Featured Article

Ransomware in PyPI: Sonatype Spots 'Requests' Typosquats

By Ax Sharma on August 02, 2022 vulnerabilities

Sonatype has spotted multiple typosquats of the popular Python library, 'requests' that contain ransomware scripts.

Java Serialisation - the gift that keeps on taking (Part 2)

By Steve Poole on March 30, 2022 open source security

8 minute read time

Part two of our Java serialization series: the unexpected consequences of design and how the data stream can be compromised.

Read More...

NIST: Adopt a Secure Software Development Framework (SSDF) to Mitigate Risk of Software Vulnerabilities

By Jason Green on June 11, 2020 government open source software (GOSS)

2 minute read time

NIST recommends a SSDF framework to assess open source component cybersecurity risks, including an SBOM and automated security controls in the SDLC.

Read More...

What Does the New CVSS 3.1 Scoring Model Mean for Enterprise Security?

By Ax Sharma on February 17, 2020 vulnerabilities

3 minute read time

Learn how CVSS 3.1 is different from earlier versions and why changes to this security rating matters.

Read More...

The “Big Hack” That Actually Happened - Chinese Military Implicated in Equifax Breach

By Matt Howard on February 11, 2020 vulnerabilities

3 minute read time

Members of the Chinese Military were implicated in the attack on Equifax's software supply chain. It's time to take software supply chain hygiene seriously.

Read More...

How to Use Sonatype OSS Index to Identify Security Vulnerabilities

By Casey Dunham on January 09, 2020 github

8 minute read time

OSS Index enables developers to quickly find vulnerabilities in any library with an easy-to-use search feature. Learn more, and how to access the plugins.

Read More...

Are You a Fool with a Tool?

By DJ Schleen on November 22, 2019 security

3 minute read time

Buckminster Fuller cautioned against prioritizing tools. DevOps should always include discussions of culture, strategy, and process for the best outcomes.

Read More...

A More Secure Web Needs Developers, Defenders, Advocates, and OSS

By Katie McCaskey on September 13, 2019 security

2 minute read time

The largest gathering of Infosec professionals met in Washington, D.C. to discuss the future of web security. Open source software is at the core of it.

Read More...

Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

By Brian Fox on August 23, 2019 open source security

3 minute read time

Last month, the RubyGems strong_password component was breached and injected with malicious code. This is only the latest example of bad actors attacking developers at the source.

Read More...

NIST Proposes Standards to Secure Government SDLC

By Katie McCaskey on July 31, 2019 government open source software (GOSS)

3 minute read time

NIST has proposed a set of standards to address the growing need for better software security. Public comment is open until August 5, 2019.

Read More...

Software composition analysis

Container Security

CODE QUALITY ANALYSIS

Repository MANAGEMENT

Complete Platform

Book a Demo

For Professionals

For Industries

Content

CUSTOMER Portal

Integrations & Free Tools

About us

Contact Us

Sonatype Blog

Ransomware in PyPI: Sonatype Spots 'Requests' Typosquats

Java Serialisation - the gift that keeps on taking (Part 2)

NIST: Adopt a Secure Software Development Framework (SSDF) to Mitigate Risk of Software Vulnerabilities

What Does the New CVSS 3.1 Scoring Model Mean for Enterprise Security?

The “Big Hack” That Actually Happened - Chinese Military Implicated in Equifax Breach

How to Use Sonatype OSS Index to Identify Security Vulnerabilities

Are You a Fool with a Tool?

A More Secure Web Needs Developers, Defenders, Advocates, and OSS

Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

NIST Proposes Standards to Secure Government SDLC

Products

Free Tools

Solutions

Resources

Customer Portal

Company