
Sonatype Blog

Stay updated on the latest news from the makers of Nexus

The Trump White House Takes Aim at Cybersecurity

“The executive branch has for too long accepted antiquated and difficult-to-defend IT,” declared President Donald Trump in a new Executive Order released on Thursday, May 11th, 2017.

The Magnitude of Risk and Importance of a Plan

Over the past few years, we have witnessed mega-breaches that have impacted IT systems across the financial services industry, the healthcare sector, and government. According to the current and recent editions of the Verizon Data Breach Investigations Report, the vast majority of these breaches take advantage of weaknesses in software applications. The White House believes it is imperative that the United States modernize its IT infrastructure in order to better defend it.

DevSecOps: Slaying the Myths of Container Security

Containers are clearly appealing to companies and development teams that want to deliver and iterate on their software faster and more efficiently. That speed comes from more consistent, simple and repeatable deployments, rapid rollback, and simpler ways of orchestrating and scaling distributed applications.

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 remote code execution (RCE) vulnerability. What's notable about this instance is that proof-of-concept (POC) code appears to have been released into the wild either just before or immediately after the disclosure. As was the case with previous Struts vulnerabilities, exploits are being observed at large scale in the wild.

Whenever a critical vulnerability emerges, attackers have the first-mover advantage. Therefore, the only thing that matters is speed:

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies use different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.
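Of the three questions above, assessing exposure is the one that can be fully automated against a build's dependency list. The script below is an added example, not code from the original post or from Sonatype: it parses the output of `mvn dependency:list` (a constructed sample, not a real build) and checks every `struts2-core` coordinate against an advisory record, reporting the smallest fixed release above the affected version so the upgrade stays on the same branch. The affected and fixed versions in the record are those published in the Apache Struts S2-045 advisory (CVE-2017-5638), the March 2017 Struts 2 RCE this post appears to describe; the post itself names no identifier, so that mapping, the function names and the sample input are assumptions of the example.

```python
"""Assess exposure to a newly disclosed Struts 2 vulnerability from Maven output.

Added example. Version comparison is numeric per dotted component, so that
2.5.10.1 correctly sorts above 2.5.10 and below 2.5.11.
"""
import re

# Assumed advisory record. Ranges are those of the Apache Struts S2-045
# advisory (CVE-2017-5638); treating it as the vulnerability the post
# discusses is an assumption of this example.
ADVISORY = {
    "id": "S2-045",
    "coordinate": ("org.apache.struts", "struts2-core"),
    "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")],
    "fixed": ["2.3.32", "2.5.10.1"],
}

# One resolved artifact line from `mvn dependency:list`, e.g.
#   [INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
# Format is groupId:artifactId:type[:classifier]:version:scope.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[^:\s]+):(?P<scope>\w+)$"
)


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1). Qualifiers such as '-SNAPSHOT' are dropped."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_affected(version, advisory=ADVISORY):
    """True when the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in advisory["affected"])


def fix_for(version, advisory=ADVISORY):
    """Smallest fixed release above the current version, or None."""
    v = parse_version(version)
    for parsed, label in sorted((parse_version(f), f) for f in advisory["fixed"]):
        if parsed > v:
            return label
    return None


def parse_dependencies(text):
    """Extract (group, artifact, version, scope) tuples from dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line.strip())
        if m:
            deps.append((m["group"], m["artifact"], m["version"], m["scope"]))
    return deps


def assess(text, advisory=ADVISORY):
    """One finding per dependency that matches the advisory coordinate and range."""
    group, artifact = advisory["coordinate"]
    findings = []
    for g, a, version, scope in parse_dependencies(text):
        if (g, a) == (group, artifact) and is_affected(version, advisory):
            findings.append({
                "advisory": advisory["id"],
                "coordinate": f"{g}:{a}",
                "version": version,
                "scope": scope,
                "upgrade_to": fix_for(version, advisory),
            })
    return findings


# Constructed sample of `mvn dependency:list` output; not from a real project.
SAMPLE = """\
[INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO]    ognl:ognl:jar:3.0.19:compile
"""

if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f"{f['advisory']}: {f['coordinate']}:{f['version']} ({f['scope']})"
              f" -> upgrade to {f['upgrade_to']}")
```

The check is deliberately coordinate-specific: only the artifact the advisory names is flagged, so a plugin that shares the affected version number is not reported. In a real pipeline the advisory record would come from a vulnerability feed rather than a literal, and the "time to aware" question is answered by how quickly that feed reaches the build.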

It's now been 3 days since the Struts 2 fix and disclosure. Here's the official description available from the MITRE database as of Friday, March 10th:

When it Comes to Application Security, “Doing Your Homework”​ Matters

They say software is eating the world. Very true, but it has become even clearer that open source software (OSS) components are eating the software world. This revolution is driving unimagined gains in innovation and efficiency in our ability to deliver software. Think of Uber: a new leader in the transportation industry that does not own a single vehicle. Every major enterprise, and even most medium and small companies, are software producers, and free and open source components are driving this dramatic shift in our world.

How DevOps Killed the Market for Software Composition Analysis

The niche market for Software Composition Analysis (SCA) tools has died.  The culprit: DevOps.

In today's world, developers are king.  Innovation is the throne upon which they sit.  Anything seen as an inhibitor to DevOps agility is the enemy, and therefore, must be terminated.

SCA tools are waterfall-native by design. Thus, it is impossible to integrate SCA security controls into DevOps-native workflows in an automated and scalable way.

From a Commodore 64 to DevSecOps

We all know the story: a farm, a kid, a Commodore 64, and a modem maxing out at 300 bps. A few unexpected phone bills later, young Ian Allison is figuring out how to game the system so he can keep using his newfound gateway to the world of tech. According to Ian, that is where he began building the foundation of skills for his career in computer security.

DevSecOps: Better Software, Faster

“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.