG National Capital’s 2019 Corporate Growth Awards Gala.
A critical security vulnerability in WhatsApp allowed malicious actors to inject surveillance malware into users' devices, the online messaging service has revealed, stating that the flaw impacted only a limited number of users.
Over the last 20 years, the cybersecurity industry has often said each breach is going to be the wake up call the industry needs. It’s happened so many times that it’s practically a running joke. But now, things are starting to change .
Firms are starting to make the development process more secure with DevSecOps. How does it work?
The UK government is mulling plans to introduce a mandatory IoT security labelling scheme – although it is suggesting voluntary implementation to start with – as it launched a five-week consultation that closes June 5.
These employers offer interesting work, great pay and benefits, chances to learn and grow, and a sane work/life balance.
In this graphic, research firm CB Insights identified the most highly-funded companies in each of the 50 states, plus Washington, D.C. Some - Sonatype was named the most highly-funded company in Maryland.
No one likes to fail; we'd much rather succeed than not. Failure, though, is part of the human condition—and, as a new book says, maybe we're better off because we can't avoid it, wrote Sonatype's Mark Miller, editor of a new 180-page book from DevSecOps Days Press titled Epic Failures in DevSecOps.
Sonatype's Tyler Shields discuss “Incident Response and Recovery” at the National Cyber Security Alliance (NCSA) and Nasdaq Cybersecurity Summit .
Wayne Jackson is a veteran tech entrepreneur who has overseen a billion-dollar sale and raised hundreds of millions in funding rounds. Speaking to Business Insider, Jackson revealed his four secrets to raising finance from investors.
Forrester recently released its “Forrester Wave Software Composition Analysis SCA for Q2 2019,” highlighting the leaders in this fast-growing category. Security Boulevard had a chance to sit down with three of the companies highlighted in the Wave report, including Sonatype, to talk about why SCA is so important.
Wayne Jackson sold his first startup for more than $1 billion, led a successful IPO with another firm, and recently raised $80 million for his latest tech venture. He has some simple advice on growing a successful tech business: Find your niche.
Sonatype announced a partnership with HackerOne to create The Central Security Project (CSP).The program brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components.
HackerOne and software supply chain management tool Sonatype have teamed up to help security researchers have a single place to report security bugs with The Central Security Project, a new effort that “brings together the ethical hacker and open source communities to streamline the process for reporting and resolving vulnerabilities discovered in libraries housed in The Central Repository, the world’s largest collection of open source components.
Vulnerabilities in open source code represent a risk for businesses, but the process of reporting them is cumbersome and that can leave software open to risk. Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process and turn to public lists or social media, where bad actors can easily find the details before fixes are created.
As enterprises increasingly turn to open source code to cut dev efforts and costs, IT industry vendors recommend that they secure dependencies and deploy patches to safeguard apps.
In a significant industry milestone, Sonatype and HackerOne have teamed up to make the open source community safer for all who use it.
New survey shows where "elite" DevOps organizations are better able to incorporate security into application security.
Every Monday morning CBR fires five questions at a C-suite tech industry interviewee - Sonatype's CTO Brian Fox was in the hot seat answering questions about his past, and where he sees the future going.
What's the difference between an elite and a less mature DevSecOps program? Sonatype's Derek Weeks unveils the results of the 2019 DevSecOps Community Survey.
Featuring the responses of more than 5,500 participants, the 2019 DevSecOps Community Survey offers detailed insights into the DevOps and DevSecOps ecosystem.
The lack of open source governance programmes, the inability of a large number of organisations to implement elite DevSecOps programmes, and the inability of organisations to impart application security training to employees have resulted in a 71 percent rise in open source breaches over the past five years.
A survey of 5,558 IT professionals published today by Sonatype in collaboration with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit and Twistlock finds 27 percent of organizations have mature DevOps practices in place, while another 48 percent are still working on improving them.
