How to safeguard your software supply chain

NVD overload: Unveiling a hidden crisis in vulnerability management

Comparing and converting between SBOM formats

Secure Software Development Attestation Form: Sonatype helps you comply

What are SBOM standards and formats?

Women in cybersecurity: On the shoulders of giants

Embracing the AI revolution: Navigating the impact on developers

What are the elements of an SBOM?

npm packages spread 'Bladeroid' crypto-stealer, hijack your Instagram

Unlocking the power of binary repositories: A DevOps team’s best friend

The curious case of 'csrf-magic': A case study in supply chain poisoning

A demand for real consequences: Sonatype's response to CISA's Secure by Design

Sonatype unveils state-of-the-art Artificial Intelligence Component Detection

Why SBOMs are essential for every organization

Mastering SBOMs: Demonstrations

How DevOps evolved into DevSecOps: Embracing security in software development

Mastering SBOMs: Best practices

Exploited Ivanti Connect SSRF vulnerability traced back to 'xmltooling' OSS library

DevSecOps maturity model: A beginner's guide

npm flooded with 748 packages that store movies

Fake 'distube-config' npm package drops Windows info-stealing malware

What is the OWASP Top 10?

DevSecOps tools: A beginner's guide

'everything' matters — why the npm package sparked controversy

Unraveling the Struts2 security vulnerability: A deep dive

Struts2 CVE-2023-50164 by the numbers

OpenSSF responds to CISA, advocates for a multifaceted approach to software identification

CVE-2023-50164: Another vulnerability in the widely used Apache Struts2 component

Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack

The Top 5 trends every DevOps leader needs to know for 2024

The Top 5 trends every CISO needs to know for 2024

What goes great with SLSA? Sonatype.

How can SLSA help secure your software supply chain?

DevSecOps: A beginner's guide

The history of Maven Central and Sonatype: A journey from past to present

Why DevOps recommends Shift Left principles

How the SEC charges against SolarWinds highlight the cybersecurity liability of software companies

Software dependencies: A beginner's guide

Dependency mapping: A beginner's guide

Open source risk management: Safeguarding software integrity

How manufacturing best practices can improve open source consumption and software supply chains

Top 10 open source projects hit by HTTP/2 'Rapid Reset' zero-day

Introducing our 9th annual State of the Software Supply Chain report

SAST vs. DAST: Enhancing application security

npm packages caught exfiltrating Kubernetes config, SSH keys

New npm PoC packages target PayPal Zettle, Airbnb developers

Unlocking the power of generative AI in software development: Insights from Sonatype's survey

How to navigate DevOps principles: Analyzing Shift Left and Secure Right

A guide for open source software (OSS) security

Enhancing software supply chain security: New Sonatype product capabilities

Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

Getting started with the Secure Software Development Framework (SSDF)

How to use Repository Health Check 2.0

Cyber Resilience Act: The future of software in the European Union

“Quoi...? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer

A closer look: Differentiating software vulnerabilities and malware

npm manifest confusion – What is it and do you really need to worry about it?

How to measure the maturity of your software supply chain

PyPI attackers still at it: Malicious packages drop trojans and info-stealers

Sonatype named a leader in The Forrester Wave™ for software composition analysis

Better software development: Insights from the SBOM Scorecard

How to improve your software supply chain with a software security framework

How software composition analysis can help you go from good to great

DevSecOps Leadership Forum: Revolutionizing financial services

Sonatype named in the 2023 Gartner® Magic Quadrant™ for Application Security Testing

Sonatype sponsoring Red Hat Summit on May 23-25 in Boston

Software packages, do we even need them?

Wicked Good Development Episode 32: Java queens at Devnexus 2023

Can the open source community save Europe from the Cyber Resilience Act?

Supply chain security inside and out

7 software license types explained: Open source and closed source

Explore a refreshed Sonatype Platform: New features, new product names

The impact of security testing on an organization

Protecting software developers from malware with AI/ML insights

Wicked Good Development Episode 31: Testcontainers with Oleg Šelajev

Malware Monthly - March 2023

Another SolarWinds? The latest software supply chain attack on 3CX

Sonatype Repository Firewall is an easy solution for a big problem

Post-conference tech spec: Why building your ship (application) with raw materials is a bad idea

Sonatype Lifecycle enhancements boost speed, security, and productivity

Wicked Good Development Episode 30: JUG, AKA the JAVA User Group

New design, new feature: Maven Central improvements for developers

Cyber-readiness and changing federal government SBOM requirements

Manage open source risk with improved malware detection

ChatGPT data leak and Redis race condition vulnerability that remains unfixed

Sonatype's SBOM generation capabilities outpace the competition

[New live series] Dev Chat with Dan Conn: Beware of malware

Top 8 malicious attacks recently found on PyPI

Meet Frank Tingle: Values Champion

Wicked Good Development Episode 29: White House unveils National Cybersecurity Strategy

What is hashing? A look at unique identifiers in software

Malware Monthly - February 2023

Wicked Good Development Episode 28: Simon Brown on visualizing software architecture

White House National Cybersecurity Strategy: Landmark action for a critical threat

New on Sonatype Learn: Easy Source Control Management (SCM) Onboarding

How stolen information stealers are fueling an underground market

Meet an open source developer - A.J. Brown

Attacker floods PyPI with 1000s of malicious packages that drop Windows trojan via Dropbox

Transitioning your software supply chain management (SSCM) to the cloud

Is cyber liability insurance a moral hazard in the US?

