GDPR Compliance? Lessons Learned from Equifax

by Matt Howard

I’ve spent a ton of time over the past few weeks chatting with different folks about GDPR and how this soon-to-be-enforced EU regulation is contributing to a rising tide of interest in best practices for IT risk management and open source governance.

With GDPR due to become enforceable on 25 May 2018, every company in the world doing business in the EU has been studying GDPR and its potential ramifications for quite a while. What’s new, however, is the fact that many of these companies are all of a sudden interested in understanding how to implement open source governance programs in the wake of the recent Struts2 breach at Equifax.

Simply stated, from the time that Equifax first discovered the breach in late July, the company waited 40 days to disclose the exploit to the public. This leisurely approach toward public notification would not fly in the EU under GDPR rules that are set to take effect in May 2018. Under GDPR, Equifax would have been required to notify the public within 72 hours or face penalties up to €10M ($12M), or up to 2% of prior year revenue, whichever is higher.

Yes, that’s right. Under GDPR rules, Equifax would have been fined $60M for taking their sweet old time to disclose the breach. That’s a whopping $1.5 million per day.

Of course, in the US we do not currently have a federal law requiring companies to inform the public about data breaches. Legislation proposed in 2015 would have set a 30-day disclosure deadline, but the bill failed, most likely because a majority of Congress felt that we already have ample regulation in place in the form of PCI.

The white-hot irony, of course, is that Equifax most likely would have passed a PCI audit with flying colors, yet they still got hacked and lost personal data on 140 million Americans and 40 million Brits because of poor open source governance.

In the face of GDPR, and in the aftermath of Equifax, companies are beginning to understand two things:

  1. web application firewalls, network and end point security tools, and hardened operating systems by themselves are not sufficient to defend against an attack that is aimed at the application layer and exploits known vulnerabilities in popular open source components like Struts.
  2. true data protection requires end-to-end software supply chain hygiene.

As the U.K.’s Information Commissioner’s Office (ICO) states in their FAQ, “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place”. An innovative solution to automatically manage open source risk wouldn’t be a bad idea either; just ask Equifax.

Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017

Egham, UK, December 7, 2017

Security Risks Drive Growth in Overall Security Spending

Gartner, Inc. forecasts worldwide enterprise security spending to total $96.3 billion in 2018, an increase of 8 percent from 2017. Organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy.

“Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide,” said Ruggero Contu, research director at Gartner. “Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years.”

This is validated by Gartner’s 2016 security buying behavior survey*. Of the 53 percent of organizations that cited security risks as the No. 1 driver for overall security spending, the highest percentage of respondents said that a security breach is the main security risk influencing their security spending.

As a result, security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments (see Table 1).

Table 1

Worldwide Security Spending by Segment, 2016-2018 (Millions of Current Dollars)

Segment                        2016      2017      2018
Identity Access Management     3,911     4,279     4,695
Infrastructure Protection      15,156    16,217    17,467
Network Security Equipment     9,789     10,934    11,669
Security Services              48,796    53,065    57,719
Consumer Security Software     4,573     4,637     4,746
Total                          82,225    89,133    96,296

Source: Gartner (December 2017)

Gartner analysts said that several other factors are also fuelling higher security spending.

Regulatory compliance and data privacy have been stimulating spending on security during the past three years, in the U.S. (with regulations such as the Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and Overseas Citizenship of India) but most recently in Europe around the General Data Protection Regulation coming into force on May 28 2018, as well as in China with the Cybersecurity Law that came into effect in June 2016. These regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM. 

Gartner forecasts that by 2020, more than 60 percent of organizations will invest in multiple data security tools such as data loss prevention, encryption and data-centric audit and protection tools, up from approximately 35 percent today.

Skills shortages, technical complexity and the threat landscape will continue to drive the move to automation and outsourcing. “Skill sets are scarce and therefore remain at a premium, leading organizations to seek external help from security consultants, managed security service providers and outsourcers,” said Mr. Contu. “In 2018, spending on security outsourcing services will total $18.5 billion, an 11 percent increase from 2017. The IT outsourcing segment is the second-largest security spending segment after consulting.”

Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75 percent of the spending on security software and hardware products, up from 63 percent in 2016.

Enterprise security budgets are also shifting towards detection and response, and this trend will drive security market growth during the next five years. “This increased focus on detection and response to security incidents has enabled technologies such as endpoint detection and response, and user entity and behavior analytics to disrupt traditional markets such as endpoint protection platforms and SIEM,” said Mr. Contu.