As DevOps practices are maturing rapidly, organizations with elite DevSecOps programs are automating security earlier in the development lifecycle and managing software supply chains as a critical differentiator to their competitors.
For the last three years, half of developers have agreed security is important, but they don't dedicate enough time to it, according to Sonatype's 2019 survey of more than 5,550 IT professionals.
There has been a surge in open source breaches over the past five years, with just over a quarter of companies reporting a confirmed or suspected breach in the past year alone.
Security breaches related to open-source security projects are on the rise and a lack of time being made available to developers to resolve vulnerabilities is believed to be to blame.
Security breaches linked to open source software components have risen by 71% over the past five years, as securing applications continues to be a challenge for many organizations, according to Sonatype.
Open source continues to proliferate. Sonatype helps take open source into the enterprise, allowing enterprises to govern it with things like security policies. Enterprise adoption of open source is accelerating and so will Sonatype.
There are really only two repositories of any scale for software components today: the Nexus repo managed by Sonatype and the Artifactory artifact repo managed by JFrog. In a big move toward keeping DevOps open and secure, the Sonatype people have released a plugin that will allow their Nexus Firewall to work with Artifactory as well as Nexus.
Kenna Security and Sonatype have announced a partnership to provide risk assessment and vulnerability intelligence for open source projects.
.png)
Whether you’re a developer, a CTO or a tech lead, I bet you have at some point faced a dilemma of adding a third-party dependency to your software. With all the benefits, they sure do come with some obvious trade-offs. Enter Sonatype Nexus.
Tyler Shields is someone who has made the leap from technical security expert to business leader. At Veracode, CA and now Sonatype, Tyler is someone who can clearly enunciate the path forward for business leaders on what they should be doing in regard to DevSecOps, open source security and minimally viable security.
“A number of the breached sites failed to disclose the attacks, indicating that they weren’t aware of the hack, or opted not to reveal it, and thus could fall foul of GDPR and be subject to serious fines. Either way, it’s likely to be concerning for consumers, who will bear the brunt of the attacks," Isaid lkka Turunen, global director at software firm Sonatype.
Details of the top five venture capital recipients in Maryland, ranked by funding received last year.
Propelled by the injection of funding, Sonatype’s “record 2018” which included a 67 percent increase in new business sales, a 132 percent customer net renewal rate, 211 new enterprise customers and a 50 percent increase in employees. Looking into 2019, the company expects to see at least 50 percent year-over-year growth across the company, as it expands product offerings and continues to scale its team.
Despite Apache Struts releasing multiple updates to its software in the nearly two years since the Equifax breach, Sonatype published research which found that between July and December 2018, two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was used in the infamous breach.
Sonatype, which already works with Fannie Mae and Tomitribe, announced Tuesday a new working relationship with Equifax to monitor the use of the credit agency’s open-source libraries across its network to help prevent another breach.
On Tuesday, Sonatype announced that the company would be partnering with Equifax in order to help the credit reporting agency prevent future breaches. The company will monitor Equifax’s network-wide open source libraries.
2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is.
The Washington Business Journal takes a look at the small handful of up-and-coming companies in the Washington area, including Sonatype, that have broken out of the pack and have a real shot at leaping to unicorn status. They are all valued at more than $250 million — and, by all accounts, are growing.
.png)
Sonatype's vice president for international Wai Man Yau, said the EU has been the driving force for some of the most crucial pieces of digital legislation, such as the General Data Protection Regulation (GDPR), and that the UK risks being left behind. "No government would want to risk the security of businesses and citizens," he said, "and so both the UK and the EU nations have a vested interest in working together to boost cyber security levels.
.png)
Sonatype’s DepShield is another free tool for scanning your repos for open-source vulnerabilities. It searches your repo against the Sonataype OSS Index and opens GitHub issues with details about any problems it finds.
