Making Developers' Lives Easier as We Enter the New Frontier of Dependency Management
In recent years, we at Sonatype have dedicated an extensive amount of time to studying enterprise development teams, open source projects, and how everything in the OSS ecosystem works together. In fact, in a two-year-long study with Gene Kim and Stephen Magill, we examined software release patterns and cybersecurity hygiene ...
Octopus Scanner Compromises 26 OSS Projects on GitHub
Updated from the original May 29th post. Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you just go by the list of ingredients, you know what you've used, but not the quality of the ingredients themselves. In the realm of software ...
Octopus Malware Compromises 26 OSS Projects on GitHub
Updated from the original May 29th post. Making a salad for lunch or dinner? What ingredients do you use? Lettuce, carrots, onions, tomatoes, dressing? If you just go by the list of ingredients, you know what you've used, but not the quality of the ingredients themselves. In the realm of software ...
Microsoft Acquires npm: A Healthy Move for Critical Public Infrastructure
Today, news broke that GitHub, and its parent company Microsoft, acquired npm and its public repository of open source JavaScript packages. In 2018, when Microsoft acquired GitHub, many in the developer community had a cautious, even emotional response. Given today's announcement that GitHub is acquiring npm, the same concerns ...
The Dot Zero Conundrum and the New Frontier of Securing Open Source
Over the past two years, I've spoken about more than instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries have used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted ...
Two Steps to Adopting Cyber Security Best Practices for Manufacturing
The manufacturing environment is changing fast. Digital transformation promises substantial increases in productivity, speed, and quality. Securing modern manufacturing is essential to safety and uptime. Fortunately, guidelines such as the NIST Cybersecurity Framework for Manufacturing and IEC 62443, along with advanced visibility and cyber security solutions, can help manufacturers build ...
Removing Search Guard from the Central Repository
We at Sonatype take our responsibility as stewards of the Central Repository (Central) very seriously, and for well over a decade we have been dedicated to the ideal of immutability when it comes to serving components to the community that relies on Central. As the stewards of Central, it has ...
Anatomy of the RubyGems ‘rest-client’ hack, and getting creative about open source security
Over the last several years, we've been raising awareness of breaches of popular open source software components and the worrying trend that they are more frequently being attacked at the source: bad actors are growing bolder and the velocity of attacks is increasing. Last month, the RubyGems strong_password component was ...
Anonymous Access in Nexus Repository Is Not a Zero-Day Vulnerability
In March, a researcher from Twistlock contacted us about two issues he had identified, stemming from user access settings. As with any disclosure, we immediately looked into it ...