Brian Fox, Author at Security Boulevard

Why Sonatype is Acquiring MuseDev

Ask any software developer, and they will tell you the truth about two things: conventional code analysis and application security tools are overly noisy and generally not well integrated into the developer workflow. Tools that don’t actually make life easier for developers are perceived as friction and commonly ignored. Rather ...

Why Namespacing Matters in Public Open Source Repositories

Yesterday we saw the disclosure of a report showing how a security researcher was able to successfully infiltrate 35+ name-brand companies, primarily via npm. Ironically, the mechanism used to perpetrate the attack, what’s being called namespace confusion or dependency confusion, is one that I’m quite familiar with and has ...

Dear Bintray and JCenter Users – Here’s What You Need to Know About The Central Repository

If you’re freaking out because JFrog announced it’s sunsetting Bintray and JCenter, and are concerned about moving your Java components into The Central Repository, I want to first and foremost say: don’t worry. We’re here for you and I personally want to make sure you feel prepared for that ...

Making Developer’s Lives Easier as We Enter The New Frontier of Dependency Management

In recent years, we at Sonatype have dedicated an extensive amount of time to studying enterprise development teams, open source projects, and how everything in the OSS ecosystem works together. In fact, in a two-year-long study with Gene Kim and Stephen Magill we examined software release patterns and cybersecurity hygiene ...

Octopus Scanner Compromises 26 OSS Projects on GitHub

Updated from original May 29th post. Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you just go by the list of ingredients, you know what you've used, but not the quality of the ingredients themselves. In the realm of software ...

Octopus Malware Compromises 26 OSS Projects on GitHub

Updated from original May 29th post. Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you just go by the list of ingredients, you know what you've used, but not the quality of the ingredients themselves. In the realm of software ...

Microsoft Acquires npm: A Healthy Move for Critical Public Infrastructure

Today, news broke that GitHub and its parent company, Microsoft, acquired npm and its public repository of open source JavaScript packages. In 2018, when Microsoft acquired GitHub, many in the developer community had a cautious, even emotional response. Given today’s announcement that GitHub is acquiring npm, the same concerns ...

The Dot Zero Conundrum and the New Frontier of Securing Open Source

Over the past two years, I’ve spoken about more than instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted ...

Two Steps to Adopting Cyber Security Best Practices for Manufacturing

The manufacturing environment is changing fast. Digital transformation promises substantial increases in productivity, speed and quality. Securing modern manufacturing is essential to safety and uptime. Fortunately, guidelines such as the NIST Cybersecurity Framework for Manufacturing and IEC 62443, along with advanced visibility and cyber security solutions, can help manufacturers build ...

Removing Search Guard from the Central Repository

We at Sonatype take our responsibility as stewards of the Central Repository (Central) very seriously, and for well over a decade we have been dedicated to the ideal of immutability when it comes to serving components to the community that relies on Central. As the stewards of Central, it has ...