Sonatype Adds Third-Party and Open Source Component Visibility to HP Fortify on Demand


Provides Customers Unprecedented Software Application Security

SAN FRANCISCO, CA – February 24, 2014 — Sonatype, the software company that enables developers to rapidly build secure software while also eliminating compliance and licensing risk, today announced that its component lifecycle management (CLM) analysis technology has been integrated with HP’s cloud-based software security solution – HP Fortify on Demand.

In today’s IT environment, companies struggle to ensure that all software applications are adequately assessed for security vulnerabilities introduced through third-party and open-source components. A typical enterprise application can be composed of up to 90 percent third-party and open-source building blocks. These reusable components improve speed, efficiency and innovation. However, relying on them without proper insight and governance can leave organizations exposed to crippling security attacks, licensing liability, and compliance risk.

As part of the integration, Sonatype provides component analysis that identifies the third-party and open-source components commonly used as building blocks in modern applications. HP Fortify on Demand delivers comprehensive, accurate and affordable software analysis that identifies security vulnerabilities in any application: web, mobile, infrastructure or cloud. Together, these capabilities make for a more complete software security solution by reducing an enterprise’s exposure to risk caused by the rapid adoption of open-source software components.

“Given the dramatic shift to component-driven software development, there is an urgent need to address open source component usage,” said Wayne Jackson, CEO of Sonatype. “In combining HP Fortify on Demand’s ability to identify custom software risks with Sonatype’s ability to identify third-party and open source software risks, companies are able to achieve unprecedented application security.”

Existing HP Fortify on Demand customers can now leverage the Sonatype CLM analysis technology to create a ‘bill of materials’ listing all components used in an application, identify which components have known vulnerabilities or license risk, and prioritize remediation.
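As an added illustration of the bill-of-materials workflow described above (this is example code written for this page, not Sonatype CLM or HP Fortify on Demand code): parse a constructed Maven `dependency:list`-style output into a BOM, check each component's version against a constructed, hypothetical advisory feed, and rank the findings so that shipped, high-severity issues come first. Every coordinate, advisory identifier, version range and severity below is made up for the example; the version ordering is a simplified approximation of Maven's, not the real algorithm.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape `mvn dependency:list` prints, one
# groupId:artifactId:type:version:scope per line. All coordinates are fictional.
SAMPLE_DEPENDENCY_LIST = """\
com.example:json-parser:jar:1.4.2:compile
com.example:http-client:jar:2.0.0:compile
org.example:crypto-utils:jar:0.9.1:compile
org.example:template-engine:jar:3.1.0-beta2:runtime
net.example:logging-shim:jar:1.0.0:test
"""

# Constructed, hypothetical advisory feed keyed by groupId:artifactId. Each entry
# is an affected range [introduced, fixed) with a CVSS-style severity and a
# placeholder identifier. None of these are real advisories.
SAMPLE_ADVISORIES = {
    "com.example:json-parser": [
        {"id": "EXAMPLE-2014-0001", "introduced": "1.0.0", "fixed": "1.4.3", "severity": 9.8}],
    "org.example:crypto-utils": [
        {"id": "EXAMPLE-2014-0002", "introduced": "0.1.0", "fixed": "1.0.0", "severity": 7.5}],
    "org.example:template-engine": [
        {"id": "EXAMPLE-2014-0003", "introduced": "3.0.0", "fixed": "3.1.0", "severity": 5.3}],
    "com.example:http-client": [
        {"id": "EXAMPLE-2014-0004", "introduced": "1.0.0", "fixed": "2.0.0", "severity": 8.1}],
    "net.example:logging-shim": [
        {"id": "EXAMPLE-2014-0005", "introduced": "1.0.0", "fixed": "1.0.1", "severity": 9.0}],
}


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    scope: str

    @property
    def key(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    severity: float
    fixed_in: str


def version_key(version: str) -> list[tuple[int, object]]:
    # Split on '.' and '-'; numeric tokens tag as (1, int), qualifiers as (0, str)
    # so that any qualifier sorts below a numeric token at the same position.
    return [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in re.split(r"[.\-]", version)]


def compare_versions(a: str, b: str) -> int:
    """Simplified Maven ordering: returns -1, 0 or 1. Shorter versions are padded
    with numeric zeros, so 1.4 == 1.4.0 and 3.1.0-beta2 < 3.1.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0)] * (n - len(ka))
    kb += [(1, 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_dependency_list(text: str) -> list[Component]:
    """Build the bill of materials from dependency:list style lines."""
    bom = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            raise ValueError(f"unexpected coordinate format: {line!r}")
        group, artifact, _type, version, scope = fields
        bom.append(Component(group, artifact, version, scope))
    return bom


def match_advisories(bom: list[Component], advisories: dict) -> list[Finding]:
    """A component is affected when introduced <= version < fixed."""
    findings = []
    for comp in bom:
        for adv in advisories.get(comp.key, []):
            if (compare_versions(comp.version, adv["introduced"]) >= 0
                    and compare_versions(comp.version, adv["fixed"]) < 0):
                findings.append(Finding(comp, adv["id"], adv["severity"], adv["fixed"]))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Shipped scopes (compile/runtime/provided) first, then highest severity."""
    shipped = {"compile", "runtime", "provided"}
    return sorted(findings, key=lambda f: (f.component.scope not in shipped, -f.severity))


if __name__ == "__main__":
    bom = parse_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for f in prioritize(match_advisories(bom, SAMPLE_ADVISORIES)):
        c = f.component
        print(f"{f.severity:>4} {f.advisory_id} {c.key}:{c.version} ({c.scope}) -> upgrade to {f.fixed_in}")
```

The ranking deliberately puts a test-scoped component below shipped ones even when its severity is higher, since it never reaches production; a real triage would also weigh reachability and exploit availability, which this example does not model.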

“While open source enables organizations to reduce the time and resources needed to develop enterprise software solutions, these components can expose those offerings to unseen vulnerabilities,” said Jason Schmitt, director of product management, Fortify, HP. “HP Fortify on Demand integrates the open-source analysis capabilities of Sonatype, to give customers peace of mind that their open-source based applications are secure.”

With automated governance, monitoring, and alerts, Sonatype Component Lifecycle Management allows enterprises to identify flawed components and fix them throughout the software development lifecycle. Five of the world’s largest banks, multiple multinational corporations, and several of the United States’ largest government agencies have recently enlisted Sonatype to help them address what is, for many, an application security crisis.

Learn more at

About Sonatype

Sonatype’s software protects the world’s enterprise software applications from security, compliance, and licensing risks, while reducing application development and deployment time. Every day, millions of developers build software applications from open source building blocks, known as components. Customers rely on Sonatype software to select and use the best components from the start of the development lifecycle so that trustworthy applications can also meet release deadlines. Policy automation, ongoing monitoring, and proactive alerts ensure these applications remain secure over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. Visit: