3 min

Software supply chain management company Sonatype used its appearance at the CloudNativeSecurityCon event in Seattle this month to detail its latest updates.

The core message is as follows – the addition of cloud to Sonatype’s on-premises and ‘fully disconnected deployment’ options make it a more versatile software composition analysis and application security testing solution.

The company says it is now the only Application Security Testing (AST) and Software Composition Analysis (SCA) tool available that offers cloud, self-hosted and disconnected deployment options.

Why does that matter?

Because it’s all about giving maximum control and flexibility to users. 

Sonatype’s secret sauce includes proprietary intelligence and AI behavioural analysis to help organisations manage their software supply chains at scale to deliver products faster and with safer open source

Deployment options 

Cloud – Software supply chain management is now in the cloud with enterprise-grade security and minimal effort. Customers can protect their software supply chains without needing to deploy and manage infrastructure, a good option making it ideal for organizations looking to streamline their infrastructure and rapidly scale. 

Self Hosted – This solution offers maximum flexibility. Organisations can choose to host on their own servers/on-premises or in a cloud environment of their choice.

Disconnected – The Nexus Disconnected Environment (NDE) is the only open source and dependency management solution available for so-called ‘air-gapped’ environments (so for example, for government and affiliated organisations that want to manage their open source software supply chain).

“As the use of open source software in modern applications continues to increase, so does the risk from malware and other vulnerabilities. Software supply chain attacks have jumped an astonishing 742% per year, on average, over the past three years,” said Mitchell Johnson, chief product development Officer at Sonatype. 

Software soothsayers

According to the soothsayers at magical analyst house Gartner, public cloud spending is estimated to exceed 45% of all enterprise IT spending by 2026.

“As enterprises and governments recognise the incredible need to protect our software supply chains and better understand the open source software they’re using, Sonatype is the only platform on cloud with the industry’s first behavioral AI-driven component firewall that can automatically block malicious malware from entering your software development lifecycle (SDLC) – tThe platform also provides security policy automation with instant developer feedback at all stages of the development process,” notes  Johnson and team.

​​Sonatype positions itself as an industry pioneer and inventor of componentised software development.

Headline hurt factor

“With malicious attacks evolving, cyber attacks increasing and high-profile breaches like Log4j continuing to make headlines, the demand for cybersecurity tools is skyrocketing. It’s clear that modern organisations cannot excel without managed security,” said Chris Rommel, executive vice president at VDC Research. 

Rommel suggests that by expanding the ways organisations can implement DevSecOps and utilise software composition analysis tools, Sonatype is helping to drive the industry forward, making it easier for companies in all industries to protect their software supply chains.

Company president at Sonatype Alex Berry claims that use of his firm’s platform means there is no trade-off between software risk management and productivity. 

“Over 2,000 organizations and 15 million software developers already use this technology to deliver and maintain secure software,” notes Berry.

Sonatype works on every element of an organisation’s software development life cycle, including third-party open source code, first-party source code and containerised code. It identifies critical security vulnerabilities and code quality issues and reports results directly to developers so they can be fixed.

Free image: Wikipedia Commons