.jpg)
Following an outstanding 2018 for Sonatype, Inc., company CMO, Matt Howard & CFO, Dave Miller join Olivia Voznenko at the Nasdaq to share the inside scoop behind Sonatype's successful 2018. Also, they discuss what the year 2019 has in store for Sonatype just before ringing the closing bell.
Sonatype DepShield is a free GitHub app which can automatically identify vulnerabilities in open source dependencies. Depshield enables GitHub developers to take essential governance and security measures in their own hands. Depshield is powered by Sonatype's OSS Index and integrates publicly available open source vulnerability data into GitHub's public repositories. This allows developers to identify, and eventually fix, possible issues as soon as possible.
"2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75 percent of developers will begin expecting security intelligence about their code to come from GitHub plugins - and across the development lifecycle. AppSec must live where developers live, and developers must understand security. 2019 will usher this in as non-negotiable business imperative. …. 2019 will set in motion, a massive three to five year transformation that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps." – Derek Weeks, VP and DevOps Advocate, Sonatype.
On the 12th of December, following the comprehensive timeline report detailing what happened during the Equifax Breach, the Subcommittee on oversight and investigations released an additional report identifying the core strategies organizations can take to address modern cybersecurity risks.Following the increase both in security disclosures and events the Energy and Commerce subcommittee set about identifying what the common characteristics of these security events are and what, if any, priorities organizations can set from a strategic perspective to control and address these risks going forward.
Sonatype's Bill Karpovich appeared on Fox Business News to discuss the recent House report on the Equifax breach published by the Energy and Commerce Subcommittee on Oversight and Investigations.
Every year, we select the private information technology companies we believe have enough momentum to become very large and successful businesses. We produce this annual list to surface the businesses that have product-market fit and the greatest long-term prospects.
The open source community is under attack as hackers grow bolder than ever.
Earlier this year, I detailed a new battlefront for open source software based on the fact that bad actors are increasingly polluting public wells like npm. which millions of thirsty developers drink from — to the tune of 6 billion downloads per week — and was recently compromised when a bad actor injected malicious code into the popular JavaScript component, event-stream.
Enterprises cannot want to transform but be resistant to change, especially when it comes to adopting and integrating open source.
“[IBM pledging support for Linux] was a major move towards legitimizing this movement,” Bill Karpovich, EVP of open source software firm Sonatype and a former executive for IBM Cloud, told Business Insider. “[IBM has] always had a business model that supports open source…They’re putting their money where their mouth is. With this acquisition, they certainly are putting big dollars on the open source model.”
The UK government has launched a voluntary Code of Practice for internet-connected devices. The IoT Code of Practice is a world first and aims to boost the security of devices such as smart watches and virtual assistants.
A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley, explain how Chinese spies infiltrated nearly 30 U.S. companies by including compromised microchips in Supermicro motherboards, which those companies then used across data centers. Once installed in the data centers, those microchips could be accessed by the bad actors who could then control the motherboards from afar. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.” Regardless of whether the Bloomberg story is valid, supply chain attacks are already happening in the wild, and this should be a wake-up call for all of us.
September was quiet volume-wise for District term sheets, but some high-value deals moved big chunks of money into the local startup scene. At least 10 D.C.-area startups raised a combined $120 million in funding, led by a massive venture round by Maryland software company Sonatype.
A new report from Sonatype has revealed a dangerous new trend where hackers are capitalising on the popularity of open source and injecting vulnerabilities directly into open source components.
As the number of open source components used in software supply chains shoot up, hackers are going along for the ride. Increasingly threat actors are planting bad code in open-source repositories in the hopes to harvest the flaws later when used in larger banking, manufacturing and healthcare DevOps projects.
Sonatype today released its fourth annual State of the Software Supply Chain report which found that software developers downloaded more than 300 billion open source components in the past 12 months and that 1 in 8 of those components contained known security vulnerabilities.
Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach.Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components over the last 12 months.
