DevZone

A guide for open source software (OSS) security

A guide for open source software (OSS) security

| | DevZone, open source, secure software supply chain, software supply chain automation, Sonatype Lifecycle, Sonatype Repository Firewall
When you search for a dependable open source software (OSS) component to integrate into your software supply chain, evaluation of the component's security emerges as a critical task. This involves not only ...
Sonatype Blog NEW 2024
The impact of automating open source dependency management

The impact of automating open source dependency management

| | Automation, dependencies, developers, DevZone, Sonatype Lifecycle
Recently, I chatted with developers from a customer in a heavily regulated industry. They were manually updating their open source dependencies and wanted to find a better solution to save time. Keeping ...
Sonatype Blog
The impact of automating open source dependency management

The impact of automating open source dependency management

| | Automation, dependencies, developers, DevZone, Sonatype Lifecycle
Recently, I chatted with developers from a customer in a heavily regulated industry. They were manually updating their open source dependencies and wanted to find a better solution to save time. Keeping ...
Sonatype Blog NEW 2024
SBOM, VDR, and Maven: Transforming the Apache Logging experience to a common pattern

SBOM, VDR, and Maven: Transforming the Apache Logging experience to a common pattern

| | CycloneDX, DevZone, Maven, SBOM, Vulnerabilities
In late 2023, a few members of the Apache Logging Services project – known for providing the famous Log4j logging framework – received funding from the Sovereign Tech Fund (STF) to enhance ...
Sonatype Blog
npm packages spread 'Bladeroid' crypto-stealer, hijack your Instagram

npm packages spread ‘Bladeroid’ crypto-stealer, hijack your Instagram

| | DevZone, malicious code npm, npm, Sonatype Repository Firewall, Vulnerabilities
Sonatype has identified multiple open source packages named sniperv1, sniperv2, among others that infect npm developers with a Windows info-stealer and crypto-stealer called 'Bladeroid.' ...
Sonatype Blog
The curious case of 'csrf-magic': A case study in supply chain poisoning

The curious case of ‘csrf-magic’: A case study in supply chain poisoning

| | DevZone, software supply chain, Sonatype Repository Firewall, vulnerability
Back in the day, Ivanti disclosed CVE-2021-44529, a critical "code injection" vulnerability in its EPM Cloud Services Appliance (CSA) product ...
Sonatype Blog
Exploited Ivanti Connect SSRF vulnerability traced back to 'xmltooling' OSS library

Exploited Ivanti Connect SSRF vulnerability traced back to ‘xmltooling’ OSS library

| | DevZone, FEATURED, Nexus Lifecycle, Vulnerabilities, vulnerability
Over the past few weeks, vulnerabilities in proprietary Ivanti products, in particular Ivanti Connect Secure, Policy Secure, and ZTA gateways, have been making headlines for their active exploitation in the wild ...
Sonatype Blog
npm flooded with 748 packages that store movies

npm flooded with 748 packages that store movies

| | DevZone, npm, Vulnerabilities
Meet npmjs.com, a video and eBook hosting platform — not our words, but it seems that's what goes in the mind of some users (and attackers) recently seen misusing the platform to ...
Sonatype Blog
DevSecOps tools: A beginner's guide

DevSecOps tools: A beginner’s guide

| | Automation, DevSecOps, DevZone, open source, Post security/devsecops
DevSecOps, a fusion of development, security, and operations, marks a paradigm shift in software development, seamlessly integrating security throughout the software development life cycle (SDLC) ...
Sonatype Blog
'everything' matters — why the npm package sparked controversy

‘everything’ matters — why the npm package sparked controversy

| | DevZone, npm, open source, Security Vulnerabilities
The npm package 'everything' sparked some controversy slowly after its publication over the holidays this year ...
Sonatype Blog
Load more