Meet an open source developer - Lex Vorona

Wicked Good Development Episode 27: Build breaking and more with ABN AMRO's Ingmar Vis

Comparing SBOM standards: SPDX vs. CycloneDX

Meet an open source developer - Allie Sierra

5 tools to automate SBOM creation

Malware Monthly - January 2023

Make sure your company is prepared for evolving software liability regulations

Malicious ‘aptX’ Python package drops Meterpreter shell, deletes ‘netstat’

Are unnecessary vulnerabilities polluting your software supply chain?

Wicked Good Development Episode 26: Tom Cools

Meet an open source developer - Theresa Mammarella

Sonatype's 2022: A year-end recap

Project highlights for World Open Source Day: My open source tools

Sonatype celebrates World Open Source Day 2023

Sonatype Lifecycle and Firewall now available in the cloud

The shifting landscape of open source supply chain attacks - Part 3

The shifting landscape of open source supply chain attacks - Part 2

The shifting landscape of open source supply chain attacks - Part 1

A guide to deployment models: Self-hosted, cloud, and air-gapped

Going online with the OWASP Vulnerability Management Guide Working Group

Wicked Good Development Episode 25: The struggle with open source licensing

Intro to malware analysis: Analyzing Python malware

Malware Monthly - December 2022

Dependency management: Versions choice and the software supply chain

Sonatype Lifecycle boosts open source security and dependency management

Best practices in dependency management: Cooking a meal of gourmet code

Meet Richard Panman: Values Champion

2023 predictions: What will happen in software supply chain governance?

PyTorch namespace (dependency) confusion attack

SCA and SAST: What do they do and how can they help developers like you?

How does developer morale affect my software supply chain?

PGP vs. sigstore: A recap of the match at Maven Central

EU Cyber Resilience Act: Good for software supply chain security, bad for open source?

Caroling through the season: The sounds of the 4shells

Wicked Good Development Episode 23: Demystifying tech debt

Malware Monthly - November 2022

Developers need two things: The Sonatype Platform and a full pot of coffee

Congratulations to the Sonatype 2022 Elevate Awards winners

Cybersecurity and beyond: Why secure procurement is a must for your organization

Wicked Good Development Episode 22: Fall 2022 Maven Central updates

5 key open source software security risks and how to prevent them

The top 10 2022 All Day DevOps sessions

U.S. government's guidelines for securing software: Suppliers

Wicked Good Development Episode 21: James McLeod shares his journey to FINOS and beyond

Wicked Good Development: Key takeaways from the State of the Software Supply Chain

What do Log4Shell and a global pandemic have in common?

Perception versus reality: A data-driven look at open source risk management

Open source best practices for higher quality code to fundamentally strengthen your project

The magic behind over 101,000 Malicious packages discovered and blocked

Meet Ankita Lamba: Values Champion

14 All Day DevOps (ADDO) sessions you won’t want to miss

What the OpenSSL vulnerabilities are… and aren't (CVE-2022-3786 and CVE-2022-3602)

The no-fix mediums? Not having a high priority doesn’t mean low danger

This Week in Malware - Over 70 packages discovered

Webinar recap: Best practices for managing (and supercharging) your software supply chain

A new OpenSSL vulnerability is coming - Get ready to patch

An open source maintainer's best practice: How to use SBOMs to root out project vulnerabilities

Wicked Good Development Episode 16: Ted Neward's Philosophy 101

This Week in Malware - Nearly 40 packages discovered

Stop the low-quality contribution plague

How is the Sonatype Safety Rating determined?

Introducing our 8th annual State of the Software Supply Chain

Open source best practices: Key documents to help welcome new contributors to your project

This Week in Malware - Over 50 packages discovered

How to become a new open source contributor

This Week in Malware - Over 100 packages discovered

What is container security, and how can you boost yours?

Weaponizing open source through job recruiting

This Week in Malware - 135 packages target npm and PyPI registries

Despite what some vendors say, please don't ignore Log4j

This Week in Malware - Over five dozen more packages discovered

Wicked Good Development Episode 15: Russ Eling talks founding OSS Consultants and open source compliance

How you can manage and eliminate technical debt

Celebrating Sonatypers

Arming the defender force and securing the software supply chain: Helping developers implement CISA best practices - Part 1

This Week in Malware - Almost 100 packages

Being the 'B' in LGBTQIA+

Pursue growth with a software engineering internship at Sonatype

Rule over your dependencies and scan at your own open source risk

This Week in Malware—Ongoing Dependency Confusion

Living six months of core values

On the road again: Here comes September

This Week in Malware - A PyPI phishing follow-up plus 120 packages

Why developers are becoming the weakest link in supply chain attacks

This Week in Malware - 450 packages and a phishing campaign against PyPI maintainers

Wicked Good Development Episode 14: The Secret Life of Maven Central

Setting boundaries: How procurement relates to security (Part 1)

This Week in Malware — Cryptominers flood npm, PyPI, and more dependency confusion

More than 200 cryptomining packages flood npm and PyPI registry

This Week in Malware - Fileless Linux cryptominer, 100 packages

PyPI package 'secretslib' drops fileless Linux malware to mine monero

This Week in Malware — Typosquats in PyPI, dependency confusion packages

Wicked Good Development Episode 13: Hacks and Ax, July edition

Ransomware in PyPI: Sonatype spots 'Requests' typosquats

Open source licensing shift: Fedora blocks Creative Commons CC0

StringJS typosquat deploys Discord infostealer obfuscated five times

This Week in Malware — John Deere dependency confusion attempt and more

John Deere dependency confusion attempt flagged by Sonatype

Wicked Good Development Episode 12: Devoxx Poland developer conference recap

This Week in Malware — July 15th edition