Sonatype Selected by Equifax to Support OS Governance Press Release

blog-logo Sonatype Blog

A Lesson in Why “Security by Press Release” Is Detrimental

By Akshay 'Ax' Sharma on November 02, 2018 vulnerabilities
Last week news broke about a 3-year old jQuery vulnerability that was just discovered, and had just been patched - sending many into a frenzy. The reality, however, is this is an old vulnerability
Read More...

Dirty Rivers Flow Downstream, Leading to Dirty Reservoirs

By Sylvia Fronczak on November 02, 2018 devsecops
A reservoir is created by rivers and streams that flow into it. What if one of those rivers is polluted? It pollutes the whole thing. Similarly, in software, if we add dependencies that are
Read More...

Software Composition Analysis: Precision Definitely Matters (Just Ask Our Competitors)

Just two years ago, SCA was more about helping traditional security professionals identify suspects across a broad spectrum of open source ecosystems. Much has changed since then. Today,
Read More...

I Am A Serial Cryptominer: An Open Letter to Software Developers

By Hack Overflow on June 14, 2018 Devops
An open letter to the DevOps community from a cryptocurrency miner.
Read More...

Making sure our users don't zip-slip and fall

By Brian Fox on June 05, 2018 The Central Repository
Sonatype has provided The Central Repository for over a decade and we take security of the users very seriously. Once we became aware of the zip-slip vulnerability, we wanted to to ensure Central
Read More...

WSJ on Struts: Companies Still Downloading Flaw Linked to Equifax Breach

The Wall Street Journal discusses open-source governance, Struts and how companies are still downloading the flaw that led to the Equifax Breach
Read More...

Struts One-Two Punch Knocks Out India

The social security system of India, AADHAAR, was just breached due to a Struts related vulnerability exploited on their website. If you are not familiar with AADHAAR, it offers a 12-digital personal
Read More...

Open Source Governance Hits the C-Suite

By Derek Weeks on April 11, 2018 open source management
The Wall Street Journal’s Adam Janofsky wrote an article entitled, How Companies Can Manage Risks Tied to Open-Source Software*. Coverage of this topic sheds light on a topic for executives, that has
Read More...

Fooled twice by the same open source problem? Shame on you. The data behind CVE-2017-8046.

By Brian Fox on March 07, 2018 known vulnerability
Organizations keep software applications safe, not by chance, but by preparation. Open source vulnerabilities like Struts 2 and Spring are going to happen, companies need continuous monitoring to
Read More...