Kenna Security and Sonatype Partner to Enhance Risk-Based Vulnerability Management with Open Source Intelligence


New relationship underscores the need for enterprises to manage open source risk as part of an integrated and comprehensive security program

SAN FRANCISCO, Calif. and FULTON, Md. – February 26, 2019 – Today, Sonatype, the leader in automated open source governance, and Kenna Security, a leader in predictive cyber risk, announced a strategic partnership to enhance the risk-based vulnerability management strategies of modern enterprises with best-in-class intelligence on open source components.

Constantly evolving security threats mandate automated security processes. Organizations are turning to both Kenna Security and Sonatype to better assess, manage and remediate the most critical vulnerabilities in the shortest amount of time. Over 10 million developers rely on Sonatype to mitigate the risk inherent in open source, and hundreds of enterprises trust Kenna Security to prioritize risk and protect more than 13 million assets.

This new integration combines Sonatype’s open source vulnerability and policy detections with Kenna Security’s risk-based vulnerability management platform. Together these tools provide the companies’ joint customers with deep analysis of open source security, drawing on Sonatype’s vulnerability and license exposure data.

Sonatype’s data is automatically imported into the Kenna Security Platform, where it is analyzed against internal and external threat intelligence and then prioritized for remediation based on overall risk to the organization. This enables risk prioritization across the multiple tools in an application security program and improves the return on remediation effort for customers.

Kenna Security and Sonatype customers can now:

  • Ensure truly critical vulnerabilities are identified, prioritized, and remediated with minimal overhead.
  • Leverage best-in-class open source security and license data to guide remediation and lessen the risk associated with software supply chain issues.
  • Effectively prioritize vulnerabilities by risk across an entire suite of application security products, ensuring a return on invested development effort.
  • Reduce the volume of false positives by correlating the best available data across differing vendor technologies.
  • Integrate, normalize, and de-duplicate a wide range of security data from all connected data sources for the most comprehensive application context available.

Supporting Quotes

Ed Bellis, CTO and Cofounder, Kenna Security

“Developers find open source software attractive because it enables a collaborative approach. Unfortunately, these components have posed a growing threat, and many vulnerability management strategies are incomplete if they cannot address them. We support Sonatype’s approach to address open source risk and know that both companies’ customers will gain significant value leveraging a risk-based approach to vulnerability management.”

Bill Karpovich, EVP, Sonatype

“Based on proprietary research, we know that 80-90% of all modern applications are made up of open source components and that, on average, enterprises use over 150,000 open source libraries as part of that development process. It’s impossible to truly know what’s in your applications without automation. Together, Kenna Security and Sonatype enable shared customers to mature their application security program with a single, integrated platform that puts their needs at the forefront and doesn’t compromise depth and capability.”

About Kenna Security
Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at