Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code.
Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.
The product is actually
For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index.
The company gathers this information from a variety of public sources, says Sonatype CEO Wayne Jackson.
While it isn't as highly curated as the company's commercial offerings, it does offer a layer of protection that most individual developers or small shops wouldn't normally have access to.
After a developer installs DepShield, it checks a code commit in GitHub against the known vulnerabilities in the OSS Index and gives recommendations on how to proceed.
The company's commercial offerings include a policy engine to automate remediation.
The free version simply lets developers know if there are issues, and they can go back and fix them if need be.
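The check described above is, at its core, a match of the dependencies declared in a commit against a database of known-vulnerable versions. The following is an added example illustrating that idea, not DepShield's or Sonatype's code: it parses a pinned `requirements.txt`, normalizes package names, and compares each pinned version against a small local vulnerability list. The manifest and the vulnerability records are constructed placeholders, not OSS Index data.

```python
"""Toy dependency checker illustrating the DepShield idea.

Added example, not Sonatype's code. The manifest and the vulnerability
records below are constructed samples; the advisory ids are placeholders.
"""
import re

# Constructed sample: a dependency manifest as it might appear in a commit.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.19.1
flask==1.0.2   # pinned
PyYAML==3.12
urllib3>=1.20
"""

# Constructed sample vulnerability index keyed by normalized package name.
# Each record names the first fixed version; anything older is affected.
SAMPLE_INDEX = {
    "requests": [{"id": "EXAMPLE-0001", "fixed_in": "2.20.0",
                  "advice": "upgrade to >=2.20.0"}],
    "pyyaml":   [{"id": "EXAMPLE-0002", "fixed_in": "4.1",
                  "advice": "upgrade to >=4.1"}],
}


def normalize_name(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple (enough for this demo)."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Return {normalized_name: pinned_version} for exactly pinned (==) lines.

    Comments and blank lines are ignored. Unpinned specifiers are skipped,
    since an exact version is needed to match against fixed-in boundaries.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)$", line)
        if not match:
            continue
        deps[normalize_name(match.group(1))] = match.group(2)
    return deps


def find_known_issues(deps, index):
    """Report every (package, version) that is older than a record's fixed_in."""
    findings = []
    for name, version in deps.items():
        for record in index.get(name, []):
            if parse_version(version) < parse_version(record["fixed_in"]):
                findings.append({
                    "package": name,
                    "version": version,
                    "id": record["id"],
                    "advice": record["advice"],
                })
    return findings


def check_commit(requirements_text, index=SAMPLE_INDEX):
    """Full pipeline: manifest text in, list of findings out."""
    return find_known_issues(parse_requirements(requirements_text), index)


if __name__ == "__main__":
    for finding in check_commit(SAMPLE_REQUIREMENTS):
        print(f"{finding['package']}=={finding['version']}: "
              f"{finding['id']} ({finding['advice']})")
```

A real checker would query a live index and handle version ranges and non-numeric versions; the structure (parse the manifest, normalize names, compare versions against advisory boundaries, attach remediation advice) is the same.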
"What DepShield and OSS Index are doing is allowing the developers at the front lines to be able to see what's happening inside their applications and fix the vulnerabilities directly," Jackson said.
Vulnerability listed in OSS Index (Screenshot: Sonatype)
As for the differences between the commercial and free products, Jackson says it's a matter of scale.
"The way you manage a single application or handful of applications as a developer is different than how you might approach it if you're a CISO or a governance organization for thousands of applications," he explained.
The latter requires a higher level of automation than the former because of the sheer number of applications involved.
DepShield offers the 28 million developers using GitHub access to a baseline level of protection by identifying a set of known vulnerabilities in their applications before they make them public.
Jackson says that GitHub's role is evolving.
Today, it's not only a tool for committing your code, it has also become a place to do issue tracking and code reviews, and he believes that as such, a product like DepShield is a natural fit.
Known issues list in DepShield (Screenshot: Sonatype)
DepShield is available starting today in the Security section of the GitHub Marketplace, and developers can download and install it for free.
Sonatype, which is based in Maryland, launched in 2008 and has raised almost $75 million, according to data on
Its most recent funding round was in 2016 for $30 million.
Microsoft acquired GitHub in June for $7.5 billion.