Sonar Acquires Tidelift to Enhance Open-Source Security and Supply Chain Management

 SonarSource SA, operating as Sonar, has signed an agreement to acquire Tidelift Inc., a company that manages open-source components. The terms of the deal were not disclosed. Sonar, known for its tools that check software code for bugs, inconsistencies, and security flaws, aims to enhance its software supply chain security offerings by including open-source libraries.


Harry Wang, Sonar’s vice president, stated that the acquisition would expand Sonar’s capability to provide verified open-source software vulnerability intelligence to developers. Open-source software is prevalent in commercial products, but it is also susceptible to security compromises. Tidelift improves open-source security by paying maintainers to follow secure development practices, making them more likely to implement critical security measures.


Sonar focuses on helping organizations secure their own software, and the acquisition will likely extend these services to open-source projects. Tidelift, founded in 2017, has a strong background in open-source development, with co-founders who have significant experience in the field.


Sonar plans to continue offering Tidelift’s services without disruption and will provide further details in early 2025. New capabilities for SonarQube, Sonar’s core platform, are expected to be announced in the first half of 2025, covering all code, including open-source and third-party libraries.

https://siliconangle.com/2024/12/17/sonar-acquires-open-source-security-specialist-tidelift/

Comments

Post a Comment

Popular posts from this blog

Endor Labs Announces Integrated SAST Offerings

 Endor Labs recently announced that their Static Application Security Testing (SAST) toolset will be integrated into their platform, enhancing software security. This offering aims to help developers identify and fix code vulnerabilities earlier in the development cycle. By combining SAST with dependency management, Endor Labs provides a streamlined approach to managing and securing both custom code and third-party dependencies in a unified platform, which can improve efficiency and reduce security risks. For more details, you can read the full article  .
Read more

OWASP Releases Enhanced Dependency-Check Tool with Advanced Tagging and Policy Management Features

 OWASP has released an updated version of its dependency-check tool, version 4.12.0, which identifies vulnerabilities in third-party software components, enforces policy compliance, and generates a CycloneDX-based Software Bill of Materials (SBOM). Key updates include enhanced tag features for improved control over security alerts and SBOM validation, a new tag management view, a global policy violation audit view, and authorization for security status badges. These changes offer more granular control over managing third-party dependencies, though experts note that managing software risk remains an ongoing challenge despite these improvements. https://securityboulevard.com/2024/10/owasps-dependency-check-tool-update-key-changes-and-limitations/ ps.  I think Security Boulevard (https://securityboulevard.com/) is a little bit confused here. https://securityboulevard.com/2024/10/owasps-dependency-check-tool-update-key-changes-and-limitations/ The original news links to Dependency...
Read more

The Hidden Cost of DevSecOps: Time and Financial Burden of Security on Developers

 A survey by JFrog, "The Hidden Cost of DevSecOps: A Developer’s Time Assessment," reveals that developers spend a significant amount of time on security-related tasks, costing companies around $28,000 per developer annually. Half of senior developers and team leaders report a notable increase in weekly hours dedicated to security tasks like manual application scans, context switching, and secrets detection. This time detracts from innovation and delivering new applications. JFrog’s CTO, Asaf Karas, emphasized the inefficiency caused by juggling multiple tools and environments, advocating for streamlined security processes to boost efficiency and reduce risks. Many developers spend 19% of their weekly hours on security tasks, often outside regular work hours, resulting in a reactive approach to security. https://informationsecuritybuzz.com/the-hidden-price-of-devsecops/
Read more