Category Archives: AppSec Spotlight

Nexus Firewall: Quality at Velocity

November 17, 2015 By
Mike Hansen
fw2 small

The quantitative research summarized below, covering over 7,000 repositories across nearly 100 countries, highlights some of the challenges with quality at modern development velocities. By leveraging automation in your repository manager, you can improve application quality and reduce unplanned work while lowering exposure to risk. Repository managers like Nexus, Artifactory and Archiva have been serving […]

Continue reading...

Did you wake up to an alert about the Java Deserialization vulnerability?

November 13, 2015 By
Brian Fox

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.

Continue reading...

Improving Container Security: Docker and More

November 12, 2015 By
Derek Weeks
Screen Shot 2015-11-12 at 2.02.09 PM

This blog was contributed by Chenxi Wang, Chief Strategy Officer at Twistlock.   Earlier this week, Sonatype announced a strategic partnership with Twistlock.  The relationship is incredibly important to furthering automation and security across the software supply chain as it relates to container technologies.  For this reason, we invited Chenxi Wang, Chief Strategy Officer from […]

Continue reading...

Automated Nexus Reports on Licenses, Security, and More

August 5, 2015 By
Derek Weeks
Screen Shot 2015-08-05 at 2.12.57 PM

You have been using Nexus repository managers for years, but did you know they offer a free reporting feature that details your component licenses, known security vulnerabilities, versions, age, and adoption rates? Your Nexus repository manager can be the first line of defense against security vulnerabilities and the perfect platform to assess your exposure to open […]

Continue reading...

The Cost to DevOps: 27 Mufflers

July 16, 2015 By
Derek Weeks
Screen Shot 2015-07-29 at 2.51.00 PM

Imagine that you are designing the 2016 Range Rover line of sport utility vehicles. Like all gas powered vehicles, each one needs an exhaust muffler. Range Rover likely has narrowed in on a preferred provider of mufflers. But imagine what would happen if the designers and factory line workers could pick from any one of 27 past versions of that muffler from their preferred provider for the new model year.

Continue reading...

Rework is Choking Software (2015 State of the Software Supply Chain Report)

June 23, 2015 By
Derek Weeks

“Software may be eating the world, but rework is choking software”, tweeted John Jeremiah (@j_jeremiah). To shed more light on what is choking software, new data was released last week in the 2015 State of the Software Supply Chain Report.

Continue reading...

Better and Fewer Suppliers (2015 Software Supply Chain Report)

June 17, 2015 By
Derek Weeks
Screen Shot 2015-07-29 at 2.56.10 PM

Today I want to focus on the huge ecosystem of open source projects (“suppliers”) that feed a steady stream of innovative components into our software supply chains. In the Java ecosystem alone, there are now over 108,000 suppliers of open source components. Across all component types available to developers (e.g., RubyGems, NuGet, npm, Bower, PyPI, etc.), estimates now reach over 650,000 suppliers of open source projects.

Continue reading...

We Lack Building Codes for Building Software Code [VIDEO]

June 15, 2015 By
Mark Miller
Screen Shot 2015-07-29 at 11.34.31 AM

At Josh Corman’s presentation during AppSecEU 2015, he brought up the analogy of buildings codes, those laws and regulations that mandate how architectural buildings are built. It’s the reason earthquakes in some regions of the world are so devastating, while even stronger ones in other areas cause minimal damage.

Continue reading...

The 2015 State of the Software Supply Chain Report

June 11, 2015 By
Derek Weeks
Screen Shot 2015-07-29 at 2.58.40 PM

In April of this year, I embarked on a six-week journey diving deep into an analysis of the world’s software supply chains. I evaluated the practices of 106,000 organizations, the 100,000+ suppliers they relied on, and the billions of software components that fueled their agile, continuous delivery and DevOps practices.

Continue reading...