News and Notes from the makers of Nexus | Sonatype Blog

Open Source Software Is Under Attack; New Event-Stream Hack Is Latest Proof

by Brian Fox, on November 27, 2018

Tags: event-stream, devsecops, npm, Javascript, supply chain attacks, 2018 State of the Software Supply Chain

Deja Vu All Over Again - Another New Apache Struts Vulnerability (CVE-2018-11776)

by Brian Fox, on August 23, 2018

Tags: struts breach, Struts2 vulnerability, Apache Struts2, Open source governances, Nexus Lifecycle

Microsoft and Github: Open source’s future is brighter than ever

by Brian Fox, on June 13, 2018

Tags: Brian Fox, Microsoft, github, open source software, developers

Making sure our users don't zip-slip and fall

by Brian Fox, on June 05, 2018

Tags: security research, Publishing to the Central Repository, The Central Repository, zip-slip, open source vulnerability, help

Enhancing SSL Security and HTTP/2 support for Central

by Brian Fox, on May 21, 2018

Tags: Maven, Central

Secure By Design: Preparing for GDPR Should Begin With Software

by Brian Fox, on May 10, 2018

Tags: Open source governances, gdpr, secure by design, data protection

Fooled twice by the same open source problem? Shame on you. The data behind CVE-2017-8046.

by Brian Fox, on March 07, 2018

Tags: open source vulnerability, Struts2 vulnerability, known vulnerability, software supply chain hygiene, spring vulnerability

