
Sonatype Blog


GitHub Integration with Nexus Lifecycle

Sonatype's development team regularly schedules "innovation days" that give team members time to focus on building projects that we believe will benefit our Nexus community. On one of the recent innovation days, I built a new integration between GitHub, Jenkins, and Nexus Lifecycle that we are making available to you through our new Nexus Exchange community, the new home for integrations built by our own development team and the community at large.

Struts2 Exploited Again. Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that PoC code seems to have been released into the wild either just before, or immediately after, the disclosure. As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge, attackers have the first-mover advantage. Therefore, the only thing that matters is speed:

  • How long before you even become aware?
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies use different tools and processes to manage open source governance and security risk within the software development lifecycle. Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days. Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure. Here's the official description available from the MITRE database as of Friday, March 10th:

DevSecOps: Better Software, Faster

“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.

LEGO, Death Stars, and Millennium Falcons, Oh My

Summary: Sonatype now offers a revolutionary new way to instantly give your teams access to vulnerability, license, and quality-related data for the components they are consuming.

Continuous Delivery: The Atlassian Way

At the recent DEVNEXUS conference in Atlanta, Sonatype’s Mark Miller (@TSWAlliance) caught up with Ian Buchanan (@devpartisan) for our 2016 DevOps Leadership Series. Ian discussed his experiences at Atlassian, including continuous delivery, ChatOps, and use of tools like Bamboo, Nexus, Puppet, and Datadog.

Faster, Smarter DevOps

Call it DevOps or not, if you are concerned about releasing more code faster and at a higher quality, the resulting software delivery chain and process will look and smell like DevOps. But for existing development teams, no matter what the velocity objective is, getting from here to there is not something that can be done without a plan.

Manufacturing Without a Warehouse = Development Without an Artifact Repository

Can you imagine a large manufacturer like Toyota, Samsung or General Electric managing all their parts without one or more warehouses? Probably not, because it's simply inefficient or even impossible to manage.