Gartner analysts will further discuss where to deploy technology to add value to security, risk and privacy programs at the Gartner Identity & Access Management Summit, 5-6 March 2018 in London. Follow news and updates from the events on Twitter using #GartnerIAM.

Gartner’s guide to successful DevSecOps

Published: December 4th, 2017 – Christina Cardoza

In a recent survey conducted by Gartner, the organization found that the highest-ranked strategy for a successful DevOps approach was collaboration with information security. “In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame,” Gartner’s research director Ian Head, and distinguished analyst Neil MacDonald, wrote in a report.

The analysts have taken lessons learned from the organization and its clients, and released 10 steps they believe will set businesses on a successful DevSecOps path.

  1. “Adapt your security testing tools and processes to the developers, not the other way around.” According to the analysts, the Sec in DevSecOps should be silent. That means the security team needs to change its processes and tools to integrate into DevOps, instead of trying to force adoption of its old processes.
  2. “Quit trying to eliminate all vulnerabilities during development.” “Perfect security is impossible. Zero risk is impossible. We must bring continuous risk- and trust-based assessment and prioritization of application vulnerabilities to DevSecOps,” Head and MacDonald wrote in their report. DevSecOps should be thought of as a continuous improvement process, meaning security can go beyond development and keep searching for and protecting against vulnerabilities even after services are deployed into production.
  3. “Focus first on identifying and removing the known critical vulnerabilities.” Instead of wasting time trying to break a system, focus on known security issues in prebuilt components, libraries, containers and frameworks, and protect against those before they are put into production.
  4. “Don’t expect to use traditional DAST/SAST without changes.” Scan custom code for unknown vulnerabilities by integrating testing into the IDE, providing autonomous scans that don’t require a security expert, reducing false positives, and delivering results into a bug tracking system or development dashboard.
  5. “Train all developers on the basics of secure coding, but don’t expect them to become security experts.” Training all developers on the basics of security issues will help prevent them from creating harmful scenarios. Developers should be expected to know simple threat modeling scenarios, how to think like a hacker, and not to put secrets like cryptographic keys and passwords into the code, according to Head.
  6. “Adopt a security champion model and implement a simple security requirements gathering tool.” A security champion is someone who can effectively lead the security community of practice, stay up to date with maturity issues, and evangelize, communicate and market what to do with security and how to adapt.
  7. “Eliminate the use of known vulnerable components at the source.” “As previously stated, most risk in modern application assembly comes from the use of known vulnerable components, libraries and frameworks. Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components,” Head and MacDonald wrote.
  8. “Secure and apply operational discipline to automation scripts.” “Treat automation code, scripts, recipes, formation scripts and other such infrastructure and platform artifacts as valuable source code with specific additional risk. Therefore, use source-code-type controls including audit, protection, digital signatures, change control and version control to protect all such infrastructure and platform artifacts,” according to the report.
  9. “Implement strong version control on all code and components.” Be able to capture every change: what was changed, when the change happened and who made it.
  10. “Adopt an immutable infrastructure mindset.” Teams should work towards a place where all the infrastructure is only updated by the tools. This is a sign that the team is maturing, and it provides a more secure way to maintain applications, according to Head.

In addition, the analysts predict that by 2021, DevSecOps will be embedded into 80% of rapid development teams. “Integrating security into DevOps to deliver ‘DevSecOps’ requires changing mindsets, processes and technology. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent,” they wrote.

Sonatype Reports 78% Year-over-Year Growth

Equifax and GDPR accelerate global demand for managed software supply chains in Q3

Fulton, MD – October 18, 2017 – Sonatype, the leader in software supply chain automation, today announced continued growth across every aspect of its Nexus software business. Comparing Q3 year-over-year results, Sonatype reported:

78% growth in total annual contract value (ACV) sold
200% increase in Nexus Lifecycle utilization to 720,000 applications per month
60% increase in active users of Nexus Repository Manager to 1.8 million developers

Sonatype also reported a strong 119% net dollar retention rate (DRR). The company attributes its global growth to customer adoption of automated open source governance into DevOps processes, a desire to comply with impending General Data Protection Regulations (GDPR), and an urgency among IT leaders to avoid Equifax-like breaches.

“Software runs the things that run our world, and recent high-profile breaches like the one at Equifax are serving as a wake-up call for all organizations, many of which suffer from poor software development hygiene,” said Wayne Jackson, CEO of Sonatype. “Our performance over the last 12 months is a testament to the growing realization from developers to the C-suite of a need to embrace DevSecOps automation early and everywhere across the SDLC.”

