PCI Compliance

PCI says “No” to using components with known vulnerabilities. Sonatype can help.

The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data. Credit card security became more demanding with the mandate to "avoid components with known vulnerabilities," which follows recent Open Web Application Security Project (OWASP) guidelines. The good news is that Sonatype makes it easy to avoid this risk and achieve PCI compliance.

Why are components the "neglected 90%?" What's the risk?

These days, your developers assemble the majority of your applications from open source building blocks called "components," which are shared across a vast global developer network. Yet your organization probably doesn't know which components are used, where they are used, or which of them carry security risks that do not comply with PCI standards.

Sonatype created Nexus Lifecycle (formerly Component Lifecycle Management) to help you meet PCI standards by providing complete visibility into component security, license and quality risks backed up by the automation and monitoring to ensure compliance over time.

The threat is real. Take Struts as an example.

Recent cyber attacks targeting known vulnerabilities in heavily used older versions of a popular open source web framework called "Struts" impacted:

  • global banks
  • a large financial exchange
  • a major software provider
  • and hundreds more

Despite 30+ publicly disclosed vulnerabilities, each fixed immediately in 35+ new versions, and an FBI Flash Alert, 2,682 organizations have downloaded vulnerable Struts versions 80,575 times. Empower your developers to avoid vulnerable components from the start. It's a small investment that protects the 90% of your application that is made up of components.

FS-ISAC recommends Sonatype for "Policy management and enforcement of open source libraries and components." With Nexus Lifecycle, you can:

Find and remediate problems early in development using the tools that your developers use every day. No extra work or delays.

Automate policies for open source security, license and quality, with integration throughout your software development lifecycle.

Monitor continuously to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.

What's Next?

Are there component security or license issues in your applications? Find out in 2 minutes; it's confidential and free.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."

  • Confidentially and quickly analyze your open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality and license risks
  • Analyze both internal and third party applications
