Why Software Composition Analysis (SCA) Demands Precision

3 minute read time

Software Composition Analysis: Getting to the Signal Through the Noise, by 451 Research, demonstrates Sonatype's leadership in software composition analysis.
Read More...

Software Composition Analysis: A Matter of Perspective (and Experience)

2 minute read time

The SCA market is young - leaving everyone wrestling with a critical question: is it a security-centric, developer-centric, or a legal-centric endeavor? At Sonatype, we believe it's all of the above.
Read More...

Software Composition Analysis: Precision Definitely Matters (Just Ask Our Competitors)

3 minute read time

Just two years ago, SCA was more about helping traditional security professionals identify suspects across a broad spectrum of open source ecosystems. Much has changed since then. Today,
Read More...

Malicious Intent: Open Source Developers, Please Protect Your Users

By Brian Fox on February 14, 2018 software bill of materials

1 minute read time

Pay attention to your own digital security as you would if you were protecting millions of others. Malicious code found in npm package conventional-changelog.
Read More...

The Hijacking of a Known GitHub ID: go-bindata

By Brian Fox on February 07, 2018 Software Supply Chain

2 minute read time

the creator of go-bindata deleted their @github account and someone else created a new account under the same name
Read More...

The Power of Data in DevSecOps

By Derek Weeks on January 28, 2018 OSS governance

2 minute read time

Better data improves mean times to repair in DevSecOps pipelines.
Read More...

DevSecOps Goes Mainstream

By Derek Weeks on January 14, 2018 open source governance

1 minute read time

Traditional security techniques using ownership and control rather than trust will not work in the digital world.
Read More...

How DevOps Killed the Market for Software Composition Analysis

By Matt Howard on February 28, 2017 Application Security

1 minute read time

SCA tools are waterfall-native by design. It is impossible to integrate SCA security controls into DevOps-native work flows in an automated and scalable way.
Read More...