According to Gartner analysts Neil MacDonald and Ian Head in the October 2017 report 10 Things to Get Right for Successful DevSecOps, “By 2019, more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016.”

Earlier this year, the company announced the acquisition of Vor Security to expand language coverage across open source ecosystems and further strengthen the Nexus platform. The company also added management talent with Letitia Long and Steve Hills joining the board of directors and Bill Karpovich joining as SVP of strategy and corporate development.


Lessons to Learn from the Equifax Case

http://blog.sonatype.com/gdpr-compliance-why-the-best-defense-is-a-great-offense

Struts2 Vulnerability Cracks Equifax

We saw a critical vulnerability in Struts2 that would leave web applications vulnerable to remote execution of code and enable direct access to customer-critical data. Early the next morning, we saw a second severe Struts2 zero-day appear.   Then on Thursday we heard that 143 million consumer records were stolen from Equifax as a direct result of the Struts2 vulnerability……..

http://blog.sonatype.com/struts2-vulnerability-cracks-equifax

Sonatype Acquires Vor Security; Introduces Nexus Lifecycle XC

Nexus Open Source Intelligence is extending coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++ in addition to Java, JavaScript, NuGet, and PyPI

Fulton, MD – June 29, 2017 – Sonatype, a leader in software supply chain automation, today announced that it has acquired Vor Security. Ken Duck, founder and CEO of Vor will join the product and engineering team at Sonatype to continuously expand and refine the open source component intelligence service that underpins the Nexus platform.

As founder and CEO of Vor, Duck created the OSS Index, an innovative and free online index of known open source software vulnerabilities. Today, the index contains more than 2.1 million packages and detailed information on more than 120,000 vulnerabilities across an array of open source ecosystems.

Sonatype also introduced today Nexus Lifecycle XC, a new data service delivered via the Nexus IQ server that will provide organizations with component intelligence covering a wide swath of open source ecosystems and formats including Ruby, PHP, Swift, CocoaPods, Golang, C, and C++.

Landscape of Open Source Intelligence

Compared to the precisely accurate open source intelligence offered by Nexus Lifecycle for Java, JavaScript, NuGet, and PyPI — traditional vendors of Software Composition Analysis (SCA) tools have long provided commodity open source intelligence across a broad spectrum of ecosystems.

Over time, organizations have come to value the unique accuracy of Nexus Lifecycle data for Java, JavaScript, NuGet, and PyPI; but they still require open source intelligence for a wide variety of other ecosystems.  Beginning today, Sonatype is delivering a win-win intelligence engine that combines the depth of Lifecycle data for machine automated open source controls with the breadth of Lifecycle XC data for foundational open source governance.

Supporting Quotes

“Empowering software development teams with broad and precise visibility into the open source supply chain is critical to practicing proper application security hygiene. Sonatype’s world-class team has led the way in bringing remarkably accurate component intelligence to the forefront of the DevOps movement, and I am excited to join forces with their amazing team and continue the journey.” — Ken Duck, CEO, Vor Security

“Since its introduction in 2012, Nexus Lifecycle has seen tremendous acceptance in the market because it provides remarkably precise and accurate intelligence with respect to open source components across Java, JavaScript, NuGet, and PyPI. While enterprise customers, especially those practicing DevOps, place a premium value on the accuracy and precision of our Nexus Lifecycle data, they also need intelligence for a wide variety of other formats and ecosystems. The combination of Lifecycle and Lifecycle XC gives customers the best of both worlds — a premium intelligence service that fully automates enforcement of open source policies inside of a DevOps pipeline, plus a stock data intelligence service to inform basic hygiene for all other ecosystems.” — Wayne Jackson, CEO, Sonatype

“Establishing, managing and maintaining trust in a digital world requires an integrated approach to embed and quantify trust throughout the entire SDLC. Application leaders should rethink their SDLC to be more like a trusted supply chain, taking into account the multiple dependencies and actors.” — Mark Driver, Felix Gaehtgens, Mark O’Neill, Gartner, “Managing Digital Trust in the Software Development Life Cycle”, May 2017 report

About Sonatype

Sonatype is the leading provider of DevOps-native tools to automate modern software supply chains. As the creators of Apache Maven, the Central Repository, and Nexus Repository, Sonatype pioneered componentized software development and has a rich history of supporting open source innovation. Today, more than 120,000 organizations depend on Sonatype’s Nexus platform to govern the volume, variety, and quality of open source components flowing into modern software applications. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. Learn more at www.sonatype.com