ALL POSTS NEXT PAGE

Search With Google

Posts by Topic

Sonatype Says (616)
Nexus Repo Reel (539)
Everything Open Source (389)
AppSec Spotlight (388)
Maven (252)
security (156)
Sonatype (147)
Application Security (116)
News (108)
component vulnerabilities (107)
Open Source (106)
Devops (80)
devsecops (72)
Software Supply Chain (62)
Hudson (58)
Nexus Repository (54)
Nexus (53)
webinar (47)
Book (46)
m2eclipse (41)
nexus pro (40)
open source components (39)
Central (37)
Software supply chain management (37)
eclipse (37)
Docker (36)
Cyber Supply Chain Management and Transparency Act (34)
cyber supply chain management (34)
government open source software (GOSS) (34)
H.R. 5793 (33)
application supply chain management (33)
open source governance (33)
Continuous Delivery (31)
clm (30)
bill of materials (of 3rd party and open source co (29)
nexus professional (28)
open source software supply chain (28)
Cyber Chain Integrity Act (27)
Cyber Supply Chain (27)
repository (27)
Community (26)
Nexus Lifecycle (26)
repository manager (25)
java (24)
continuous integration (19)
jenkins (19)
Sonatype webinar (18)
repository management (18)
Component Lifecycle Management (17)
How-To (17)
Wayne Jackson (17)
open source governance policy (17)
Maven Studio for Eclipse (16)
Nexus OSS (16)
devops (16)
Insight (15)
Nexus Repository 3 (15)
Tycho (15)
Nexus 3 (14)
josh corman (14)
video (14)
Apache Struts2 (13)
AppSec (13)
Jason van Zyl (13)
OWASP (13)
best practice (13)
bill of materials (12)
github (12)
plugins (12)
Ed Royce (R-CA) (11)
Lynn Jenkins (R-KS) (11)
Nexus Firewall (11)
OSS governance (11)
Struts2 vulnerability (11)
Training (11)
equifax (11)
open source policy (11)
open source vulnerability (11)
software bill of materials (11)
Apache Maven (10)
DemoCamp (10)
DevOpsSec (10)
Nexus vs. Artifactory (10)
OSGi (10)
containers (10)
events (10)
Developer Onboarding (9)
Maven 3 (9)
Sonatype Professional (9)
Sonatype training (9)
npm (9)
osstop10 (9)
plugin (9)
Nexus User Conference (8)
Nuget (8)
Open source governances (8)
Red Hat (8)
Rugged DevOps (8)
Struts (8)
ant (8)
atlassian (8)
open source software (8)
Chef (7)
Compliance (7)
DevOps Culture (7)
EclipseCon (7)
Mercury (7)
Nexus IQ (7)
Private Docker Registry (7)
artifactory (7)
documentation (7)
m2e (7)
maven 3.0 (7)
open source development (7)
open source management (7)
pom (7)
release (7)
search (7)
security strategy (7)
struts breach (7)
survey (7)
#OSSsecurity (6)
Nexus Live (6)
Software composition analysis (6)
Sonatype books (6)
apache (6)
application development (6)
open source goveranance (6)
open source risk management (6)
open source security (6)
open source survey (6)
policy automation (6)
staging (6)
.net (5)
2018 State of the Software Supply Chain (5)
Agile (5)
Gradle (5)
IBM (5)
Javascript (5)
Known Vulnerabilities (5)
Kubernetes (5)
Nexus Repository OSS (5)
RubyGems (5)
Scala (5)
SonarQube (5)
The Central Repository (5)
devops automation (5)
gdpr (5)
gene kim (5)
google (5)
open source application scan (5)
open source hygiene (5)
oss (5)
puppet (5)
quality (5)
repository health check (5)
rest (5)
testing (5)
yum (5)
Aether (4)
DevOps tool chain (4)
DevSecOps, Containers, Docker (4)
DevSecOps, DevOps, Application Security (4)
EclipseCon 2011 (4)
Equifax breach (4)
GIT (4)
Gartner (4)
JIRA (4)
JavaOne (4)
MVN-101 (4)
Nexus Intelligence (4)
Nexus Office Hours (4)
Nexus Platform (4)
PCI (4)
Product Release (4)
Professional (4)
RSA Conference (4)
Sonatype Insight (4)
Sonatype Newsletter (4)
Sonatype Nexus (4)
agile development (4)
artifact repository (4)
bouncy castle (4)
build promotion (4)
builds (4)
components (4)
developer (4)
developers (4)
flexmojos (4)
guice (4)
newsletter (4)
nexus open source (4)
operations (4)
policy enforcement (4)
polyglot (4)
security-summary (4)
software supply chain governance (4)
struts2 (4)
technical (4)
3rd party software (3)
Ansible (3)
Archiva (3)
Automated Security (3)
CISO (3)