TPG is leading an $80 million minority-stake investment in software developer Sonatype Inc.The investment round included participation from Accel, Goldman Sachs Group Inc. and Hummer Winblad Venture Partners, according to a press release. Sonatype, of Fulton, Md., runs a repository of open-source components developers can download and integrate into new software. Customers for its components include technology professionals in the government, financial services, technology, health-care and manufacturing sectors, according to the firm’s website.
Fulton, Maryland-based Sonatype, a provider of automated open source governance, has secured $80 million in funding. TPG led the round with participation from Accel, Goldman Sachs Group and Hummer Winblad.
While they may not qualify as the supergiant rounds that we’ve tracked lately, Masterclass and Sonatype each raised significant amounts of capital from investors this week, helping us to understand their respective categories: edtech and software security.
Sonatype, a Maryland-based cybersecurity company, announced Friday that it has raised $80 million from investors. The funding round was led by San Francisco-based private equity fund TPG Growth, with participation from Accel, Goldman Sachs and Hummer Winblad.
Sonatype, a cybersecurity-focused open-source company, has raised $80 million from investment firm TPG.The company said the financing will help extend its Nexus platform, which it touts as an enterprise ready repository manager and library, which among other things tracks code and helps to keep everything in the devops pipeline up-to-date and secure.
Sonatype, a company that helps companies build more secure software, will be announcing an $80 million funding round led by TPG.
The funding is a minority investment led by TPG, a San Francisco private equity firm with $84 billion under management, with additional participation by existing investors Accel, Goldman Sachs Group and Hummer Winblad.
More than 60 Greater Baltimore companies made this year's Inc. 5000 list of the nation's fastest-growing businesses.
Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.
Sonatype operates on the principles of better, safer, and faster delivery with software supply chain automation. The company acquired the OSS Index last year and has now launched an automated and re-designed Open Source Software Index that provides developers with information on OSS dependencies and vulnerabilities for more informed product development.
When it comes to governance, risk and compliance (GRC), it seems the world is constantly playing catch-up.
The Tech Tribune staff has compiled the very best tech startups in Maryland. In doing our research, we considered several factors including but not limited to:
The 2018 DevSecOps Community Report is out and for those following the growth of DevOps and it's subsequent drive into the security community, under the moniker of DevSecOps, the results won't be surprising. In fact, I set out to write some hot-takes from the report that would really dig into an existential evaluation of security in a DevOps world, but in the end, the takeaways from the report are far more pedestrian. Don't read that as not meaningful — in fact, I think the survey results are very meaningful and informative for our path forward.
For every company in every industry, competition is as likely to come from an unknown startup as it is from long - established rivals. In the modern economy, if you’re not innovating fast enough, you’ll get run over by someone who is. Just ask broadcast and cable television companies about Netflix. Ask Hilton and Marriott about Airbnb. The fear of death can be a powerful motivator.
On June 14, entrepreneurs of the greater Washington area came together in celebration of their accomplishments for the 2018 EY Entrepreneur of the Year Mid-Atlantic Awards at the Ritz Carlton in Tysons Corner.
On June 14, entrepreneurs of the greater Washington area came together in celebration of their accomplishments for the 2018 EY Entrepreneur of the Year Mid-Atlantic Awards at the Ritz Carlton in Tysons Corner.
Three Maryland companies will go on to Palm Springs, California, to vie for the national title of EY Entrepreneur of the Year, after winning awards for the mid-Atlantic region.
DevOps toolchains, often comprised of existing or acquired software tools, are critical for rapid, reliable and efficient application delivery. Having an integrative, holistic approach to tooling fosters team interaction. These tools working together provides a dramatic improvement to the application lifecycle.
Microsoft just announced the acquisition of GitHub. What does this mean for developers, companies, the DevOps market, and CloudBees?
