Sonatype’s mission is to empower your software development teams with precise open source intelligence and to help you avoid flawed open source libraries that could increase cyber and other risks. We’re committed to being transparent about our security practices and helping you understand our approach.
Sonatype’s Information Security Program is based on ISO 27000 and NIST standards and is constantly evolving with updated guidance and new industry best practices.
A formal governance body composed of executives meets regularly to make decisions on the program direction, policies, risks and funding. Sonatype’s security team, led by the Director of Information Security, is responsible for the implementation and management of our security program. The Director of Information Security is supported by the members of Sonatype’s Security Advisory Team, who focus on Organizational Security, Security Research, Secure DevOps, Monitoring, Incident Response, Risk and Compliance.
The focus of Sonatype’s security program is to protect our customers, employees and our organization from harm. To this end, our passionate team of security practitioners, working in partnership with teams across the company, takes careful measures to identify and mitigate risks, implement best practices, and constantly develop ways to improve.
Your application code is never transmitted to Sonatype. Instead, a hash algorithm is applied to specific markers of the analyzed code to produce unique identifiers. Only these hashed markers are sent to Sonatype, where they serve as keys to retrieve the component metadata associated with known open source components.
Sonatype's information security program is built on the principles of defense in depth and least privilege, securing our organization and products at every layer. ISO 27001 certification is planned for early 2021.
Our information security policies include a global security policy, BC/DR, incident response, data classification, asset management, HR and compliance. Policies are reviewed annually and when material changes occur. Employees are required to complete security awareness training.
Sonatype’s product security team has built a secure development lifecycle, which primarily leverages our own products and OWASP practices. While we strive to catch all vulnerabilities in the design and testing phases, we understand that sometimes mistakes happen. With this in mind, we have a public bug disclosure program to facilitate responsible disclosure of potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.
Our BC/DR controls are tested no less than annually. Multi-factor authentication is required for the general employee population to access email, files and other services. MFA is also required to access the production environment within AWS. AWS security controls include IAM, GuardDuty, VPCs with Security Groups and CloudTrail. Our incident response plan defines basic roles and responsibilities, escalation paths and communication procedures.
All data transmitted between Sonatype’s clients and service is protected using strong encryption protocols. Sonatype supports the latest recommended secure cipher suites to encrypt all traffic in transit, including TLS 1.2 and AES-256 encryption.
Protecting our customers and facilitating the creation of safer software is a critical responsibility, and we continue to work hard to maintain that trust. Please contact your account executive if you have any questions or concerns.