A Clear Path Forward Toward More Secure and Maintainable Open Source Software

It’s rare to see a community truly come together for the common good, but that’s exactly what happened yesterday within our open source community. We cherished the opportunity to participate in a ...

Open source and diversity in tech: [email protected]

There is proven value in hiring a diverse workforce; doing so benefits both company performance and your bottom line. An October 2021 Gartner survey highlights diversity as a top human resource concern ...

Why Companies Should Contribute to Open Source – and How to Do It

Contributing to open source software is beneficial to a business, its developers, and the open source software (OSS) packages they rely on. By giving back, a company can be confident the foundational ...

A Non-Programmer Introduction to the Software Supply Chain (Electron)

A topic that comes up frequently at Sonatype is something called the “software supply chain.” The term is based on how supply companies send parts to manufacturers who assemble them into things ...

Software Supply Chains: an Introductory Guide

The vast majority of developers today don’t develop software from the ground-up and instead rely on third-party resources when creating software. By using pre-built libraries and open source components, engineers can expedite ...

This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain ...

Kaseya Ransomware: a Software Supply Chain Attack or Not?

Following the 4th of July weekend, our industry finds itself digesting the details of yet another large-scale and high-profile ransomware attack. This time it’s the exploitation of Kaseya’s network monitoring and remote ...

What Does NIST’s Definition of Critical Software Mean to You?

On May 12th, President Biden signed the 2021 Cybersecurity Executive Order (EO). Since then, I’ve thought a lot about what it really means for federally focused sellers and buyers of software and ...

How Does Securing the Software Supply Chain Fit the DoD CIO Zero Trust Architecture?

A major buzzword passed around this year is the term “zero trust.” As with similar phrases that have come before, there are different definitions depending on who you ask and what area ...

Are You Still Wondering About Dependency Confusion Attacks?

Recently, the Biden White House released an Executive Order detailing new requirements to address cybersecurity and secure software development, as it relates to national security. This order addresses a variety of issues ...