Sonatype Delivers Premium Open Source Controls to GitHub | Press Release


An Imminent Need to Secure the Federal Software Supply Chain

The security landscape for the US Government is changing, and it's time to shift left. In today’s world, understanding what’s in your software supply chain is critical to national security. Read this whitepaper to understand the current state of DevSecOps in the Federal Government.

Epic Failures in DevSecOps, Volume 2

It's not easy to get people to fess up to an epic failure, but that's what we've done. In "Epic Failures in DevSecOps, Volume 2", eleven DevOps/DevSecOps practitioners tell you about their struggles, the problems they were dealing with, and how their journeys turned out.

2019 State of the Software Supply Chain Report

The top 295 (out of 36,000) OSS projects are revealed in the 2019 State of Software Supply Chain report. With research partners Gene Kim and Dr. Stephen Magill, we examined the world's best software development teams to understand their techniques, team structures, and release patterns. 

Gartner Report: Technology Insight for Software Composition Analysis

Open-source and third-party software are often leveraged during application development to boost productivity and provide supporting infrastructure, but convenience comes with risks. Security and risk management leaders must proactively control open-source use to better manage that risk. Read the Gartner Report to learn how.

Software Composition Analysis: Getting to the Signal Through the Noise

Sonatype recently worked with global research and advisory firm, 451 Research, to better understand software composition analysis (SCA) differentiators and highlight key areas that organizations must consider carefully to ensure the right tools and processes are in place. There are many vendors and disparate tools in the SCA market today -- but not all are able to automate your governance initiatives at scale.

Test Drive a DevSecOps Reference Architecture

Successful DevSecOps practices encompass people, processes, tools, and measurement. But where should you start, how can you validate your existing practices, or what are the possibilities? View, modify, and save a version of this Reference Architecture customized to your needs.

DevSecOps Community Survey 2019

Our 6th annual DevSecOps Community Survey represents the voice of 5,558 IT professionals and demonstrates that DevOps practices are maturing rapidly, security is being automated earlier in the development lifecycle, and management of software supply chains is a critical differentiator.

Open Source Security Intelligence

Precise intelligence is critical when using open source components. Read a side-by-side comparison of Nexus vs. one competitor conducted by a large publicly traded utility company that was looking for a tool to help them rapidly identify and remediate application security risks across their entire SDLC whenever new open source vulnerabilities are publicly disclosed.

A Lesson in Precision: CVE Data is not the Gold Standard

Precise intelligence is critical when using open source components. Read a side-by-side comparison of Nexus vs. WhiteSource conducted by a large health information technology organization that was looking for a tool that would help them remediate application security risks across their entire SDLC.

Feedback Loops: Voices of All Day DevOps, Volume 1

Over the years, All Day DevOps has explored the stories of over 275 community practitioners around the world, and as with any journey, there is never a single path to success. The challenges they faced, their frustrations, their opportunities, and their accomplishments are captured in this ebook to help you in your own transformation.

Name-based data matching is only moderately better than not scanning at all

Precise intelligence is critical when using open source components. Read a side-by-side comparison of Nexus vs. JFrog conducted by a top tier financial services corporation that was looking for a tool that would help them remediate application security risks across their entire SDLC.

2019 DevSecOps Reference Architectures

See what tools your peers are using to scale DevSecOps and where your choices stack up as you consider shifting security left.

The Total Economic Impact of The Sonatype Nexus Platform Executive Summary

Consumers expect organizations to offer expanded value through software applications, so businesses must ensure they are providing not only a user-friendly experience but a secure one too.

2018 State of the Software Supply Chain Report

In this world, speed is critical, open source is everywhere, and security concerns are sometimes relegated to the back seat — which is why we’re once again examining the state of the open source software supply chain.

Epic Failures in DevSecOps, Volume 1

Through short stories from expert practitioners, observe patterns the DevSecOps community can learn from to safely push the boundaries of software development.

Evolve Faster Than The Threat

By automating Risk Management Framework (RMF) security objectives, agencies can operate at the speed of mission and significantly accelerate system delivery and continuous security.

2018 DevSecOps Reference Architectures

View the common set of tools peers use: Sonatype Nexus, Sonatype Nexus Lifecycle, HP Fortify, SonarQube, Jenkins, Twistlock, JIRA, Contrast, Aqua, OWASP ZAP, FindBugs, Gauntlt, OWASP Dependency-Check, Nessus, ThreadFix.

Accelerate Innovation with Automated Security

As the number of breaches continues to rise, DevOps organizations are making investments to better protect themselves by doing more than just building stronger castle walls. These organizations are taking steps to integrate and automate security across the development lifecycle to build quality into their software.

2018 DevSecOps Community Survey Report

Based on responses from 2,076 participants, findings show that while open source breaches are increasing, developers are also thinking about security more.

Use DevOps and Supply Chain Principles to Automate Application Delivery Governance

Forrester describes how application delivery organizations are applying automated supply chain management practices to improve both application delivery governance and business results.

Why Precision Matters in Managing Open Source Software

Software developers use open source and third-party components to be more competitive and to shorten time to innovation. Because of this, open source usage is massive and growing. However, not all open source components are created equal. Read how you can use the Nexus platform to accelerate DevOps without sacrificing software quality.

JavaScript: Thou Shall Not Depend On Me

Six researchers from Northeastern University offer a comprehensive study of JavaScript library usage and the resulting security implications. Analysis of 133,000 websites reveals that 37% of them include at least one library with a known vulnerability.

2017 DevSecOps Community Survey

Traditional waterfall-native security practices often don’t fit in the DevOps native world. This survey gives a better sense of how organizations are adapting, what challenges they’ve overcome, and what approaches they are prioritizing.

30+ Nexus Integrations to Accelerate DevOps

No single tool can deliver on the promise of DevOps. Instead, it’s a collection of tools, easily integrated, tightly managed, and effectively automated. Learn how Nexus integrates with the DevOps tools you use every day.

Improve RMF Practices Through Automation

Learn how Federal agencies can employ software supply chain automation to closely align with each step of their Risk Management Framework (RMF) practice.

Four Strategies for Securing Federal Applications at the Speed of DevOps

Agencies need security protocols that can keep pace with development practices without holding them back. Discover how software supply chain automation (SSCA) can help agencies achieve greater agility through DevOps while ensuring the code they're using is free of known vulnerabilities.

DevOps and Continuous Delivery Reference Architectures

We have assembled 40 real-world DevOps and Continuous Delivery reference architectures from our user community. Each of them offers insight into the user's organizational structure, tool chain, and DevOps processes. Constant themes across the tool chains reveal use of: Jenkins, Sonatype Nexus, Git, Docker, Puppet/Chef, ServiceNow, and Sonar.

Appropriate Software Security Control Types for Third Party Service and Product Providers

Third-party software is the new perimeter for every financial institution. According to Gartner, “since enterprises are getting better at defending perimeters, attackers are targeting IT supply chains.” Read the guidelines published by FS-ISAC to manage the risk associated with open source libraries and components.
