Sonatype’s New Software Release Determines OSS Risk and Provides Immediate Path to Resolution


An Industry First, Developers Can Now Avoid Security Risks Without Missing Business-Critical Software Delivery Deadlines

Fulton, MD – November 17, 2014 – Sonatype, a software company that enables developers to easily build software applications while significantly reducing security, compliance, and licensing risks, today released a new version of its Component Lifecycle Management (CLM) software. In an industry first, developers can now avoid security risks without missing business-critical delivery deadlines.

While the availability of open source components has dramatically accelerated application development and release schedules, developers are using billions of open source components of unknown origin and risk annually. As a result, many applications containing high-profile, known vulnerabilities, such as Struts2, are being released into the wild on a daily basis. To date, there has been no way to track and trace these known bad components and their dependencies while also keeping pace with today’s agile development requirements. Now, that is no longer the case.

“Developers frequently complain that the security world doesn’t get it,” said Wayne Jackson, CEO Sonatype. “Application security must work at the speed of development or it won’t work. And businesses rely on this speed to compete and thrive. We always have the developer community top-of-mind as we enhance our CLM software to keep applications secure without putting release schedules at risk and slowing the speed of business.”

This new version of CLM provides unprecedented visibility across development teams working with Java, NPM, and NuGet open source components. CLM also provides visibility to where risk resides across market-leading DevOps tools including Maven, Nexus, Hudson, Jenkins, Bamboo, Sonar, Eclipse, etc.

Product benefits include:

  • Perpetual software Bill of Materials: the CLM Dashboard keeps track of every single open source component used, across every application in development or in production, across each stage of the development lifecycle—with the ability to immediately track and trace the use of each component. Additionally, CLM tracks new risks and policy violations against that comprehensive view of component use.
  • Immediately identify risks in new components: When new open source components with vulnerabilities are introduced into apps under development, CLM's dashboard instantly identifies the risk, the application it resides in, and its stage of the application development lifecycle (build, integration, testing, release). No other product can identify new risks in real-time across the SDLC.
  • Immediately identify new risks in existing components: When new vulnerabilities are announced in open source components that already exist within applications being developed or that reside in production, CLM can instantly identify which applications contain those risky components and where they are. No other solution has the ability to track and trace component use over time in development and on into production.
  • Flag violations: When new risks are identified, CLM can notify application development or application security specialists.
  • Decision support to remediate risks: once risks are identified, safer alternative versions of components are immediately presented to developers to begin remediation. No other offering presents recommendations on alternative, safe versions of components to use, nor allows for developers to choose and immediately replace the vulnerable component inside the application.
  • Multi-lingual support: CLM's new dashboard can be used to perpetually manage risk across Java (and soon .NET and npm) application development environments.

Sonatype CLM perpetually monitors risks across the entire software lifecycle. As soon as a vulnerable OSS component is selected for use in an application by a development team, or when a new open source vulnerability is disclosed, it’s instantly flagged for development and application security professionals, and integrated decision support is provided to remediate the risk. A huge leap forward for over-burdened developers -- detection and correction take minutes, versus traditional application security and manual open source governance approaches that take days to weeks.

Sonatype’s new software is available for purchase today. For more information, please visit:

About Sonatype:

Every day, developers rely on millions of third-party and open source building blocks — known as components -- to build the software that runs our world. Sonatype ensures that only the best components are used throughout the software development lifecycle so that organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: