@ecammtweets Ok, good to know! I can move to the next stage of grief now. Let me know if there are any former user meetups where we can all stare glumly at the punch bowl. :P
@ecammtweets Big fan of iGlasses. Any plans to update it to work with recent Mac OS versions? Mine loads but does nothing, and no apps seem to find it as a camera.
@Zoom Please add an affordance to this invisible button, every time I move the Zoom window on my desktop I turn off screen sharing without realizing it.
I’ve spent much time thinking about why organizations struggle to understand the implications of the rise in malicious OSS compared to typical vulnerabilities.
It ultimately comes down to psychology. In this article, I explore the psychological barriers that prevent effective action against these threats.
https://t.co/eVcgU9s6iJ
A stark reminder from the attack on XZ & liblzma: It's more than a vulnerability, it's a calculated assault on the stretched open-source infrastructure of our digital world. Read my full take on the implications, actions you can take and the urgent call for collective vigilance.
https://t.co/MA62t2rI3o
make direct, unprotected public registry access a real risk. Older supply chain attacks were trying to sneak a bad library into production, but newer attacks are targeting development secrets and infrastructure. Hard to develop securely when half the dev boxes have been owned!
@Aaronontheweb, useful video, thanks for posting. What we'd normally recommend is that the policy for legitimate component sources be centralized, rather than implemented at a per-project level. Make it completely transparent to project teams so it can't be skipped or forgotten.
I think these two can be used in combination with each other, but one issue you might run into is that JFrog can actually work to the detriment of some of NuGet's security features.
For instance, if your apps ONLY install packages from your local JFrog feed which itself proxies packages from multiple upstreams, you're still susceptible to spoofing attacks that package source mapping would effectively prevent. That same type of security feature would also need to exist in JFrog's feed proxying infrastructure to provide the same level of protection.
We've changed our stance over the years, we now recommend actually blocking developer access to public registries and force everyone through the proxy. We used to think of that as draconian, but the explosion of supply chain attacks in volume and variety—
📢 Today marks a new era! Introducing SBOM Manager - the industry's first integrated system of record for managing SBOMs! A powerful, one-stop shop for easy, cost-effective, and compliant #SBOM management, monitoring, and distribution. https://t.co/615NV7LuT0
I don't cry that often, but every now and again I hit ⌘ + Option + m to add a comment to a Google doc in view-only mode. Chrome handles that as a request to minimize all fifty of my browser windows across five desktops and dump them in the Dock bar. T_T
Well, the CRA passed through committee in a way that will avoid further discussion. There's zero chance they knew there were still significant issues and yet here we are.
Read more: https://t.co/BsBE26GY3L
Current status:
CERN uses Nexus as a package repository. They then have a proxy that merges the internal repository with the index on PyPI. One issue they had to take care of is dependency confusion, where a library with the same name is present on PyPI as well as the internal repository.
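The two situations above (a proxy that merges several upstreams behind one feed, versus package source mapping that pins each name pattern to exactly one source) can be compared in a few lines. The following Python is an added illustration, not code from any of the posters, from NuGet, Nexus or JFrog; the feeds, package names and versions are constructed, and the "most specific pattern wins" rule is an assumption modelled loosely on NuGet package source mapping. It shows why a merged proxy can be talked into serving a public package that shadows an internal one, while a mapped resolver refuses to fall back to another source.

```python
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple

# Constructed sample feeds (not real registries or packages). The internal feed
# holds private packages; the public index has a same-named "contoso.billing"
# published with a deliberately high version, the classic dependency-confusion shape.
INTERNAL: Dict[str, str] = {"contoso.auth": "1.4.0", "contoso.billing": "2.0.1"}
PUBLIC: Dict[str, str] = {
    "newtonsoft.json": "13.0.3",
    "contoso.billing": "99.0.0",
    "serilog": "3.1.1",
}
SOURCES: Dict[str, Dict[str, str]] = {"internal": INTERNAL, "nuget.org": PUBLIC}

# Source mapping: each name pattern may only be served by one named source.
MAPPING: Dict[str, str] = {
    "contoso.*": "internal",  # all company packages must come from the internal feed
    "*": "nuget.org",         # everything else comes from the public index
}


def allowed_source(package: str, mapping: Dict[str, str] = MAPPING) -> Optional[str]:
    """Return the single source allowed to serve `package` under `mapping`.

    Assumption: when several patterns match, the most specific one wins,
    approximated here as the longest matching pattern. Matching is case-insensitive.
    """
    name = package.lower()
    hits = [pat for pat in mapping if fnmatchcase(name, pat.lower())]
    return mapping[max(hits, key=len)] if hits else None


def resolve_mapped(package: str) -> Optional[Tuple[str, str]]:
    """Resolve with source mapping: look only at the mapped source, never fall back."""
    src = allowed_source(package)
    if src is None:
        return None
    version = SOURCES[src].get(package.lower())
    return (src, version) if version else None


def _version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple (constructed versions are numeric)."""
    return tuple(int(part) for part in version.split("."))


def resolve_merged_proxy(package: str) -> Optional[Tuple[str, str]]:
    """Naive proxy that merges all upstreams and, like a normal client, picks the highest version."""
    name = package.lower()
    candidates = [(src, feed[name]) for src, feed in SOURCES.items() if name in feed]
    if not candidates:
        return None
    return max(candidates, key=lambda c: _version_key(c[1]))


def confusable_names(mapping: Optional[Dict[str, str]] = None) -> list:
    """Internal package names that also exist publicly and would be served from the
    public index: by a merged proxy when mapping is None, otherwise under `mapping`."""
    flagged = []
    for name in INTERNAL:
        if name not in PUBLIC:
            continue
        served_by = (
            resolve_merged_proxy(name)[0] if mapping is None else allowed_source(name, mapping)
        )
        if served_by != "internal":
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in ("contoso.billing", "contoso.auth", "serilog"):
        print(f"{pkg:16} merged proxy -> {resolve_merged_proxy(pkg)}  mapped -> {resolve_mapped(pkg)}")
    print("confusable via merged proxy:", confusable_names())
    print("confusable under MAPPING:   ", confusable_names(MAPPING))
```

Run stand-alone, the script shows `contoso.billing` resolving to the public 99.0.0 copy through the merged proxy but to the internal 2.0.1 copy under the mapping, and `confusable_names()` is the check to run periodically against whatever internal feed is in use: any name it returns is a collision that only a mapping (or an equivalent rule inside the proxy) protects against.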