Sonatype Reports 78% Year-over-Year Growth

Equifax and GDPR accelerate global demand for managed software supply chains in Q3

Fulton, MD – October 18, 2017 – Sonatype, the leader in software supply chain automation, today announced continued growth across every aspect of its Nexus software business. Comparing Q3 year-over-year results, Sonatype reported:

78% growth in total annual contract value (ACV) sold
200% increase in Nexus Lifecycle utilization to 720,000 applications per month
60% increase in active users of Nexus Repository Manager to 1.8 million developers
Sonatype also reported a strong 119% net dollar retention rate (DRR). The company attributes its global growth to customer adoption of automated open source governance into DevOps processes, a desire to comply with the impending General Data Protection Regulation (GDPR), and an urgency among IT leaders to avoid Equifax-like breaches.

“Software runs the things that run our world, and recent high-profile breaches like the one at Equifax are serving as a wake-up call for all organizations, many of which suffer from poor software development hygiene,” said Wayne Jackson, CEO of Sonatype. “Our performance over the last 12 months is a testament to the growing realization from developers to the C-suite of a need to embrace DevSecOps automation early and everywhere across the SDLC.”

According to Gartner analysts Neil MacDonald and Ian Head in the October 2017 report 10 Things to Get Right for Successful DevSecOps, “By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016.”

Earlier this year, the company announced the acquisition of Vor Security to expand language coverage across open source ecosystems and further strengthen the Nexus platform. The company also added management talent with Letitia Long and Steve Hills joining the board of directors and Bill Karpovich joining as SVP of strategy and corporate development.

Media Contact
Katie Hanusik, 703-287-7824

Lessons to learn from the Equifax case

By Matt Howard
I’ve spent a ton of time over the past few weeks chatting with different folks about GDPR and how this soon-to-be-enforced EU regulation is contributing to a rising tide of interest in best practices for IT risk management and open source governance.

With GDPR due to become enforceable on 25 May 2018, every company in the world doing business in the EU has been studying GDPR and its potential ramifications for quite a while. What’s new, however, is the fact that many of these companies are all of a sudden interested in understanding how to implement open source governance programs in the wake of the recent Struts2 breach at Equifax.

Simply stated, from the time that Equifax first discovered the breach in late July, the company waited 40 days to disclose the exploit to the public. This leisurely approach toward public notification would not fly in the EU under GDPR rules that are set to take effect in May 2018. Under GDPR, Equifax would have been required to notify the public within 72 hours or face penalties of up to €10M ($12M) or up to 2% of prior year revenue, whichever is higher.

Yes, that’s right. Under GDPR rules, Equifax would have been fined $60M for taking their sweet old time to disclose the breach. That’s a whopping $1.5 million per day.

Of course, in the US we do not currently have a federal law requiring companies to inform the public about data breaches. Legislation proposed in 2015 would have set a 30-day disclosure deadline, but the bill failed, most likely because a majority of Congress felt that we already have ample regulation in place in the form of PCI.

The white-hot irony, of course, is that Equifax most likely would have passed a PCI audit with flying colors, yet they still got hacked and lost personal data on 140 million Americans and 40 million Brits because of poor open source governance.

In the face of GDPR, and in the aftermath of Equifax, companies are beginning to understand two things:

Web application firewalls, network and endpoint security tools, and hardened operating systems by themselves are not sufficient to defend against an attack that is aimed at the application layer and exploits known vulnerabilities in popular open source components like Struts.
True data protection requires end-to-end software supply chain hygiene.
As the U.K.’s Information Commissioner’s Office (ICO) states in its FAQ, “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.” An innovative solution to automatically manage open source risk wouldn’t be a bad idea either — just ask Equifax.