The economics of open source by C J Silverio | JSConf EU 2019

Microsoft Acquires npm: A Healthy Move for Critical Public Infrastructure

Today, news broke that GitHub and its parent company Microsoft, acquired npm and its public repository of open source JavaScript packages. In 2018 when Microsoft acquired Github, many in the developer community had a cautious, even emotional response. Given today’s announcement that GitHub is acquiring npm -- the same concerns ... Read More

The Dot Zero Conundrum and the New Frontier of Securing Open Source

Over the past two years, I’ve spoken about more than instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private ssh keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted ... Read More

Two Steps to Adopting Cyber Security Best Practices for Manufacturing

The manufacturing environment is changing fast. Digital transformation promises substantial increases in productivity, speed and quality. Securing modern manufacturing is essential to safety and uptime. Fortunately, guidelines such as the NIST Cybersecurity Framework for Manufacturing and IEC 62443, along with advanced visibility and cyber security solutions, can help manufacturers build ... Read More

Removing Search Guard from the Central Repository

We at Sonatype take our responsibility as stewards of the Central Repository (Central) very seriously, and for well over a decade we have been dedicated to the ideal of immutability when it comes to serving components to the community that relies on Central. As the stewards of Central, it has ... Read More

Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security

Over the last several years, we’ve been raising awareness of breaches to popular open source software components and the worrying trend that they are more frequently being attacked at the source - bad actors are growing bolder and the velocity of attacks increasing. Last month, the RubyGems strong_password component was ... Read More

Anonymous Access In Nexus Repository is Not A Zero-Day Vulnerability

In March, a researcher from Twistlock contacted us about two issues he identified, stemming from user access settings. As with any disclosure, we immediately looked into it ... Read More