Vor Security Brings OSS Index to Sonatype

OSS Index is a data aggregation feed which focuses on coverage of software security vulnerabilities. See how Sonatype is making use of OSS Index.

by Brian Fox · Jul. 28, 17 · News

Our data research team is always on the lookout for ways to expand Nexus Lifecycle’s coverage with new sources and feeds of data. A little under a year ago, we stumbled across OSS Index.

Initially, we were intrigued by the coverage into ecosystems we had not yet fully researched. However, as we opened up a dialog and engaged in a formal relationship with Ken Duck, founder and CEO of Vor Security, the company behind OSS Index, it became apparent that this was not just another run-of-the-mill data aggregation feed.

What most people don’t realize is that much of the data reported in places like NVD lacks sufficient detail to be truly precise and actionable. Sometimes it’s even incorrect.

Security research is a specialized skill that requires a deep understanding of attack methods combined with software engineering expertise. Recognizing mistakes in reported information requires this unique skill set and can’t be fully automated. At the end of the day, a human is required to interpret the results and to ultimately determine where the vulnerability occurs. If your vendor isn’t doing this for you, then it falls to your team to deal with sifting through all the noise.

Like Sonatype, Vor understands the subtle deficiencies in the feeds commonly used by other tools and undertook an effort to produce an efficient way to correct the data and make it useful to downstream consumers. Their approach to this solution involved processes and insights that were very much aligned with our own, and that ultimately led to a human curation element as the final arbiter. Vor approached vulnerability correction and assignment from the project down to the components, which is exactly the opposite of the Sonatype approach of finding the vulnerable code and tracking it back to the released component. By merging the top-down and bottom-up approaches, we can significantly increase our vulnerability coverage.
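To make the top-down/bottom-up distinction concrete, here is an added example (not Sonatype or Vor Security code, and not a description of either product's internals) that models the two kinds of records and merges them. A project-level advisory is assigned to every artifact the project publishes with one coarse version range; a code-level record names the single artifact that ships the vulnerable code, with a narrower range. The merge keeps every advisory either feed knows about (coverage goes up), lets the more precise range win where both feeds describe the same advisory and artifact, and flags that disagreement for a human to review rather than resolving it silently. All advisory ids, coordinates, versions and feed names below are constructed placeholders.

```python
"""Merge a project-level (top-down) and a code-level (bottom-up) vulnerability
feed, then match the result against a dependency list.

Added example; not Sonatype or Vor Security code. Every record, coordinate,
version and advisory id here is constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed feed names and how much we trust their version ranges. A range derived
# from locating the vulnerable code is treated as more precise than one copied
# from a project-wide advisory onto every artifact the project ships.
PRECISION = {"project-feed": 1, "code-feed": 2}


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


@dataclass(frozen=True)
class VersionRange:
    """Half-open range [introduced, fixed); fixed=None means no fix released."""
    introduced: str
    fixed: Optional[str]

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass
class Advisory:
    advisory_id: str
    coordinate: str          # ecosystem:group:artifact, e.g. maven:org.example:core
    ranges: list
    source: str


@dataclass
class MergedAdvisory:
    advisory_id: str
    coordinate: str
    ranges: list
    sources: set = field(default_factory=set)
    needs_review: bool = False   # set when feeds disagree on the affected range


# Constructed top-down feed: one advisory for "project example", stamped onto
# both artifacts the project publishes with the same coarse range.
TOP_DOWN = [
    Advisory("EXAMPLE-2017-0001", "maven:org.example:core",
             [VersionRange("1.0.0", "1.4.0")], "project-feed"),
    Advisory("EXAMPLE-2017-0001", "maven:org.example:util",
             [VersionRange("1.0.0", "1.4.0")], "project-feed"),
]

# Constructed bottom-up feed: the vulnerable code was located and tracked to the
# artifact that actually ships it, giving a narrower range; plus one advisory
# the project-level feed does not know about at all.
BOTTOM_UP = [
    Advisory("EXAMPLE-2017-0001", "maven:org.example:core",
             [VersionRange("1.2.0", "1.4.0")], "code-feed"),
    Advisory("EXAMPLE-2017-0002", "maven:org.example:extra",
             [VersionRange("0.9.0", None)], "code-feed"),
]


def merge_feeds(*feeds) -> dict:
    """Union the feeds by (advisory, coordinate); the most precise range wins."""
    merged: dict = {}
    for feed in feeds:
        for adv in feed:
            key = (adv.advisory_id, adv.coordinate)
            current = merged.get(key)
            if current is None:
                merged[key] = MergedAdvisory(adv.advisory_id, adv.coordinate,
                                             list(adv.ranges), {adv.source})
                continue
            others = current.sources - {adv.source}
            current.sources.add(adv.source)
            if adv.ranges != current.ranges:
                # The feeds disagree: keep the more precise range, but leave a
                # marker so a human curator makes the final call.
                current.needs_review = True
                best_other = max((PRECISION[s] for s in others), default=0)
                if PRECISION[adv.source] > best_other:
                    current.ranges = list(adv.ranges)
    return merged


def match(dependencies, merged) -> list:
    """Return (coordinate, version, advisory_id, sources, needs_review) findings."""
    findings = []
    for coordinate, version in dependencies:
        for adv in merged.values():
            if adv.coordinate == coordinate and any(r.contains(version) for r in adv.ranges):
                findings.append((coordinate, version, adv.advisory_id,
                                 tuple(sorted(adv.sources)), adv.needs_review))
    return findings


# Constructed dependency list for a sample build.
DEPENDENCIES = [
    ("maven:org.example:core", "1.1.0"),   # inside the coarse range, outside the precise one
    ("maven:org.example:core", "1.3.5"),   # flagged by both feeds
    ("maven:org.example:util", "1.3.0"),   # only the project-level feed covers util
    ("maven:org.example:extra", "1.0.0"),  # only the code-level feed covers extra
    ("maven:org.example:extra", "0.8.2"),  # predates the vulnerable code
]


def run_example() -> list:
    return match(DEPENDENCIES, merge_feeds(TOP_DOWN, BOTTOM_UP))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running it flags three of the five dependencies: core 1.3.5 (both feeds, marked for review because their ranges differ), util 1.3.0 (project-level feed only) and extra 1.0.0 (code-level feed only). Core 1.1.0 is not flagged, because the code-level range says the vulnerable code arrived in 1.2.0; the project-level feed alone would have reported it as a false positive. The precedence rule is an assumption of this example, not a statement of how either company's curation works.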

Sonatype’s roots are in open source, starting with the early days of Apache Maven. In addition to serving as the providers and caretakers of The Central Repository for over 10 years and creating M2Eclipse and many other projects, we have long made our tooling, such as Nexus Repository Manager, available to open source projects and forges for free. This desire to do the right thing by the community, to make a difference, and to leave things better than we found them is another common bond we share with Vor Security.

Bringing Vor into the Sonatype fold will immediately allow us to increase ecosystem coverage, and OSS Index provides us a platform to accelerate innovation in the area of open source security research. We are pleased to welcome Vor Security to Sonatype.

Published at DZone with permission of Brian Fox, DZone MVB. See the original article here.
