Sonatype Expands Support for Open Source Communities with Key Partnerships


Company joins the Open Source Security Foundation and OpenChain Project, sponsors Python Software Foundation  

October 05, 2021 -- Fulton, Md. -- Sonatype, the leader in developer-friendly tools for software supply chain automation and security, today announced three partnerships with important open source community foundations and projects as part of its ongoing mission to give back to, support, and help protect open source ecosystems.

“As the maintainers of the largest repository of open source components in Maven Central, we have a unique view into how great the demand for open source has become. However, as that demand has grown, bad actors have recognized the power of open source and are seeking to use that against the industry. As these software supply chain attacks become more commonplace, open source developers have become the frontline of this new battle,” said Brian Fox, CTO of Sonatype. “One of our key missions at Sonatype is to help organizations continuously harness all of the good that open source has to offer, without any of the risk. Partnering with, and supporting, institutions like the Open Source Security Foundation, the OpenChain Project, and the Python Software Foundation enables us to learn from the community while combining efforts with other members to share best practices that ultimately make open source safer and more effective.”

Python Software Foundation Sponsorship 

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. With 310,000+ packages on PyPI totaling over 435 million yearly downloads, the Python Software Foundation is focused on cherishing the tooling and infrastructure needed for one of the world’s largest programming languages.

Sonatype is proud to sponsor the Python Software Foundation to help further that mission, and to support the protection of the Python community and open source development with free Python security tools and leading predictive vulnerability intelligence against malicious packages targeting the PyPI ecosystem. By leveraging machine learning and AI to continuously scan all new releases of Python components and detect malicious activity before it reaches development machines, Sonatype is reporting its findings to PyPI so that malicious packages can be proactively uncovered and removed. Using Sonatype’s next-generation Release Integrity capabilities, we’ll make the world safer for all consumers of Python packages.

Open Source Security Foundation

OpenSSF is a cross-industry collaboration focused on metrics, tooling, vulnerability disclosures, security tooling, best practices and more, to secure the open source ecosystem and improve the security of open source software (OSS). The foundation brings together leaders from around the world to provide a forum for truly collaborative, cross-industry efforts. Sonatype is honored to now be a part of that forum, as it shares a very similar vision: enabling open source use while minimizing the risk associated with it.

By officially joining OpenSSF, Sonatype can work more closely with other members to keep open source ecosystems safe and secure, as the community collectively works out how to counter both new and old attacks.

OpenChain Project

The OpenChain Project maintains the International Standard for open source license compliance, which allows companies of all sizes and in all sectors to adopt the key requirements of a quality open source compliance program.

Sonatype’s engagement will focus on raising awareness among user companies regarding open source license compliance and security, while ensuring they have freedom of choice when considering commercial automation solutions around ISO/IEC 5230 conformance activities. ISO/IEC 5230 is the International Standard for open source license compliance.

For more information on how Sonatype is involved with, and supporting, open source communities, follow SonatypeDev on Twitter for updates or check out free resources for developers.

About Sonatype 

Sonatype is the leader in developer-friendly, full-spectrum software supply chain automation, providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100, and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that's more aligned with business needs, more maintainable and more secure.

Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world, two years in a row, and has been named to the Deloitte Technology Fast 500 and Inc.