A força de trabalho atual é distribuída - em vários escritórios pequenos, adotando funcionários que trabalham em casa e espalhados pelos continentes - e a TI sempre esteve na vanguarda dessa mudança, abraçando entusiasticamente as novas tecnologias de comunicação que tornam essa prática possível. Mas as ferramentas e técnicas que usamos para gerenciar uma força de trabalho remota e forjá-las em uma equipe quando não se encontra no cafezinho todos os dias ainda estão, de alguma forma, em suas infância. E, muitas vezes, não ajudam a superar determinados obstáculos.
DevOps is intended to dramatically increase the pace of application development and support. This is expected to allow more mistakes to get through to production environments, but that’s OK because they can be corrected right away rather than have to wait for the next development cycle to play out.
Yesterday, after days of speculation, it was confirmed that Microsoft would acquire GitHub for $7.5 billion.
In hindsight, there were two likely causes for last year's massive breach: the decision to use Apache Struts, and a failure to patch in a timely fashion. Both are still a recipe for disaster.
Microsoft has announced that it will be acquiring GitHub for US$7.5billion in an all-stock transaction, representing the tech giant’s largest purchase since professional networking site LinkedIn in 2016 for US$26.2billion.
Microsoft has acquired the software development platform GitHub for $7.5bn in stock, it was announced today. The deal is due to be completed by the end of the year.
The 2018 SD Times 100 is here, and we celebrate the achievements of these companies as they take or retain their position as thought leaders and influencers in the software development industry.
The days of workplaces located in a single office are done. Today's workforce is distributed — across multiple small offices, embracing work-at-home-employees, and spread across continents — and IT has always been at the forefront of that change, eagerly embracing new communications technologies that make it possible. But we're only a few years into this shift, and the tools and techniques we've used to manage a workforce and forge them into a team when they don't meet at the water cooler every day are in some ways still in their infancy.
The days of workplaces located in a single office are done. Today's workforce is distributed — across multiple small offices, embracing work-at-home-employees, and spread across continents — and IT has always been at the forefront of that change, eagerly embracing new communications technologies that make it possible. But we're only a few years into this shift, and the tools and techniques we've used to manage a workforce and forge them into a team when they don't meet at the water cooler every day are in some ways still in their infancy.
Identity is big, really big, especially when it is customer-facing. There are a lot of moving parts to build, pieces to hook up, and external functionality to integrate. The whole makes the identity ecosystem which was once a dream of a few but is fast becoming a reality for many.
Kubernetes (K8S) is an open-source container orchestration tool that can automatically scale, distribute, and handle faults on containers. Originally created by Google and donated to the Cloud Native Computing Foundation, Kubernetes is widely used in production environments to handle Docker containers (although it supports other containers tools such as rkt) in a fault-tolerant manner.
SJ Technologies partnered with Sonatype for the DevSecOps Community 2018 Survey. The survey was wildly popular, receiving answers from more than 2,000 respondents representing a wide range of industries, development practices, and responsibilities. One-third of respondents (33%) came from the technology industry, and banking and financial services was the second most represented group (15%). 70% of all respondents were using a container registry. With so many respondents utilizing containers, a deeper dive into container security is in order.
EY has announced the finalists for the Entrepreneur of the Year 2018 Award in the Mid-Atlantic Region. The awards program recognizes entrepreneurs excelling in areas such as innovation, financial performance and personal commitment to their businesses and communities.
Cybersecurity Ventures has released its first annual Cybersecurity 500 list, including 14 of Maryland’s hottest and most innovative companies.
The Maryland Tech Council (MTC), Maryland’s largest technology trade association, announced the winners of its 30th Annual Industry Awards during a celebration and ceremony at The Hotel at the University of Maryland attended by more than 550 business leaders from around the state.
The Maryland Tech Council (MTC), Maryland’s largest technology trade association, announced the winners of its 30th Annual Industry Awards during a celebration and ceremony at The Hotel at the University of Maryland attended by more than 550 business leaders from around the state.
