What We Learned from Studying 36,000 OSS Projects | Press Release

Sonatype Blog

Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.

The Dot Zero Conundrum and the New Frontier of Securing Open Source

By Brian Fox on September 24, 2019 code quality
Sonatype is combining a new type of behavioral analysis with machine learning and proprietary data, creating early warning capabilities to detect malicious releases of open source components.

Removing Search Guard from the Central Repository

By Brian Fox on September 11, 2019 The Central Repository
Due to an intellectual property dispute between two third parties, Sonatype is legally required to remove disputed artifacts related to Search Guard from the Central Repository and OSSRH until

Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

By Brian Fox on August 23, 2019 open source security
Last month, the RubyGems strong_password component was breached and injected with malicious code. This is only the latest example of bad actors attacking developers at the source.

Anonymous Access In Nexus Repository is Not A Zero-Day Vulnerability

By Brian Fox on July 02, 2019 Nexus Repository
A researcher contacted us about an issue in Nexus Repository, stemming from user access settings. This was not a zero day, but a product feature UX change, to make it easier to be more secure - we

Open Source Software Is Under Attack; New Event-Stream Hack Is Latest Proof

By Brian Fox on November 27, 2018 vulnerabilities
Open source software is under attack, and the malicious attack on the popular npm event-stream 3 package is just the latest proof.

Deja Vu All Over Again - Another New Apache Struts Vulnerability (CVE-2018-11776)

By Brian Fox on August 23, 2018 Nexus Lifecycle
Another remote code execution vulnerability in Apache’s Struts2 Framework was disclosed on August 22, 2018. Everything you need to know and how to find out if you're affected.

Microsoft and Github: Open source’s future is brighter than ever

By Brian Fox on June 13, 2018 github
With Microsoft’s resources behind a great company like GitHub, the future of secure, quality open source looks brighter than ever.

Making sure our users don't zip-slip and fall

By Brian Fox on June 05, 2018 The Central Repository
Sonatype has provided The Central Repository for over a decade and we take the security of our users very seriously. Once we became aware of the zip-slip vulnerability, we wanted to ensure Central

Enhancing SSL Security and HTTP/2 support for Central

By Brian Fox on May 21, 2018 Central
TLS and HTTP/2 changes coming to Central.