Sonatype Blog
Conversations about software supply automation, devsecops, open source, continuous delivery, and application security.
Dependency mapping: A beginner’s guide
Aaron Linskens | Application Security, dependencies, open source, software supply chain, Vulnerabilities
Organizations everywhere use open source to expedite development, lower costs, and improve performance. Our annual State of the Software Supply Chain reports consistently reaffirm that open source comprises up to 90% of ...
Open source risk management: Safeguarding software integrity
Aaron Linskens | licenses, open source risk management, secure software supply chain, Sonatype Lifecycle, Vulnerabilities
In the constantly shifting terrain of software supply chains, open source software (OSS) fulfills a dual mandate, propelling innovation forward and serving as the cornerstone of operational efficiency ...
How manufacturing best practices can improve open source consumption and software supply chains
The biggest problem facing software organizations today is an inability to track, monitor, and improve the usage of open source software. This isn’t about security alone. From DevOps to DevSecOps, there are ...
Top 10 open source projects hit by HTTP/2 ‘Rapid Reset’ zero-day
Executive summary In this blog post we list at least 10 open source packages affected by the HTTP/2 'Rapid Reset' vulnerability, disclosed by Cloudflare this week ...
Introducing our 9th annual State of the Software Supply Chain report
Aaron Linskens | FEATURED, News and Views, Open Source Security, Report/Survey/Whitepaper releases, State of the Software Supply Chain
In our fast-paced digital world, striving for excellence is an ongoing journey marked by the relentless pursuit of innovation, efficiency, and a focus on the essential contributors: the developers. Our 9th annual ...
SAST vs. DAST: Enhancing application security
As the threat landscape continues to evolve, organizations face a formidable challenge: ensure the security of their software applications ...
npm packages caught exfiltrating Kubernetes config, SSH keys
The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external ...
New npm PoC packages target PayPal Zettle, Airbnb developers
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
Unlocking the power of generative AI in software development: Insights from Sonatype’s survey
Aaron Linskens | DEVOPS, FEATURED, generative AI, News and Views, secops, software supply chain, survey data
Over the past year, generative artificial intelligence (AI) rapidly emerged as a game-changing technology, similar to the disruptive force of cloud computing in the 2000s. As often happens during the initial phases ...