CloudBees (3)
Continuous Deliver (3)
Cybersecurity (3)
DepShield (3)
DevOps in the Cloud (3)
DevOpsDays (3)
DevSecOps in Government (3)
Devoteam (3)
Enterprise DevOps (3)
Guelph (3)
HP Fortify (3)
Hudson Integration (3)
Insight for CI (3)
IoT Cybersecurity Improvement Act of 2017 (3)
Java.net (3)
Jetty (3)
Maven training (3)
Nexus Repository Pro (3)
Nexus new release (3)
Nexus vs. Archiva (3)
OSS security (3)
OpenShift (3)
Polyglot Maven (3)
REST API (3)
RIM (3)
SDLC (3)
Software Liability (3)
Software Supply Chains (3)
Sonar (3)
Sonatype vs. Black Duck (3)
Tutorial (3)
all day devops (3)
android (3)
automated open source governance (3)
automation (3)
best practices (3)
central maven repository (3)
central repository (3)
configuration (3)
crowd (3)
development (3)
development survey (3)
eliminate open source security risk (3)
governance (3)
gpl (3)
groovy (3)
heartbleed (3)
ivy (3)
javadoc (3)
jboss (3)
ldap (3)
maven shell (3)
microservices (3)
nexus 1.6 (3)
nexus IQ server (3)
nexus repository manager (3)
open source policies (3)
open source security risks (3)
p2 (3)
peaberry (3)
reference architecture (3)
remote code execution (3)
rpm (3)
rundeck (3)
scripting (3)
software security (3)
software supply chain hygiene (3)
sonatype momentum (3)
spring (3)
supply chain management (3)
support (3)
thenexus (3)
vulnerability disclosure (3)
2 minutes (2)
2014 survey (2)
2015 (2)
A9 (2)
AppSecUSA (2)
Application Vulnerabilities (2)
Bamboo (2)
Black Duck (2)
Black Hat (2)
Bower (2)
Brian Fox (2)
CI/CD (2)
CVE (2)
Cisco (2)
Community Spotlight (2)
Component Manager (2)
DAST (2)
DZone (2)
Dashboard (2)
Department of Defense (2)
DevOps Enterprise Summit (2)
DevSecOps journey (2)
Docker Swarm (2)
FDA (2)
FS-ISAC (2)
FS-ISAC controls (2)
Gary McGraw (2)
HA (2)
HackNYC (2)
Helios (2)
High Availability (2)
IDE integration (2)
IoT (2)
JAX 2010 (2)
JavaZone (2)
Jez Humble (2)
MSE (2)
Mark Driver (2)
Matthew McCullough (2)
Maven 101 (2)
Maven 201 (2)
Maven Mechanics (2)
Maven Release plugin (2)
Medical Device Security (2)
Microsoft (2)
NMaven (2)
NPM support (2)
NXRM (2)
Nexus 3.0 (2)
Nexus Pro CLM Edition (2)
OSS logistics (2)
Policies (2)
Puppet Labs (2)
PyPI (2)
Release Management (2)
Research in Motion (2)
SAST (2)
SSL (2)
SSL Connectivity (2)
SVN (2)
State of DevOps (2)
State of the Software Supply Chain (2)
Supermicro (2)
Tomcat (2)
Toolapalooza (2)
analyst report (2)
analytics (2)
api (2)
appengine (2)
application health check (2)
archives (2)
artifacts (2)
audio (2)
aws (2)
bitbucket (2)
books (2)
brian (2)
challenge (2)
chariot solutions (2)
cloud (2)
compliance as code (2)
component governance (2)
component vulnerability (2)
continuous deployment (2)
cultural transformation (2)
customer education (2)
customers (2)
data protection (2)
dependencies (2)
devops tools (2)
docker security (2)
editor (2)
enterprise (2)
epub (2)
event-stream (2)
failsafe (2)
flex (2)
german (2)
help (2)
httpclient (2)
indexer (2)
information security (2)
interview (2)
junit (2)
known vulnerability (2)
license risk (2)
license risks (2)
licensing (2)
management (2)
national vulnerability database (2)
nexus 2 minute challenge (2)
nexus oss (2)
open source growth (2)
open source review boards (2)
open source risk (2)
open source risks (2)
oss index (2)
owasp top 10 (2)
password (2)
pax (2)
performance (2)
plexus (2)
podcast (2)
respository managers (2)
rsac 2018 (2)
ruby (2)
security breach (2)
security research (2)
security vulnerabilities (2)
settings (2)
shift left (2)
smart proxy (2)
snapshot (2)
software supply chain automation (2)
source (2)
summit (2)
supply chain attacks (2)
surefire (2)
tips (2)
trusted software alliance (2)
verizon data breach report (2)
visual studio (2)
vulnerabilities (2)
vulnerability (2)
vulnerable components (2)
windows (2)
women in devops (2)
xml (2)
(ISC)2 (1)
2017 (1)
2017 All Day DevOps (1)
2018 All Day DevOps (1)
451 Research (1)
ABN-AMRO (1)
API tooling (1)
