
Sonatype Blog


The Trump White House Takes Aim at Cybersecurity

“The executive branch has for too long accepted antiquated and difficult-to-defend IT”, declared President Donald Trump in a new Executive Order released on Thursday, May 11th, 2017.

The Magnitude of Risk and Importance of a Plan

Over the past few years, we have witnessed mega-breaches that have impacted IT systems across our financial services industry, healthcare sector, and government.  The vast majority of these breaches take advantage of weaknesses in software applications, according to the current and recent editions of the Verizon Data Breach and Investigations report.  The White House believes it is imperative that the United States modernize its IT infrastructure in order to better defend it.

DevSecOps: Eat Carrots, Not Cupcakes

You Are What You Eat.  

When it comes to food, we all know what’s considered “good” and what’s “bad”.

Struts2 Exploited Again.  Did Anyone Bother to Tell You?

This week we saw the announcement of yet another Struts 2 Remote Code Execution (RCE) vulnerability. What's notable about this instance is that proof-of-concept (PoC) code seems to have been released into the wild either just before, or immediately after, the disclosure.  As was the case with previous Struts1 vulnerabilities, exploits are being observed at large scale in the wild.

Whenever critical vulnerabilities emerge, attackers have the first-mover advantage. Therefore, the only thing that matters is speed.

  • How long before you even become aware?  
  • How long does it take you to assess your exposure?
  • How quickly can you remediate the vulnerability?

In today's world, different companies utilize different tools and processes to manage open source governance and security risk within the software development lifecycle.  Forward-leaning organizations empowered with DevOps-native intelligence will respond in hours or days.  Traditional organizations equipped with waterfall-native intelligence will struggle to respond in weeks or months.

It's now been 3 days since the Struts2 fix and disclosure.  Here's the official description available from the MITRE database as of Friday, March 10th:

DevSecOps: Better Software, Faster

“The big problems are where people don't realize they have one in the first place.” - W. Edwards Deming, patron saint of DevOps.

LEGO, Death Stars, and Millennium Falcons, Oh My

Summary: Sonatype now offers a revolutionary new way to instantly give your teams access to vulnerability, license, and quality related data for the components they are consuming.

Mapping the JavaScript Genome for DevOps

From artisan to automation.  High performing organizations are using DevOps principles to boost productivity, streamline software supply chains, and improve quality.  These organizations are swiftly moving away from their artisanal approaches of crafting software to the high-velocity, automated practices where applications are more manufactured than developed.

Nexus Repository Rising: Say Hello to the New Pro

Free Birds, Free Coffee, and Free Willy.  Software development is hard enough, so we’re making it easier.  You see, a few years ago Sonatype made a promise that Nexus Repository should provide universal component support for free.  This month, we are continuing to live up to that promise by expanding component support in Nexus Repository OSS to include PyPI and RubyGems packages. Nexus Repository now offers free support for seven component types.  For those who thought we only supported Java components, you must be thinking of the other guys.