In a recent episode of the Continuous Discussions (#c9d9) podcast, a group of industry experts discussed why DevSecOps is officially more than just a buzzword, tips on how to get everyone in the organization to own security and some of their own challenges and experiences baking security into the software delivery pipeline.
In two weeks GDPR will become law. Unfortunately, far too many organisations are ill prepared when it comes to their compliance readiness. The first large scale breach following 25th May will demonstrate just how unprepared the industry is when it comes to their cybersecurity hygiene.
To succeed in today's marketplace, companies need to innovate, driving everyone from tractor manufacturers to airlines to become software development shops. The pace of innovation precludes building everything from scratch, resulting in 80-90% of a modern application consisting of open source components. This translates to global downloads of open source components in the tens of billions.
More than half of the Fortune 100 could be at risk of falling prey to the same kind of hack that caused devastation at Equifax last year, and it all comes down to poor open source component governance.
Last year's huge security breach in the systems of US-based credit reporting agency Equifax was not a once-off anomaly of poor cyber hygiene.
The flawed software that led to the data breach at Equifax Inc. is still being downloaded and used at thousands of companies, raising concerns that proliferation of unpatched versions could lead to greater exposure to cyberattacks.
Under-fire credit reporting agency Equifax has released updated figures clarifying the types and volumes of data stolen in its massive 2017 breach.
Despite the Equifax breach that exposed the personal data of more than 145 million Americans, Fortune is reporting that thousands of companies have the same computer security holes in their networks that places the sensitive data of consumers at risk.
Equifax said on Friday that in response to requests for additional information, it's shared more breach details with several U.S. Congressional committees. Notably, the data broker said that its breach investigators found that consumers had uploaded images of various government-issued identity documents that were exposed in the attack, including 38,000 driver's licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports.
When the news emerged that Equifax had succumbed to a colossal data breach from mid-May through July of last year, consumers were livid—in part because the ransacking was entirely preventable. Hackers stole 148 million people’s names, Social Security numbers, birthdates, home addresses, and more sensitive information, as of the major credit bureau’s last count in March, and worse yet, it happened two months after software fixes for the vulnerabilities at fault had been made available.
International Data Corporation (IDC) today published an IDC Innovators report identifying three technology providers that are considered key emerging vendors in the agile code development market. The three companies named as IDC Innovators are CloudBees Inc., GitLab Inc., and Sonatype, Inc.
If there was one key takeaway for developers from RSA 2018, the cybersecurity industry's massive gathering in San Francisco that ended last week, it was that organizations are shifting security "left" in earnest
Sonatype published findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions. Survey respondents with mature DevOps practices were 338% more likely to integrate automated security than organizations with no DevOps practice.
As evident by the speaker tracks and hallway discussions here this week at the RSA Conference, the marriage of DevOps and security principles driving the DevSecOps movement is finally gaining traction in the security community.
Cybersecurity has long been said to be a hot industry in the D.C. metro area.In a three-year period from 2011 to 2014, the D.C. metro area saw three cybersecurity acquisitions totaling $4.1 billion. And currently, there are more than 77,500 filled cybersecurity jobs in the D.C. metro area, and another roughly 41,700 job openings in the field, according to records maintained by the Commerce Department’s National Institute of Cybersecurity Education.
IT professionals are recognizing the weaknesses of DevOps and are looking for ways to improve. Security is the main gripe many people have. This has led to increased popularity in DevSecOps. Sonatype recently released a survey where they talked with over two thousand IT professionals about DevOps and where they utilize security.
Sonatype polled 2,076 IT professionals to discover practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions, and the results of the survey showed that breaches related to open source components grew at a staggering 50% since 2017, and 121% since 2014.
The RSA Conference in San Francisco is a hotbed of news, analysis and reports on the security industry, with research from the Cloud Security Alliance (CSA) and automation software provider Sonatype being of particular interest.
Sonatype President Bill Karpovich on concerns other companies are vulnerable to the same cyber attack as Equifax.
