Skip Navigation

Security at Sonatype

Introduction 

Sonatype’s mission is to empower your software development teams with precise open source intelligence and to help you avoid flawed open source libraries that could increase cyber and other risks. We’re committed to being transparent about our security practices and helping you understand our approach. 

Organizational Security 

Sonatype’s Information Security Program is based on ISO 27000 and NIST standards and is constantly evolving with updated guidance and new industry best practices.

A formal governance body composed of executives meets regularly to make decisions on the program direction, policies, risks and funding. Sonatype’s security team, led by the Director of Information Security, is responsible for the implementation and management of our security program, which includes; Organizational Security, Secure DevOps, Monitoring, Incident Response, Risk and Compliance.

Sonatype SOC 2 Report
Available upon request
ISO 27001 Certification
Download Certification
Information Security Management Policy
Download Policy
2023 HDS Pen Test Letter of Attestation
Download Letter of Attestation

 

Protecting Our Customers 

The focus of Sonatype’s security program is to protect our customers, employees and our organization from harm. To this end, our passionate team of security practitioners, working in partnership with various teams across the company, take careful measures to identify and mitigate risks, implement best practices, and constantly develop ways to improve. 

All data transmitted between Sonatype’s clients and service is done so using strong encryption protocols. Sonatype supports the latest recommended secure cipher suites to encrypt data, including use of TLS 1.2 protocols and AES256 encryption.

Security By Design - At A Glance 

Sonatype's information security program is built on the principles of defense in depth and least privilege: securing our organization and products, at every layer. ISO 27001 certification achieved May 2021. 

Our information security policies include a global security policy, BC/DR, incident response, data classification, asset management, HR and compliance. Policies are reviewed annually and when material changes occur. Employees are required to complete security awareness training. 

Sonatype’s product security team has built a secure development lifecycle, which primarily leverages our own products and OWASP practices. While we strive to catch all vulnerabilities in the design and testing phases, we understand that sometimes mistakes happen. With this in mind, we have a public bug disclosure program to facilitate responsible disclosure of potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.

Sonatype performs annual penetration testing using a qualified, 3rd party penetration testing company.  We perform annual penetration testing against our core products, letters of attestation can be found here.  Reports are available upon request. Any Critical or High findings from the penetration testing are immediately routed via an escalated management process to get worked through to resolution. An external penetration testing report is available upon request."

Our BC/DR controls are tested no less than annually. Multi-factor authentication is implemented for the general population to access email, files and other services. MFA + VPN is required to access the production environment within AWS. AWS security controls include IAM, Guard Duty, VPCs with Security Groups and Cloud Trail. Our incident response planning includes; defined roles and responsibilities, escalation, communication, and regular testing. 

Conclusion 

Protecting our customers and facilitating the creation of safer software is a critical responsibility and we continue to work hard to maintain that trust. Please contact your account executive if you have any questions or concerns.