Category Archives: AppSec Spotlight

Continuous Delivery: How to Transform Application Release

February 8, 2016 By Derek Weeks

This past November at CA World 2015, we participated in a panel discussion on transforming application development and release with Continuous Delivery and DevOps practices. The well-attended panel discussion addressed many practical and easy ways for companies to get started with Continuous Delivery and DevOps.

Legos, Death Stars, and Millennium Falcons, Oh My

February 2, 2016 By Jeff Wayman

The Lego Death Star has about 1/10th of the parts of a Toyota; 3803 to be exact. If you’ve ever assembled the Lego Death Star, or anything Lego-related, you know having the right parts is critical. Even more impressive is what the group over at Titans Creations did. This group of Lego fans (known as My Own Creation[ers]) built a scale model (mini-figure scale) of the Millennium Falcon. Coming in at around 10,000 parts, it’s one of the more impressive, if not the most impressive, custom models to date.

Rugged DevOps: Solving Big Problems

January 27, 2016 By Derek Weeks

In part one of this series, “Rugged DevOps: Survival is Not Mandatory”, I shared news that 1 in 16 open source and third-party components downloaded last year included a known vulnerability. That may not seem like too many until you realize the average company downloads well over 200,000 components annually. These components are electively downloaded by development teams, often unaware of the vulnerabilities that come with them.

Rugged DevOps: Survival is Not Mandatory

January 25, 2016 By Derek Weeks

Deming, the patron saint of DevOps, once advised, “It is not necessary to change. Survival is not mandatory.” To survive, application development teams are constantly pressured to deliver software even faster. But fast is not enough. The best organizations realize that security, quality and integrity at velocity are mandatory for survival. Hence, DevOpsSec

What’s in Your Software

January 15, 2016 By Matt Howard

I can’t tell you how excited I am to be a part of the Sonatype team that is literally reinventing how quality software gets made. As the new guy leading marketing, my first test was to explain Sonatype to my mom. She’s a smart cookie — but she’s 82 years old — and doesn’t know very much about software.

Getting Rugged DevOps Right

December 3, 2015 By Derek Weeks

Two Perspectives

Jack, an accomplished application security pro, tells me, “The developers won’t talk to us. It’s like we speak a different language. They are releasing new builds so fast, how could they check each one for security vulnerabilities? We can’t move as fast as they do.” Then in the next moment, Diane, a DevOps […]

Nexus Firewall: Quality at Velocity

November 17, 2015 By Mike Hansen

The quantitative research summarized below, covering over 7,000 repositories across nearly 100 countries, highlights some of the challenges with quality at modern development velocities. By leveraging automation in your repository manager, you can improve application quality and reduce unplanned work while lowering exposure to risk. Repository managers like Nexus, Artifactory and Archiva have been serving […]

Did you wake up to an alert about the Java Deserialization vulnerability?

November 13, 2015 By Brian Fox

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.

Improving Container Security: Docker and More

November 12, 2015 By Derek Weeks

This blog was contributed by Chenxi Wang, Chief Strategy Officer at Twistlock. Earlier this week, Sonatype announced a strategic partnership with Twistlock. The relationship is incredibly important to furthering automation and security across the software supply chain as it relates to container technologies. For this reason, we invited Chenxi Wang, Chief Strategy Officer from […]

Automated Nexus Reports on Licenses, Security, and More

August 5, 2015 By Derek Weeks

You have been using Nexus repository managers for years, but did you know they offer a free reporting feature that details your component licenses, known security vulnerabilities, versions, age, and adoption rates? Your Nexus repository manager can be the first line of defense against security vulnerabilities and the perfect platform to assess your exposure to open […]
