
Sonatype Blog


Nexus OSS Meets NuGet

The NuGet package manager has become the standard for developing software on the Microsoft platform, which includes .NET, and the NuGet Gallery has emerged as a large public open source package repository. Sonatype Nexus, on the other hand, is the standard repository or component manager software running on servers everywhere from small open source projects and teams to multi-national Fortune 500 companies.

Bash 2014 - This Is Not a Party

I can honestly say that although referred to by the media as Shellshocked, I am neither shocked nor awed.

I can’t say that I am a fan of the latest glorification of bugs like Heartbleed and Shellshock in a fashion similar to tropical storms, but if it gets more people to pay attention to the exponential growth of our reliance on software I can’t say I am too worked up about it either.

One thing that is unarguable is that this just happens to be the latest (and if you are reading this before you have patched, stop right now, patch, and then come back to finish).

I think both Heartbleed and Shellshock are just two issues that masked an even bigger problem:

  • our ability to rapidly create the next newest and greatest thing is increasingly outpacing our ability to understand what is really in our software, and

  • our ability to understand where we have deployed our software.

You see, it is these two things that point to the bigger issue. We all know there will be new problems, the next biggest security threat, but we have no hope of “fixing” this problem if we don’t know both what is in our software and where that software is deployed.

I wonder how many IT administrators are rapidly trying to answer the two critical crisis questions (a blog from July) to figure out how many systems have bash installed, and then rapidly apply the patch? We are still seeing updates to software that is vulnerable to Heartbleed.

This is truly indicative of our inability to have even the most basic understanding of our software supply chain (a failing of many of even the most mature SDLCs). In the case of Heartbleed and Shellshock, those that have this understanding are much more secure than those that do not, and it doesn’t take an army of security professionals to figure out. I would be willing to bet a majority of companies spend more money being able to manage physical assets (sometimes down to every pen) than software assets, even though the growth in software-related assets is through the roof.

You can read all about Shellshock and how big of a deal it is elsewhere; I don’t think I need to add another voice to this chorus, but I do want to highlight that there is a bigger issue. You can’t patch what you don’t know you have. And if you have it, you need to know where it is.

If you spend a little more time understanding your software supply chain (and yes it is a supply chain), you might not be scrambling as much to fix your systems the next time (and yes there will be a next time).

(image credit: http://bit.ly/1wMOvet)

What Happened Sept 16th?

We led an invasion last week armed with a flying drone, glowing lightsabers, and the latest knowledge on open source security vulnerabilities. Our mission? Lead, share, educate, moderate, and have some fun. Our coordinates? This year’s AppSecUSA 2014 event in Denver, Colorado.

Skeleton Key

A skeleton key is capable of opening any lock regardless of make or type. Do you know anyone who has one? I do. Lots of them.

11,000 Voices

AppSec USA

Time for Full Open Source Disclosure

We are not the first industry to face this challenge. But many are convinced our problem is much smaller than it really is or that it does not exist. They simply ignore it. Or choose to do nothing about it. Meanwhile, the problem is multiplying like rabbits.

Gartner Goes Development-Centric

Recently, Gartner published a new research report that says by 2016, “the vast majority of mainstream IT organizations will leverage nontrivial elements of open source software (directly or indirectly) in mission-critical IT solutions. However, most will fail to effectively manage these assets in a manner that minimizes risk and maximizes ROI.”

Nexus 3.0 Technology Preview (Milestone 1 Release)

The Nexus development team at Sonatype is pleased to announce the release of the first milestone build (M1) of Nexus 3. This release is a technology preview covering the open source version, Nexus OSS, focused specifically on the new user interface. Nexus Pro will be covered in the upcoming M2 release.