Sonatype, the leader in Component Lifecycle Management (CLM), today introduced a revolutionary new approach to application security which significantly reduces the risk in using freely available, open source software (OSS) components. Sonatype CLM is the first and only solution to secure the entire component lifecycle – from design, development and deployment through production operations.

Sonatype CLM directly addresses the Open Web Application Security Project (OWASP) Top Ten for 2013. The definitive resource for application and mobile security best practices, OWASP Top Ten for the first time includes provision A9: using components with known vulnerabilities.

For years, software developers have been using free, open-source components to speed software development and reduce costs. The usage of components is now so commonplace that more than eight billion components were downloaded from Sonatype’s Central Repository in 2012 alone. Most modern software applications are built by stringing together these components – roughly 80 percent of an application is comprised of open-source components with the remaining 20 percent being proprietary components and written code.

The downside to the exploding use of components has been lagging security standards and increased exposure to exploit. According to new Sonatype research, also released today, 71 percent of applications contain components with known security flaws classified as severe or critical and an alarming 76 percent of all organizations have no component management policies in-place. These applications increasingly represent a rich attack vector for hackers, forcing companies to rethink how they should manage risk in the age of agile, component-based software development.

Now with Sonatype’s new CLM platform, software developers can continue to go fast while also delivering secure software. By uniquely identifying components, making it easy to fix flaws early, and enforcing policy at every phase of the software development lifecycle, Sonatype CLM eliminates security and other risks in OSS. Productivity is increased and security is ensured.

“The software industry lacks the tools to manage the intricacy and risk associated with a complex and distributed software supply chain. When coupled with agile development practices, enterprises are finding themselves with massive, unmanaged risk,” said Wayne Jackson, CEO of Sonatype. “With Sonatype CLM, we are fundamentally changing the dynamics in software development and stripping away the risk in using open source – helping developers go fast, without introducing risk into their applications or stalling the development process.”

Recognizing Sonatype’s leadership in modern software development, investors led by New Enterprise Associates (NEA), completed a $25 million round in July 2012 that included all previous investors: Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures. CLM addresses the security needs of the custom application development market estimated at $86 billion globally.

Sonatype is uniquely positioned to solve the component security problem as the caretaker of the Central Repository, the industry’s primary source for open-source components, serving more than eight billion requests per year from more than 70,000 organizations. The company has been a pioneer in component-based software development since its founding by Jason van Zyl, the creator of the Apache Maven build management system and Sonatype’s Central Repository.

“Usage of older, outdated and vulnerable libraries and frameworks, whether by mistake or by design, represent a significant threat to enterprise IT software supply chain integrity.” – Neil MacDonald and Ray Valdes, Analyst(s), Gartner Inc., from the Maverick Research report, Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned, Oct. 5, 2012

New Development Paradigm, New Approach to Security and Risk Mitigation 
Until now, there has been no practical way to automate governance of open-source component usage throughout the software lifecycle or eradicate flawed components from production applications. Sonatype CLM breaks down the conventional walls that exist between developers tasked with producing more features faster, and security and risk mangers concerned with protecting the IT infrastructure and organization as a whole. Sonatype CLM is the first solution to deliver component information, controls, and remediation options directly into the tools that developers use every day. This enables software development, corporate governance, and risk management to work together to eliminate exposure to risk, improve development velocity and maintain the integrity of the software supply chain.

“Today’s software assembly model calls for extending defense-in-depth to the application layer and throughout the development lifecycle,” said Jason van Zyl, CTO and Founder of Sonatype. “Sonatype CLM is a new approach to exposing, avoiding and eliminating risk and is the first product designed to address the needs of both application development and security and risk management.”

Sonatype CLM is comprised of three, key functional areas:
• CLM Server: Provides a central facility for active risk assessment and management across development environments, applications and teams.
• CLM for Development: Informs and governs the software supply chain by validating, authenticating, securely delivering, and monitoring component security, popularity and licensing information throughout the development lifecycle. It offers developer-friendly policy enforcement and early flaw detection and prevention.
• CLM for Continuous Monitoring: Ensures the security and integrity of the components that make up critical applications by providing a complete component and application bill-of-materials inventory and a fast-path to discovering and fixing at-risk applications.

Sonatype CLM is an open platform designed to work with any programming language, to integrate with complimentary technologies such as source code analysis tools, and to act upon existing sources of component and application metadata. Sonatype CLM is designed for flexible implementation that can be adapted to the priorities of any organization – enabling enforceable open-source risk management, flaw discovery early in the development cycle, and straight-forward paths to flaw remediation.

“After 10 years of slowly getting farther and farther behind, software assurance is now largely incompatible with modern software development,” said Jeff Williams, one of the world’s foremost experts on application security, founder of Aspect Security, and founding member of the Open Web Application Security Project (OWASP). “Most applications don’t get any security attention during their lifespan, but the lucky ones get a few penetration tests from an external team of security specialists. These teams identify a few vulnerabilities, hand them off to the development team to fix, and then move on to the next job — without influencing the culture or the software trajectory at all.”

“Sonatype is sitting on a golden opportunity in the form of an unprecedented amount of leverage. If more than 80 percent of enterprise software does indeed contain open-source components, and those can not only be sourced from a validated repository, but also updated by the developer to more secure versions with a few mouse clicks – well, you do the math,” said Wendy Nather, Research Director, Enterprise Security Practice at 451 Research. “Short of parachuting in crack programming SWAT teams, there will probably be no easier way for enterprises to improve the security of their existing code at something approaching both low cost and large scale.”