Breaches related to open source components have grown 50 percent since 2017, and an eye-opening 121 percent since 2014, according to a new survey from open source governance and DevSecOps automation specialist Sonatype.
Modern software development is trending more toward a componentized approach because developers would rather assemble something using a variety of well-built pieces of third-party code than reinvent the wheel every time they create something new. The approach has done wonders for speed and agility, but it's increasing a lot of enterprise attack surfaces because too few organizations are keeping up with the vulnerabilities these components pose.
Breaches related to open source components in applications have soared by 50% since 2017, according to a new study from Sonatype urging developers to adopt DevSecOps practices.
A new survey from Sonatype has revealed that DevOps teams are automating security 338 per cent more often as open source breaches jump by 55 per cent. The firm published the findings from its 5th annual DevSecOps Community Survey of 2,076 IT professionals which shared practitioner perspectives on evolving DevSecOps practices, shifting investments and changing perceptions.
Die Umfrage von Sonatype vermittelt die Praxisperspektiven der Fachleute im Hinblick auf die Entwicklung von DevSecOps-Verfahren, die Verschiebung von Investitionen, sowie sich verändernde Wahrnehmungen. Bei Umfrageteilnehmern, die ausgereifte DevOps-Verfahren einsetzen, lag die Wahrscheinlichkeit, automatisierte Sicherheit zu integrieren um 338 Prozent höher, als bei Unternehmen, die keine DevOps-Verfahren im Einsatz haben.
Within a month of launching a scan for known vulnerabilities in JavaScript and Ruby libraries, the GitHub code repository site identified an incredible 4 million security flaws in the half-a-million repositories on its platform.
For many years, technology startup activity in the metropolitan Washington D.C. area has been respectable but very narrowly focused. Most of these startups, including cybersecurity companies, have traditionally targeted the federal government as their primary customer because the government has always been a much easier sell than the broad commercial market.
Sonatype, a provider of development and operations (DevOps) tools designed to help organizations automate their software supply chains, now offers its Nexus Firewall to developers using the open-source version of its Nexus Repository software storage, distribution and organization tool.
No one ever became a programmer so they could mange open-source licenses. But, that's what many developers must do these days. Black Duck Software, the open-source software logistics and legal solutions provider, and North Bridge found in 2015 that 66 percent of companies create open-source software. That's great, but all that code comes with a wide variety of licenses, each with its own set of requirements. What's a developer or company to do?
The software industry has failed to sufficiently protect the public from data theft and misuse. It’s time for the U.S. government to get serious about regulation.
Looking for a new gig and not willing to take a pay cut? You’re in luck. There are a handful of jobs that boast solid median base pay as well as a strong track record of pay growth. Glassdoor’s Local Pay Reports show that there are now a wide variety of positions that have been seeing big increases in pay from year to year (and even month to month).
Next month, we're proud to participate in two special events focusing on DevSecOps. Ahead of DevSecOps Days and our webinar with John, we wanted to share some tips and emerging trends for DevSecOps that experts shared on another industry panel - the one held at the recent DevOps Enterprise Summit in San Francisco 2017.
Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I’m in blizzard-besieged Boston, Massachusetts, for the epic Spring One Tour Boston event. Unfortunately, due to this crazy snow storm/blizzard, the event’s been postponed one day as we all grapple with the weather. Hope you were able to join the Spring Boot 2.0 launch webinar! If not the replay will be available here and don’t forget to check out the launch blog!
At this point, the concept of DevOps should be familiar to everyone. But with the rise of cybersecurity attacks, organizations have seen the need to incorporate security into the mix. Thus, the idea of DevSecOps.
Linux will turn 30 in three years. We look at how far the major Linux distributions – or distros – have come over the past year and what they might be able to bring in the future.
More and more people are mining cryptocurrency to cash in on the craze. But some are actually hacking into computers to leverage other people's mining power. Sonatype's Senior Vice President Bill Karpovich explains the danger of these miners and how hackers exploited IBM several years ago.
