January 06, 2022 By Andrew Yorra In a stern warning issued Tuesday, the Federal Trade Commission (FTC) put companies on notice that any failure to protect against Log4shell could become costly. This announcement underlines the new requirement that every company must meet under the Federal Trade Commission Act (the “FTC Act”). As a result, reasonable steps to mitigate a known software vulnerability are now a legal obligation…
December 31, 2021 By Rishav Mishra The Log4j vulnerability may not have changed everyone’s world, but it certainly provided an end-of-year wake-up call for the entire software development world. Notably, it has highlighted that critical systems are more than just connections and software. They are software components. As more and more customers have crucial software projects in development within their organization, these vulnerabilities are an ongoing concern…
December 30, 2021 By Chris Good The clock continues to tick as exploits for the recently discovered Log4j vulnerability are expected to continue well into the coming months, and even years. Companies are rushing to scan applications to locate vulnerable components affected by the Log4j attacks…
December 29, 2021 By Ax Sharma Yesterday, Apache released Log4j version 2.17.1, which squashes a newly discovered code execution bug, tracked as CVE-2021-44832. Our Log4j vulnerability resource center has since been updated to reflect ongoing download trends and statistics for 2.17.1. But the quasi-alarming code execution bug isn’t as trivial to exploit as the original critical Log4Shell vulnerability (CVE-2021-44228) that set the internet on fire…
December 22, 2021 By Jason Nalewak There is an old fable that talks about the circle of life in the plains of Africa where every morning a gazelle wakes up and knows that it must run faster than the lion or it will be eaten. The current Apache log4j remote shell execution (RCE) exploit that is playing out during the writing of this blog post is a stark example of how that fable has some truth to it. I think a more realistic truth would change the gazelle’s logic slightly to say that it doesn’t necessarily have to outrun the fastest lion…
December 21, 2021 By Ax Sharma As the log4j vulnerability disclosures come out, and exploitation in the wild is ongoing, we have been closely monitoring developments and tracking the gap between the disclosures and how fast the patching occurs, in the Log4j resource center…
December 15, 2021 By Ilkka Turunen In light of the wave of security vulnerabilities and exploitation affecting Log4j, we here at Sonatype have been working to keep on top of the ever-evolving situation as the attacks mutate, and as new discoveries are made in other logging frameworks…
December 14, 2021 By Ilkka Turunen On Friday, the news broke about Log4Shell, an easy-to-exploit vulnerability being exploited across the world. We have kept our blog from Friday up to date with the latest news, mitigations and strategies that you can take as a maintainer or operator of software using log4j.
December 10, 2021 By Ilkka Turunen News broke early Friday morning of a serious 0-day Remote Code Execution exploit in log4j (CVE-2021-44228), the most popular Java logging framework, used by Java software far and wide. This type of vulnerability is especially dangerous as it can be used to run any code via your software and requires very little skill from an attacker to pull off. Log4j is near ubiquitous in Java applications, so immediate action is needed from software maintainers to patch.
March 16, 2021 By Brian Fox Ask any software developer, and they will tell you the truth about two things: Conventional code analysis and application security tools are overly noisy and generally not well integrated into the developer workflow. Tools that don’t actually make life easier for developers are perceived as friction and commonly ignored. Rather than slowing developers down with process-heavy security gates or circuitous code quality alerts, we believe developers are better served by providing them with gentle, timely, and effective nudges that actually help them improve the quality and security of the applications they are building.
March 16, 2021 By Alexander Dale “Containers are changing the data center the same way containers changed global trade.” – Jim Zemlin, Executive Director, Linux Foundation Today, we announced the newest addition to the Nexus Platform - Nexus Container - a solution we’re especially excited about bringing to the market and our customers. Why? We all know that securing containers and Kubernetes deployments from build to run-time requires a holistic approach to defense.
March 04, 2021 By Brent Kostak As news continues to cascade on a recent dependency hijacking software supply chain attack, detections of dependency confusion (a.k.a. namespace confusion) copycat packages are on the rise. These counterfeit packages, presenting the same attack method which compromised over 35 major companies’ internal systems including Microsoft, Apple, Tesla, and Netflix, are surfacing in npm and potentially other open source registries (PyPI, RubyGems, NuGet, etc.).
February 12, 2021 By Ax Sharma Just three days ago on February 9th, Sonatype released our findings on Alex Birsan’s research in which he used the “dependency or namespace confusion” technique to push his malicious proof-of-concept (PoC) code to internal development builds of over 35 major tech organizations including Microsoft, Apple, Tesla, Uber and others.
December 14, 2020 By Ax Sharma In the past week the US Treasury, US Department of Commerce and cybersecurity company FireEye experienced breaches tied to their reliance on software supply chains and a compromise of a SolarWinds software application. Officials stated that the exploit path demonstrated all signs of a nation-state sponsored cyberattack.
September 16, 2020 By Alyssa Shames It’s no secret that container usage has increased rapidly in the last few years. As reported in our 2020 State of the Software Supply Chain Report, “Pulls of container images topped 8 billion for the month of January. This means annualized image pulls from the repository should top 96 billion this year. To keep pace with demand, suppliers pushed 2.2 million new images to DockerHub over the past year – up 55% since our last report.” However, this popularity increases the likelihood that adversaries will look to containers as an attack vector to steal data, install ransomware, or perform crypto-mining attacks.
June 26, 2020 By Derek Weeks If money “makes the world go round”, then today, software developers are the ones pushing and spinning the globe. Every day developers ensure that digital money (and other financial products and services) is securely routed around the planet as intended. And the happy ones do it best.
March 17, 2020 By David Rudolph As a Sonatype Nexus customer, your success has always been our relentless focus. In this moment, with the global spread of COVID-19, we add the health and well-being of you and your family to this concern. I am emailing to share a few thoughts and the important steps we have already taken to ensure our business continuity for you, while promoting the well-being of our employees.
February 07, 2020 By Daniel Hernández In this article we are going to explore how you can publish your Java artifacts (.ear, .jar, .war) to Nexus 3 using Jenkins and Maven. For this I have created a docker compose file which comes with Nexus and Jenkins. Let's take into consideration these assumptions and details about how the example works:
February 04, 2020 By Peter Morlion What does a continuous delivery pipeline look like? Which pieces do we need to have in place for us to achieve true continuous delivery? Kamalika Majumder lays out the anatomy of a continuous delivery pipeline. What Companies Need: Companies are always looking for shorter release cycles, continuous integration, QA, and security. In essence, they want to sell faster and sell better quality products. This applies to all companies, whether they’re selling services or actual products.
January 30, 2020 By Ember DeBoer This is an excerpt from Out of the Wild: A Beginner's Guide to Package and Dependency Management, a Sonatype Guide. This is the final installment. (Read part one and part two.) So, why do I need a Binary Repository Manager? Binary repository managers serve a couple of important functions as part of a modern software development lifecycle. First, they can serve as a local copy, or “proxy,” repository for the language-specific package repositories/registries we discussed earlier. Creating these proxy repositories in a repository manager to store and cache your OSS components locally—rather than downloading them directly from an online repository every time you kick off a build—can provide some of the following benefits, as stated in our own Repository Management Basics course:
January 29, 2020 By Matt Howard Recently, I moderated round table discussions between dozens of CISOs at Evanta CISO Summits in Chicago and Atlanta. My colleague, Michelle Dufty, moderated a similar event in San Francisco. The purpose of the sessions was to have an authentic conversation about the emerging practice of DevSecOps and explore the following unconventional idea: