Sonatype Unveils Full-Spectrum Software Supply Chain Management | Press Release

Open Source and Cloud Security Together at Last

November 12, 2020 By Kevin Miller

Today, we’re excited to announce a partnership with Fugue to bring cloud security and compliance into development work streams, helping your teams build, deploy, and manage secure applications in today's popular cloud-native environments. 

Our combined capabilities will enable developers to easily find and fix security vulnerabilities in third-party libraries - already an extensive part of the Nexus experience - while simultaneously preventing security and compliance issues caused by misconfigured cloud infrastructure.

The more developers understand the quality and security of their code, the better their applications. Today, with many developers deploying applications directly to the cloud, that code might be a third-party open source library they are selecting or an AWS server they are configuring. It’s now more important than ever for developers to have guidance on how to select the highest quality open source components and how to develop secure and compliant cloud infrastructure.

As our CEO Wayne Jackson said in today’s press release - “In today’s cloud-native world, developers are not just responsible for building secure applications, they’re also responsible for configuring and provisioning secure cloud infrastructure using tools like Terraform. By working with Fugue, we’re equipping developers with the right information at the right time so they can always make healthy decisions when configuring IaC.”

Phillip Merrick, CEO of Fugue, echoed Wayne's sentiment, noting, “Sonatype and Fugue have a strong history of leadership in empowering developers to securely build and operate in order to keep their data safe. We’re proud to partner with them to deliver a single solution to address the full breadth of cloud security and compliance challenges.”

What is IaC?

Infrastructure as Code (IaC) uses scripts to automate the provisioning of IT infrastructure. Traditionally, managing servers and infrastructure was a very manual, time-consuming process. Every time a developer wanted to develop, test, or deploy a software application, they had to wait for someone on the operations team to set up the server, operating system, database connections, storage, and other infrastructure elements.

Cloud-native development and virtualization helped eliminate the problem of physical hardware management and enabled developers to stand up their own virtual servers or containers on demand, scaling up or down as usage requires.

IaC, however, introduces new security risks that you need to be aware of. Different rules apply to different applications: healthtech companies, for example, must be HIPAA compliant. But how does a developer know what those rules are? Drift is another major issue. The flexibility afforded by cloud infrastructure can also lead to unplanned changes in production (called drift) that may leave you out of compliance or at risk of a security breach. With developers sitting on the front lines of application and infrastructure security, how do you ensure your sensitive data is safe?

Open Source & IaC together at last

The new IaC offering for Nexus Lifecycle will highlight any risk developers introduce when making changes to their code or cloud configurations. With the ability to have a single policy engine and dashboard to control both open source and IaC risk, your developers and security teams will have full insight into policy, risk, and compliance across open source and cloud infrastructure. 

Only Sonatype and Fugue customers can leverage the same rules and policy definitions from design time to runtime to ensure continuity across the entire SDLC, keeping DevSecOps teams in lock step.

Developers will also receive notifications with actionable insights into policy violations for both open source and infrastructure issues in the tools they use every day, like GitHub and JIRA. Having visibility into open source and cloud security rules all in one place allows Dev teams to accelerate innovation while improving application security and cloud infrastructure security and ensuring compliance.

The new offering will provide access to predefined infrastructure compliance control mappings including CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, SOC 2, and more. Whatever the cloud formation guidelines you’re trying to meet, we’ll have you covered. 

When can I get my hands on this?

Sonatype will launch our new cloud security and compliance capabilities as an add-on to Nexus Lifecycle in early 2021. This new offering will incorporate Fugue's cloud infrastructure security and compliance technology, making it possible for developers using Nexus Lifecycle to find and easily fix misconfigurations in Terraform plans before they are applied to production infrastructure, and to use those same policies with Fugue to ensure continuous runtime compliance in production.
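To make the design-time-to-runtime idea concrete (the policy check on a Terraform plan described here, and the drift problem raised in the "What is IaC?" section), here is an added illustration that is not Sonatype's or Fugue's code. It reads a plan excerpt in the layout of `terraform show -json`, applies one constructed policy rule (no security group may expose port 22 to 0.0.0.0/0), and then applies the same rule to a constructed runtime snapshot to show how a hand-made change after deployment surfaces as both a violation and drift.

```python
"""Design-time policy check on a Terraform plan, then a runtime drift check.
The plan excerpt follows the `terraform show -json` layout; its resource values,
the policy rule and the runtime snapshot are constructed for this illustration."""
import json

# Constructed plan excerpt (shape of `terraform show -json tfplan`).
PLAN_JSON = """{
  "format_version": "0.1",
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"name": "web", "ingress": [
       {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
       {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}}
  ]}}}"""

# Constructed runtime snapshot: the SSH rule was widened by hand after deployment.
OBSERVED = {"aws_security_group.web": {"name": "web", "ingress": [
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}

def ssh_open_to_world(values: dict) -> bool:
    """Policy rule: no ingress rule may expose port 22 to 0.0.0.0/0."""
    return any(r["from_port"] <= 22 <= r["to_port"] and "0.0.0.0/0" in r["cidr_blocks"]
               for r in values.get("ingress", []))

def planned_resources(plan_json: str) -> dict:
    """Map resource address -> planned attribute values for security groups."""
    plan = json.loads(plan_json)
    return {r["address"]: r["values"]
            for r in plan["planned_values"]["root_module"]["resources"]
            if r["type"] == "aws_security_group"}

def check_policy(resources: dict) -> list:
    """Apply the rule to any resource map (plan at design time, snapshot at runtime)."""
    return [f"{addr}: port 22 open to 0.0.0.0/0"
            for addr, values in resources.items() if ssh_open_to_world(values)]

def detect_drift(planned: dict, observed: dict) -> list:
    """Report resources whose live configuration no longer matches the approved plan."""
    return [f"{addr}: drifted from plan"
            for addr, values in planned.items() if observed.get(addr) != values]

if __name__ == "__main__":
    planned = planned_resources(PLAN_JSON)
    print("design-time violations:", check_policy(planned))  # []
    print("runtime violations:", check_policy(OBSERVED))     # one finding
    print("drift:", detect_drift(planned, OBSERVED))         # one resource
```

The plan passes the policy at design time; the same rule run against the live snapshot catches the widened SSH rule, and the drift check pinpoints which resource diverged from what was approved.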

Want to stay up to date on IaC progress, or be first in line for early access? Click here to stay informed.


Written by Kevin Miller

Kevin Miller is a Product Marketing Manager at Sonatype where he works to empower the development community to shift component choice and security left. He believes that putting the right tools and options in the hands of developers will help accelerate software innovation and minimize open source risk.