Last week, CIO.com shared a story of an inflection point in application security. Lucian Constantin discussed how there needs to be a shift from manual open source risk analysis to more automated approaches. His article stated, “The notion of using manual audits, manual approvals and traditional governance to deal with that level of [open source […]
The Wake-up Call They had downloaded over 200,000 open source components in the past year. And their open source policy…the one established to protect against license risks and security vulnerabilities? It covered about 3% of them. This is how Nigel Simpson, Director of Architecture at a major media and entertainment company, described his organization’s “huge” […]
In two minutes, we can show you if there are any open source risks within your Java application. And it’s free. That’s right, at Sonatype, we could not be more in favor of the code reuse that occurs millions of times a day thanks to the availability of open source and third-party components. At the […]
Customers using CLM want to surface known security vulnerabilities and license risk in the same place developers or executives already go to assess the overall quality of their application. To support this growing interest from our customers, we are introducing our next important milestone: Sonatype CLM’s integration with SonarQube.
I remember it clearly. Sitting down for breakfast, I opened the Sydney Morning Herald to see the latest headlines in Australia for the day. As I shuffled through the paper, I finally landed upon the Technology section and then noticed pages and pages of “help wanted” adds.
In our recent open source developer survey we asked, what are the TOP FOUR characteristics considered when selecting a component? And since components are the building blocks used when creating an application, selecting the right one is an important choice. Not surprisingly, the most important characteristic for the selection are the features and capabilities provided by the component. After all, if the component doesn’t fulfill your requirements then why use it?
Heartbleed has put the security community on notice: it is time to take a harder look at the security status of open source components and frameworks. After doing a little industry research on downloads from the (Maven) Central Repository, I’m sitting here with my jaw hanging open. Over 46 million Java-based open source components containing known vulnerabilities were downloaded from the Central Repository in 2013*.
Last week, I joined the Sonatype engineering team at the yearly summit where we got together and discussed the future roadmap for Nexus and CLM, talk with engineers who are doing the hands-on work on the projects and in general got caught up with each other. It’s always good to get this kind of face-to-face […]
Applications are becoming the primary security threat vector. Since applications are constructed from 3rd party components, there continues to be a tremendous amount of industry effort and impetus behind managing open source components effectively. And now we can add the Financial Services / Information Sharing and Analysis Center (FS-ISAC) to the list.
In the Nexus Live event John Nagro and Tom McLaughlin from HubSpot detailed how they are using
Nexus as a repository for their development and release components. They
found that they need to be able to quickly create another virtual
machine as part of their build infrastructure to react to changes in
datacenter locations and other parameters.