
Sonatype Acquires Vor Security to Expand Nexus Open-Source Component Support


In June, Sonatype announced the acquisition of Vor Security to extend their open-source component intelligence solutions’ coverage to include Ruby, PHP, CocoaPods, Swift, Golang, C, and C++.

Sonatype, well known as the creators of artifact repositories Apache Maven and Nexus, have extended their previously Java-, JavaScript-, .NET- and Python-centric component intelligence capabilities to include the new open-source ecosystems. The new capabilities are packaged in a new product, Nexus Lifecycle XC, and, like the existing Nexus Lifecycle product, are delivered via the Nexus IQ server.

Vor Security founder and CEO Ken Duck was responsible for creating the OSS Index, a free online index of known open-source software vulnerabilities. The index currently contains over 2.1 million packages and information on more than 120,000 vulnerabilities across a number of open-source ecosystems. Duck will join the product and engineering team at Sonatype.

Matt Howard, Sonatype CMO, told InfoQ:

Organisations value precision and accuracy in a DevOps context as well as breadth of coverage. This acquisition allows us to put more space between commodity products that tend to create high levels of false-positives – this acquisition tackles the criticism that we are narrow in our scope and broadens our capability. This is a win-win component intelligence engine. DevOps customers can comfortably break builds knowing the intelligence is right and waterfall customers can generate a bill of materials. We won’t be resting on our laurels – we’ll keep on investing time to curate the data for all these ecosystems and keep developing precision and accuracy. Initially, Nexus XC will be a free stock intelligence service available to Nexus Lifecycle customers.

The DevOps movement has spawned a subset, DevSecOps, whose concerns include shifting security left in the software development and delivery lifecycle and making security part of everyone’s job. Tools like Nexus Lifecycle allow developers to receive component intelligence in their integrated development environments (IDEs) as they compose applications, and to make informed changes that reduce the number of vulnerable components reaching production platforms.
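The "break the build" and "bill of materials" use cases mentioned above come down to matching the components an application declares against a vulnerability index and applying a policy threshold. The following is an added illustration of that gate, not Sonatype, Nexus IQ or OSS Index code: the vulnerability feed, the package URLs in the bill of materials and the vulnerability IDs are all constructed placeholders, and the version-range logic is a deliberately simple numeric comparison rather than any real product's matching rules.

```python
"""Added example (not Sonatype/Nexus/OSS Index code): a minimal build gate that
checks a bill of materials (package URLs) against a vulnerability feed and
decides whether the build should break. All data here is constructed."""
from typing import Dict, List, Tuple

# Constructed vulnerability feed keyed by (ecosystem, package name).
# IDs are placeholders, not real advisories; "fixed" is the first safe version.
VULN_FEED: Dict[Tuple[str, str], List[dict]] = {
    ("gem", "rack"): [
        {"id": "PLACEHOLDER-0001", "introduced": "2.0.0", "fixed": "2.0.6", "severity": "high"},
    ],
    ("composer", "monolog/monolog"): [
        {"id": "PLACEHOLDER-0002", "introduced": "1.0.0", "fixed": "1.12.0", "severity": "medium"},
    ],
    ("golang", "github.com/example/lib"): [
        {"id": "PLACEHOLDER-0003", "introduced": "1.0.0", "fixed": "1.2.0", "severity": "critical"},
    ],
}

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v2.0.6' or '2.0.6-beta' into (2, 0, 6). Pre-release suffixes are
    dropped and non-numeric components compare as 0 (a simplification)."""
    core = v.lstrip("v").split("-")[0]
    parts = []
    for p in core.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split a package URL such as pkg:gem/rack@2.0.3 into (type, name, version).
    rpartition on '@' keeps scoped names like @scope/name intact."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    body = purl[len("pkg:"):]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    return ptype, name, version


def is_affected(version: str, vuln: dict) -> bool:
    """A version is affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(vuln["introduced"]) <= v < parse_version(vuln["fixed"])


def evaluate_bom(bom: List[str], fail_on: str = "high") -> Tuple[bool, List[dict]]:
    """Return (should_break, findings). The build breaks if any finding has
    severity at or above `fail_on`; lower findings are still reported."""
    threshold = SEVERITY_ORDER.index(fail_on)
    findings = []
    for purl in bom:
        ptype, name, version = parse_purl(purl)
        for vuln in VULN_FEED.get((ptype, name), []):
            if is_affected(version, vuln):
                findings.append({"purl": purl, "id": vuln["id"], "severity": vuln["severity"]})
    should_break = any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings)
    return should_break, findings


# Constructed bill of materials: an affected gem, a PHP package on its fixed
# version, and a Go module past the affected range.
SAMPLE_BOM = [
    "pkg:gem/rack@2.0.3",
    "pkg:composer/monolog/monolog@1.12.0",
    "pkg:golang/github.com/example/lib@1.2.3",
]

if __name__ == "__main__":
    broken, found = evaluate_bom(SAMPLE_BOM)
    for f in found:
        print(f"{f['severity']:8} {f['id']} {f['purl']}")
    print("BUILD FAILED" if broken else "build ok")
```

The threshold parameter is what makes the same data serve both audiences in the quote above: a DevOps pipeline can run `evaluate_bom(bom, fail_on="high")` and fail fast, while a team that only wants a report can set the threshold to `"critical"` and still keep the full findings list as its bill of materials annotation.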

Details of the financial terms of the acquisition have not been disclosed.
