Security at Sonatype

Sonatype helps organizations confidently build and operate software by providing trusted open source intelligence that reduces security, operational, and compliance risk. Our focus is on protecting our customers: helping them avoid vulnerable or risky open source components, and safeguarding the data they entrust to us.

Transparency is a core part of that commitment.

To make it easy for customers and partners to assess our security and compliance posture, Sonatype offers a self-service Trust Center where you can securely access current security, compliance, and risk documentation at any time.

A Mature, Governed Security Program

Sonatype’s Information Security Program is aligned with the internationally recognized ISO/IEC 27000-series and NIST frameworks and continuously evolves to address emerging threats, regulatory expectations, and industry best practices. This approach helps ensure customer data is protected by a mature, risk-based, and continuously improving security program.

Our security program is governed by a formal executive committee that provides oversight of strategy, risk posture, policy approval, and investment decisions. A dedicated Information Security team is responsible for day-to-day execution and continuous improvement across the following domains:

Organizational & Enterprise Security

Secure Software Development & DevSecOps

Security Monitoring, Detection & Response

Risk Management & Compliance

Business Continuity & Resilience

Third-Party & Cloud Security

Sonatype recognizes that strong security extends beyond our own environment. We maintain a formal Third-Party Risk Management program to assess and manage risks associated with vendors, partners, and cloud service providers that may access, process, or support Sonatype systems and data.

All third-party services are subject to risk-based security reviews prior to onboarding and periodically thereafter. These reviews evaluate factors such as data sensitivity, business criticality, security controls, compliance posture, and incident response capabilities. Identified risks are tracked, mitigated, or formally accepted in accordance with Sonatype’s risk management framework.

Cloud service providers supporting Sonatype products are required to meet applicable security and compliance standards, and independent assurance (such as SOC or ISO reports) is reviewed as part of our due diligence process.

Trust Center & Compliance Transparency

Sonatype maintains a secure, self-service Trust Center that provides customers with on-demand access to security and compliance materials, including:

SOC 2 Type II Reports

Security Policies and Standards

Independent Penetration Testing Attestations

Compliance Certifications and Program Status

Protecting Our Customers

Safeguarding customer data is a core priority of Sonatype’s security program. Our security teams work closely with engineering, operations, and business teams to identify risk early, apply strong security controls, and continuously strengthen our security posture. Key protections include:

  • Encryption of data in transit using strong, industry-standard cryptography

  • Support for modern TLS protocol versions (TLS 1.2 and later) and strong cipher suites, including AES-256-based suites

  • Multi-factor authentication, role-based access controls, and least-privilege enforcement

  • Continuous monitoring and logging of security-relevant activity

Security by Design

Sonatype’s security program is built on the principles of defense in depth, least privilege, and secure-by-design development. Security requirements are embedded across our products, infrastructure, and internal operations.

Our security governance framework is supported by a comprehensive set of policies and standards, including but not limited to:

  • Global Information Security Policy

  • Secure Software and Systems Development Policy

  • Data Classification and Handling

  • Incident Response and Vulnerability Management

  • Business Continuity and Disaster Recovery

Policies are reviewed at least annually or upon material change. All employees receive ongoing security awareness training, with role-specific training provided where appropriate.

Product Security & Vulnerability Management

Sonatype’s Product Security team operates a secure software development lifecycle (SDLC) aligned with OWASP guidance and industry best practices. We apply automated and manual security controls throughout design, development, testing, and deployment, and we use Sonatype’s own products as part of our secure software supply chain practices.

In addition to proactive testing, Sonatype maintains a public vulnerability disclosure program to support responsible reporting. All reported vulnerabilities are validated, risk-rated, and tracked through remediation in accordance with defined service-level expectations.

Testing, Monitoring, and Resilience

Sonatype conducts regular testing and monitoring to validate the effectiveness of our security controls, including:

  • Annual independent third-party penetration testing of core products

  • Continuous security monitoring and centralized logging

  • Formal incident response processes with defined escalation and communication paths

  • Annual testing of Business Continuity and Disaster Recovery plans

Critical and high-risk findings are escalated promptly and remediated under management oversight, with remediation timelines driven by risk-based prioritization.

Our production environments leverage cloud-native security controls, including AWS IAM, network segmentation, threat detection, and audit logging, to support a strong security baseline.

Our Ongoing Commitment

Protecting our customers and enabling the creation of safer software is a responsibility we take seriously. Sonatype continuously invests in people, processes, and technology to strengthen our security posture and maintain the trust our customers place in us.

For detailed security and compliance information, please visit our Trust Center. If you have additional questions, your Sonatype account team will be happy to assist.

Sonatype Trust Center
