We help U.S. Federal agencies, their vendors and contractors to build safer software by assuring that the latest and safest versions of open source components are used. Much like a traditional “supply chain” is used to manufacture products, today’s software is built with a supply chain of components from all over the globe, most of which are open source and some of which have known vulnerabilities.
Through software supply chain automation, our products ensure that organizations:
This is a high priority for the US Government, and legislation on Cyber Supply Chain Management is actively being discussed. Sonatype can help you address this challenge now.
Centralize, store, version and release all build components. Includes enterprise-level support and advanced features.
Block undesirable components from entering or leaving your repository manager.
Support agile by automating policies to ensure acceptable components are used across the software life cycle.
Continually monitor applications for known vulnerabilities in open source components.
Sonatype has a long history of accelerating open source usage. As the stewards of the Central Repository, the creators of the Apache Maven project and the distributors of the Nexus repository managers, Sonatype has supported the adoption of open source by more than 11 million developers worldwide.
Today, Nexus repository managers are preferred 6:1 over all other brands and Nexus Lifecycle has fast become the world-leading choice for open source governance and robust software supply chain automation.
In their paper “Open Source Software in Government: Challenges and Opportunities,” authors Tom Dunn & David Wheeler discuss the need for guidance when discussing open source software (OSS), including the impact of certain restrictive licenses such as GPL, and the growing need for OSS use in development as federal budgets shrink.
“Typically, people divide the (software) world into cost, schedule, functionality, quality. In my experience, almost everyone when they talk ‘quality’, are excluding security.” — David A. Wheeler, Institute for Defense Analyses
As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential “application health check.”