Micro Focus Extends Partnership with Sonatype to Bring Best-In-Class Open Source Security to all Fortify Customers


Expanded relationship underscores the urgency for enterprises to manage open source risk as part of a comprehensive application security program

WASHINGTON, D.C. - Micro Focus Cybersecurity Summit 2018 - September 25, 2018 - Today, Sonatype, the leader in automated open source governance and application security, and Micro Focus, creator of Fortify Application Security Portfolio, announced an expanded strategic partnership to provide more enterprises with best-in-class open source governance and security.

Since 2014, the companies have been working together exclusively, in support of Micro Focus’ application security as a service offering, Fortify on Demand (FoD), and collaborating across joint enterprise clients to provide 360-degree application security. This enhanced relationship will bring the combined power of Fortify and Sonatype to even more customers, with a new integration optimized specifically for Fortify’s on premises application security solutions and Software Security Center (SSC). Fortify SSC and Sonatype customers gain the advantages of a single, integrated application security platform, without compromising depth and capability in managing open source risk and vulnerabilities.

Most security breaches today occur because of application vulnerabilities and, according to Forrester Research, 80-90% of a typical software application is composed of open source libraries. These facts are changing the way enterprises think about security overall and make open source libraries a critical dimension of any serious application security initiative.

With Sonatype's heritage in the developer community and its ability to integrate seamlessly into the DevOps workflow, the partnership also allows enterprises to accelerate their DevSecOps initiatives and proactively address security concerns by "shifting left" in the development lifecycle. For example, with Sonatype's platform, developers are presented with the insight they need directly within their development tools to select the highest quality libraries from the beginning; policies are then used to automate governance throughout the DevOps pipeline.

“From our own research and experience we know that the average enterprise is using over 150,000 open source libraries across their application portfolio. Last year’s Equifax breach was a wake-up call for those who are not intelligently managing and monitoring their open source consumption,” said Sonatype EVP Bill Karpovich.

Scott Johnson, General Manager of Fortify at Micro Focus, added, “Organizations globally are making application security a priority, but it’s a complex and evolving process that is most effectively delivered through an integrated platform. Continuous scanning, analysis and tracking of open source libraries is an increasingly important part of an enterprise’s application security program. It’s natural for us to expand our relationship with Sonatype, and directly integrate this capability into Fortify SSC.”  

With the expanded partnership, Sonatype becomes Fortify's first hybrid open source partner, with integrations for both SSC (on-premises) and FoD (AppSec as a service). Together, the companies will broaden the open source library scanning in the current FoD integration, and Sonatype will offer a turnkey integration of its Nexus Lifecycle for on-premises and cloud-hosted Fortify SSC customers. Additional cross-portfolio integrations are also planned for 2019.

The new partnership and Fortify SSC integration will be officially unveiled at the Micro Focus Cybersecurity Summit in Washington, D.C., which begins today, Tuesday, September 25th. Stop by the Sonatype booth for a live demo.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source.  Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline.  Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at www.sonatype.com.