Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/7/2020
06:10 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Sonatype Introduces Next Generation Dependency Management for Software Developers

Advanced Development Pack enables developers to choose the right components.

Fulton, MD – Wednesday, Oct. 7, 2020 - Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today unveils its breakthrough Advanced Development Pack that fundamentally changes how teams manage code dependencies. Designed after studying development and cybersecurity hygiene practices across 30,000 software teams, this new offering available to Nexus Lifecycle customers, ensures developers select the highest quality OSS components that are used to build 90% of a modern application.

The Advanced Development Pack’s pioneering dependency management enables developers to choose components based on project quality, ease-of-upgrade, and advanced knowledge of abnormal committer behavior, giving them confidence they’ve chosen the highest quality component available. It helps developers understand:

  • the cost of migrating to a newer or safer version and whether it is possible to do so without breaking their code
  • The performance of OSS projects they are choosing when it comes to release frequency, cadence of dependency updates, development team size, and popularity - helping guide choices to a higher quality pool of components
  • The frequency in which dependencies have become vulnerable and are remediated - helping them better grasp the cost and threat of relying on such packages
  • When suspicious behavior has been observed in project code commits - providing an early warning to malicious injection attacks from adversaries

With more than 67% of developers regularly impacted when dependency upgrades break the functionality of their application, Sonatype’s Advanced Development Pack removes the guesswork, and tells developers exactly which dependencies provide the least costly upgrade path in terms of effort. Enhanced capabilities include: 

  • Breaking changes - in an industry first - enabling developers to instantly see which component version upgrades will require the least effort with the fewest breaking changes.
  • Release integrity - a first-of-its-kind early warning system using AI and ML to automatically identify and block next-gen software supply chain attacks relying on typosquatting and malicious code injection. In the past 90 days, the malicious code detection bots supporting this feature have discovered 43 new malicious packages including electorn and loadyaml.
  • Project Hygiene Rating - dubbed the Consumer Reports of OSS Projects - this first-of-its-kind health & hygiene rating system enables developers to select projects with the very best track records of release frequency, popularity, vulnerability remediation times, developer staffing, and other performance attributes.  The exemplar, neutral, and laggard ratings assigned to each component were determined by a deep analysis of 30,000 OSS projects over a five year period.
  • Transitive Solver - tackling a project’s overall risk and not just individual dependencies, Sonatype’s transitive solver provides comprehensive remediation advice for solving both direct and transitive dependencies - all without violating policies or failing builds.
  • Component Chooser - think of this as Google for open source - it is an engine that helps developers search and compare OSS components in order to select the highest quality options. Component quality takes into account the project's hygiene rating, security and license compliance, and awareness of where else the component is being used within the developer’s organization. This feature - currently in beta - will be generally available in 2021. 

"Developer ownership of the security and reliability of their code is increasingly important. With the Advanced Development Pack, we’re bringing the most comprehensive set of data on OSS projects to their fingertips." said Brian Fox, CTO of Sonatype. "As a developer myself, my aim has always been to deliver the highest quality code to customers in the shortest period of time.  But when breaking changes, compliance issues, version control, and cybersecurity vulnerabilities pop-up, delivery timelines are challenged.  By reducing these speed bumps to delivery, we’re going to make a lot of developers happier and enable them to spend more time innovating and less time fixing their code.” 

About Sonatype 

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,200 enterprise customers, and is trusted by more than 10 million software developers.  Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, Twitter, or LinkedIn.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11484
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a vulnerability in the AMI BMC firmware in which an attacker with administrative privileges can obtain the hash of the BMC/IPMI user password, which may lead to information disclosure.
CVE-2020-11485
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contains a Cross-Site Request Forgery (CSRF) vulnerability in the AMI BMC firmware in which the web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the u...
CVE-2020-11486
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30, contain a vulnerability in the AMI BMC firmware in which software allows an attacker to upload or transfer files that can be automatically processed within the product's environment, which may lead to remote code execution.
CVE-2020-11487
PUBLISHED: 2020-10-29
NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. DGX-2 with BMC firmware versions prior to 1.06.06 and all DGX A100 Servers with all BMC firmware versions, contains a vulnerability in the AMI BMC firmware in which the use of a hard-coded RSA 1024 key with weak ciphers may lead ...
CVE-2020-11488
PUBLISHED: 2020-10-29
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contains a vulnerability in the AMI BMC firmware in which software does not validate the RSA 1024 public key used to verify the firmware signature, which may lead to i...