Academy Software Foundation (1)
Advanced Binary Matching (1)
AnDevCon II (1)
Apache httpd (1)
Apple (1)
Application Delivery Toolchain (1)
Application Insight (1)
Archiva vs. Nexus (1)
Artifactory vs. Nexus (1)
Automated Policies (1)
BOSS index (1)
Banking (1)
Black Duck Software (1)
Black Duck vs. Sonatype (1)
Blob Stores (1)
Bloomberg (1)
BoF (1)
CLM dashboard (1)
CSO (1)
Checksum (1)
Cigital (1)
Cleanup (1)
Component Management (1)
Container Security (1)
Contegix (1)
Continuous Advantage (1)
Crosskey (1)
Cyberliability (1)
DOES London (1)
DecSecOps (1)
DevOps Days (1)
DevOps Dozen (1)
DevOps Express (1)
DevOps transformation (1)
DevOps.com (1)
DevSecOps Community Survey (1)
DevSecOps Maturity model (1)
Development strategy (1)
Devnexus 2010 (1)
Devops adoption (1)
Devops maturity (1)
Eclipse Day (1)
Eclipse Foundation (1)
Eclipse Indigo (1)
Eclipse Summit Europe (1)
Emerging Technologies (1)
Enterprise Repository Management (1)
Enterprse (1)
Extended Coverage (1)
Failover (1)
FannieMae (1)
Forrester (1)
Forrester SCA (1)
Fortify (1)
GSA (1)
GetChef (1)
GetSatisfaction.com (1)
Git LFS (1)
Golden Repository (1)
Google Container Registry (1)
GovReady (1)
Guest (1)
HP Partnership (1)
HTTPS/SSL (1)
Harry Weller (1)
Hudson Professional (1)
IT Supply Chain (1)
Imperva (1)
InfoSec (1)
Information Security Study (1)
Innovators (1)
IntelliJ IDEA, (1)
Intuit (1)
JAX (1)
JAXenter (1)
JRuby (1)
JaCoCo (1)
Jason van Gumster (1)
Java8 (1)
Java9 (1)
JenkinsCI (1)
Jim Bird (1)
Kaiser Permanente (1)
Larry Maccherone (1)
Linux (1)
Linux Foundation (1)
MVN 201 (1)
Matrix (1)
Matrix Professional (1)
Maven Enforcer plugin (1)
Maven Jetty plugin (1)
Maven best practices (1)
Maven by Example (1)
Maven meetup (1)
Mesosphere (1)
Mirco Hering (1)
NEA (1)
NSA (1)
Nexus 1.9 (1)
Nexus 2.1 (1)
Nexus 2.3 (1)
Nexus 2.7 (1)
Nexus Best Practices (1)
Nexus CLM (1)
Nexus Jenkins Plugin (1)
Nexus Milestone (1)
Nexus REST API (1)
Nexus UX Design (1)
Nexus artifacts (1)
Nexus competitors (1)
Nexus solutions (1)
Nexus vs BlackDuck (1)
Nexus vs Whitesource (1)
Nexus vs. Artifactory 2015 (1)
OSGi Alliance (1)
OSS compliance (1)
OSS projects (1)
OSSRH (1)
OSVDB (1)
OneOps (1)
Open Shift (1)
OpenChain (1)
OpenEJB (1)
Oracle (1)
Packer (1)
Paris (1)
Philadelphia (1)
Procurement (1)
Product Strategy (1)
Publishing to the Central Repository (1)
RCP applications (1)
Rebellabs (1)
Reporting (1)
Repository Health Check Software Bill of Materials (1)
Roller (1)
Ruby Gems language (1)
Ruby binary support (1)
Ruby on Rails (1)
S3 (1)
SANS (1)
SCA, (1)
Selenium (1)
Software Development Infrastructure (1)
Sonatype Development Insight for Eclipse (1)
Sonatype Suite (1)
Sonatype competitors (1)
Sonatype vs BlackDuck (1)
Sonatype vs Whitesource (1)
Sonatype webinars (1)
Sucess Metrics, DevSecOps, Dashboard (1)
Supply Chain Intelligence (1)
TPG (1)
Teamwork (1)
Terraform (1)
The Q&A Corner (1)
ThreadFix (1)
Twistlock (1)
Twitter (1)
VictorOps (1)
Vor Security (1)
WalMart (1)
XebiaLabs (1)
Xstream (1)
YouTube (1)
Yum Hosted (1)
advanced maven (1)
air (1)
announcement (1)
apache software foundation (1)
appdev (1)
application health (1)
application healthcheck (1)
archetypes (1)
artifactId (1)
asf (1)
audio. interview (1)
awards (1)
backup (1)
backups (1)
bash (1)
bechtolsheim (1)
benchmarks (1)
binary repository (1)
blackboard (1)
blackhat (1)
board of directors, (1)
book review (1)
bookmarking (1)
branding (1)
bugzilla (1)
build (1)
build managers (1)
business (1)
byldan (1)
capture the flag (1)
ceo (1)
checkstyle (1)
cheeseburger risk (1)
ci (1)
clean code (1)
clean up policies (1)
clojure (1)
cloudhopper (1)
cnbc (1)
code (1)
code scanning (1)
codehaus (1)
codes (1)
component characteristics (1)
component development (1)
component licensing (1)
component policies (1)
conference (1)
confluence (1)
congress (1)
continuous (1)
continuous development (1)
continuous security (1)
crypto-mining (1)
cryptocurrency (1)