“If 2017 was the year of ransomware, 2018 is going to be the year of crypto-jacking,” said Bill Karpovich, Vice President of strategy at software security company Sonatype.
Hot on the heels of the French legislators, the government in the UK is now announcing tougher guidelines device manufacturers in its Security by Design review. Crucial here is the move to build security into smart devices from the very beginning and ensure software is automatically updated.
Sonatype’s CTO Brian Fox, talks to TEISS on how and why BitPay’s Copay wallet was compromised, why it’s new territory, and what the industry as a whole should be looking to do to secure their software supply chains to make sure it doesn’t happen again.
Amid rising concerns about the security of IoT devices, the government today announced its intent to make manufacturers of IoT devices responsible for the security of their products, while also proposing new rules to ensure that buyers are aware of security features in such devices at the time of purchase.
Free and open source software is far more than just another way to develop code. In fact, the rise of the open source revolution represents a fundamental change in the way we use information to create a better world.
DevOps is a philosophy of IT operations that binds the development of services and their delivery to the core principles of W. Edwards Deming’s points on Quality Management. When applied to software development and IT organizations, Deming’s principles seek to improve the overall quality of software systems as a whole.
The number of buggy open source components downloaded in the UK has soared by over 100% over the past year, according to new research from Sonatype. The DevSecOps automation firm revealed that one in eight open source components downloaded in the country last year contained known security vulnerabilities – a 120% year-on-year increase.
The Maryland Tech Council announced the finalists for its 30th anniversary industry awards.
DevOps Radio is a CloudBees-sponsored podcast series. Hosting experts from around the industry, the show dives into what it takes to successfully develop, deliver and deploy software in today’s ever-changing business environment. From DevOps to Docker, each episode features real-world insights and a few stories, tips, industry scoop and more.
The French government has drawn up proposals to hold software manufacturers accountable for security vulnerabilities. The proposed legislation would make manufacturers liable for the security of a product while it is on the market, and with the possibility of requiring its software to be made open-source at end-of-life.
If you’ve got DevOps chops, you already know you’re in demand. And if you’re an IT leader hiring for a DevOps shop, you know the challenges in finding good people. Like DevOps itself, the DevOps job market continues to evolve. And let’s be honest: This isn’t an area of consensus in IT, as the ongoing debate about titles such as “DevOps Engineer” attests.
Today's software development teams haveÊincreasingly embraced the use of open source and third-party components in building their projects instead of actually starting from scratch. But while open source usage has added significant value to software development, enabling speed and innovation in teams, it has also introduced a host of security vulnerabilities.
The term “DevOps” is typically credited to this 2008 presentation on agile infrastructure and operations. Now ubiquitous in IT vocabulary, the mashup word is less than 10 years old: We’re still figuring out this modern way of working in IT. Sure, people who have been “doing DevOps” for years have accrued plenty of wisdom along the way. But most DevOps environments – and the mix of people and culture, process and methodology, and tools and technology – are far from mature.
It’s a truism of the Digital Age that anything can be hacked. It’s also a truism that things aren’t always what they seem. Those notions hold true for CCleaner, which, with 115 million monthly active users, is the most popular Windows system-cleaning and -optimizing software in the world. New findings about an attack on older versions of CCleaner, first disclosed last week, indicate that hackers targeted the popular third-party consumer utility in order to infiltrate corporate computer systems.
In the wake of the hacking last week of U.S. consumer credit reporting agency Equifax Inc., security experts bemoaning are calling for big changes, including big penalties for the data brokers that hold so much information critical to everyone’s financial life.
Sonatype of Fulton appointed Letitia Long and Steve Hills board members.
In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++. Sonatype, well known as the creators of artifact repositories Apache Maven and Nexus, have extended their previously Java, JavaScript, .Net and Python centric component intelligence capabilities to include the new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.
