Sonatype Introduces Next Generation Dependency Management | Press Release

Bloomberg Industry Group and Nexus

Dramatic Improvements to Open Source Governance and a Strengthened Software Supply Chain Using Nexus Lifecycle

Bryan Batty is the Director of Product and Infrastructure Security at Bloomberg Industry Group, a subsidiary of Bloomberg L.P., the news organization behind the Bloomberg Terminal. Bloomberg Industry Group focuses on legal, tax, and accounting news, and on tax and accounting software.

Batty runs the product security and infrastructure security teams. They work closely with developers and the infrastructure teams to make sure that what goes into production and into operations is done securely, which includes looking for existing vulnerabilities in the current infrastructure.

We caught up with Batty to talk about the software development process at Bloomberg Industry Group, and specifically the management of its software supply chain, in this four-part conversation.

“If you start out with a tool like Sonatype’s Nexus Lifecycle, it's going to work out well. You’ll know immediately the version of a component, whether it has a license that you want to use, or if it has known vulnerabilities.”
— Bryan Batty, Director of Product and Infrastructure Security, Bloomberg Industry Group

Part One: Software Composition Analysis

“Over the last couple of years the phrase has become ‘Software Composition Analysis’ [SCA] for scanning third-party libraries, open source libraries, for license violations and for known security vulnerabilities. Among other things, SCA needs to review code quality and the age of the library that you're using...”


Part Two: Building a Secure Pipeline and a Software Bill of Materials (SBOM)

“Start with the source control system. If you had nothing else, at least know that you can version your software, and that two different people working on it at the same time aren’t going to step on each other's toes.”


Part Three: Measuring Success

“If we are able to get those numbers down, then eventually there will be less time we actually spend remediating security and more time building security into the application.”


Part Four: Selecting Sonatype

“If you are faced with an emergency where you have to upgrade, you don't want to try to upgrade 15 years' worth of versions. You should be right at the current version when building new applications or updating existing applications.”
