<iframe src="//www.googletagmanager.com/ns.html?id=GTM-TT8R4P" height="0" width="0" style="display:none;visibility:hidden">

Sonatype Blog

Stay updated on the latest news from the makers of Nexus

GitHub Integration with Nexus Lifecycle

Sonatype's development team regularly schedules "innovation days" that allow team members time to focus on building projects that we believe will benefit our Nexus community.  In one of the recent innovation days, I built a new integration between GitHub, Jenkins, and Nexus Lifecycle that we are making available to you through our new Nexus Exchange community -- the new home for integrations built by our own development team and the community at large.  

Shift Security Practices Left: New Nexus Plugin for Jenkins Pipelines

Shift Security Practices Left: New Nexus Plugin for Jenkins Pipelines

Many organizations are quickly maturing their CI/CD practices in the hopes of winning the innovation battle. But where do security and governance practices fit in? As organizations embrace DevOps, quality and security cannot become an afterthought. The good news is that many DevOps practitioners agree as evidenced by our recent DevSecOps survey. The data shows that mature DevOps organizations are automating security practices earlier in the development process compared to less mature DevOps organizations.

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Exploit (RCE) vulnerability. What's notable about this instance is that POC code seems to have been released into the wild either just before, or immediately after the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge -- attackers have first mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the Mitre database as of Friday, March 10th:

Nexus Lifecycle and IntelliJ IDEA

Our roots are deeply secured to the development community at Sonatype. While Nexus products now span roles and responsibilities across an organization, we’re always looking to consider the needs of our developer tribe. We make it a point to continually add developer-focused features to our suite of products as part of this commitment. We also work to ensure our products integrate with today’s modern developer tool stack. 

Why CEO’s Choose Harry

We are excited to see GrowthCap just announced NEA’s Harry Weller as their Investor of the Year. Harry and our CEO, Wayne Jackson, started working together in 1998 when he invested in Riverbed Technologies, followed by an investment in SourceFire, and most recently teaming up for the third time with Sonatype. We’re honored to be partnered with Harry and NEA to be developing an awesome future for software development organizations with our software supply chain and repository management solutions.

Getting Rugged DevOps Right

Two Perspectives

Jack, an accomplished application security pro, tells me, “The developers won’t talk to us. It’s like we speak a different language. They are releasing new builds so fast, how could they check each one for security vulnerabilities? We can’t move as fast as they do.”

Did you wake up to an alert about the Java Deserialization vulnerability?

This week I woke up to find several emails from Nexus Lifecycle indicating that the products in my portfolio were potentially vulnerable due to their inclusion of Apache commons-collection. If you have no idea what I’m talking about, stop now and go read this factual and un-sensationalized account of the situation. I’ll wait.