css (1)
damon edwards (1)
darkReading (1)
data breaches (1)
data privacy (1)
data security (1)
default (1)
delta (1)
deming (1)
department of homeland security (1)
dependency injection (1)
deployment (1)
deserialization (1)
detection (1)
developer centric (1)
development infrastructure (1)
development tool chain (1)
deveops (1)
devop days (1)
devops best practices (1)
devops conferences (1)
devops connect (1)
devops in government (1)
devops sec (1)
devosp (1)
devsecops day (1)
devsecops days (1)
dhs (1)
discovery (1)
docker cloud (1)
dotnet (1)
download (1)
droid (1)
eclipse magazine (1)
eclipse plugin (1)
eclipseCon 2010 (1)
education (1)
edwards deming (1)
elearning (1)
emma (1)
encryption (1)
enforcer plugin (1)
engineering (1)
engineers (1)
enteprise (1)
enterprise software (1)
enunciate (1)
esxi (1)
featured (1)
feedback (1)
funding (1)
g2one (1)
game show (1)
giants (1)
google cloud platform (1)
government (1)
grad (1)
grafeas (1)
grails (1)
grandfathering (1)
gwt (1)
hackers (1)
header (1)
heartbleed bug (1)
hipchat (1)
hippo (1)
history (1)
hosted repositories (1)
how to video (1)
hurricane (1)
iPad 3G (1)
ide (1)
images (1)
index (1)
industry guidelines (1)
industry stats (1)
innovation (1)
insight for jenkins (1)
installation (1)
integration (1)
internet of everything (1)
iq server (1)
jQuery (1)
java 7 (1)
java one (1)
jetspeed (1)
jfokus (1)
john willis (1)
jsr330 (1)
jug (1)
justin (1)
knowledge (1)
lean enterprise (1)
legal (1)
legos (1)
lessons learned (1)
lgentries (1)
licenses (1)
lifecycle (1)
m2ecl (1)
manual policies (1)
manual review processes (1)
masa (1)
maturity model (1)
maven ant how-to conversion (1)
maven stack (1)
maven3 (1)
meetup (1)
migration (1)
minecraft (1)
minishift (1)
mirrors (1)
mixin (1)
mobile (1)
monitor (1)
multi-level staging (1)
mythbusters (1)
nader (1)
neglected 90 (1)
neo4j (1)
new features (1)
new release (1)
new updated version central search (1)
nexus 2.6 (1)
nexus api (1)
nexus futures (1)
nexus index (1)
nexus repositories (1)
nginx (1)
notpetya (1)
npmgate (1)
nvd (1)
oauth (1)
object oriented (1)
onboarding (1)
online developer conference (1)
open source business (1)
open source nexus (1)
open ssl (1)
openid (1)
oreilly (1)
ossindex.net (1)
outreach (1)
pdf (1)
philosophy (1)
phoenix project (1)
pivotal spring (1)
plain text (1)
plug-in (1)
policy violations (1)
poodle (1)
port (1)
portals (1)
press (1)
private repository (1)
product management (1)
python (1)
raible (1)
real world experiences (1)
rebrand (1)
recipe (1)
recruiting (1)
registry (1)
remote (1)
report (1)
repositories (1)
repository manager market share (1)
responsible disclosure (1)
risk analysis (1)
risk management (1)
root cause analysis (1)
ruby gems (1)
rugged (1)
ruggeddevops (1)
saas (1)
salesforce (1)
seam (1)
secrets management (1)
secure by design (1)
secure software supply chain (1)
securing CI/CD (1)
security advisory (1)
security and licensing risk (1)
security design (1)
security risks (1)
securosis (1)
sharing economy (1)
simplifyops (1)
simpligility technologies (1)
software development (1)
software hackers (1)
software supply chain API (1)
software supply chain. devops (1)
software testing (1)
sonatype awards (1)
sonatype meetup (1)
sonatype open source development survey (1)
sonatype pro (1)
source code (1)
speed (1)
spring framework vulnerability (1)
spring vulnerability (1)
springsource (1)
ssc (1)
stackoverflow (1)
stats (1)
studio (1)
survey data (1)
sysadmin (1)
target (1)
thought leaders (1)
tim pettersen (1)
tool chain (1)
transaction manager (1)
user token (1)
username (1)
ux (1)
vc (1)
velocity (1)
version (1)
videos (1)
virtual conference (1)
visualstudio (1)
vmware (1)
wait wait (1)
waterfall (1)
web applications (1)
web attacks (1)
webinars (1)
webpack (1)
weld (1)
zip-slip (1)

see all

The Latest in DevSecOps

Recent Posts

Posts by Topic

The Latest in DevSecOps

Get Blog Updates

Recent Posts

Posts by Topic