
The profile is currently unclaimed by the seller. All information is provided by CB Insights.

sonatype.com

Founded Year

2008

Stage

Acq - Fin | Alive

Total Raised

$147.6M

Mosaic Score

+40 points in the past 30 days

What is a Mosaic Score?
The Mosaic Score is an algorithm that measures the overall financial health and market potential of private companies.

About Sonatype

Sonatype provides component lifecycle management technologies, intelligent tools and information services. On November 18, 2019 Sonatype was acquired by Vista Equity Partners, the terms of the agreement were not disclosed.

Sonatype Headquarter Location

8161 Maple Lawn Blvd Suite 250

Fulton, Maryland, 20759,

United States

301-684-8080


Research containing Sonatype


CB Insights Intelligence Analysts have mentioned Sonatype in 1 CB Insights research brief, most recently on Aug 24, 2021.

Expert Collections containing Sonatype

Expert Collections are analyst-curated lists that highlight the companies you need to know in the most important technology spaces.

Sonatype is included in 2 Expert Collections, including Tech IPO Pipeline.

Tech IPO Pipeline (286 items)

Cybersecurity (4,886 items)

Sonatype Patents

Sonatype has filed 19 patents.

The 3 most popular patent topics include:

  • Application programming interfaces
  • Computing platforms
  • Java platform

Application Date: 11/25/2015

Grant Date: 1/21/2020

Title:

Related Topics: Software design patterns, Software testing, Software design, Software distribution, Computer security

Status: Grant

Latest Sonatype News

7 top software supply chain security tools

May 11, 2022

These tools will help identify vulnerabilities and threats posed by third-party code through software composition analysis and SBOM creation.

As the fallout from the Apache Log4j vulnerabilities earlier this year shows, the biggest risks in enterprise software today are not necessarily in insecure code written directly by in-house software development teams. The flaws in the components, libraries and other open-source code that make up the bulk of today’s software code bases are the underwater part of the insecurity iceberg. The truth is that much of the enterprise software and custom applications produced by DevOps teams and software engineering groups is not actually coded by their developers. Modern software is modular. Developers use what is called a microservices architecture to make new applications by constructing them much like a Lego house—using blocks that are made of premade code. Rather than reinventing the wheel every time they need their application to perform a common function, developers root around in their proverbial box of blocks to find just the right one that will do what they need without a lot of fuss.

That box is today’s ever-expanding software supply chain, a sometimes very informal source of code that flows from the millions of GitHub repositories and open-source projects online today. It consists of components and libraries used in myriad applications and in the underlying application and development infrastructure used to construct modern development pipelines. Of course, the programs provided by this supply chain aren’t really bricks and they don’t always interlock perfectly, so developers create custom code to glue all those pieces together. In fact, many then turn those creations into yet more open-source projects for others to solve similar problems, which is one reason why the software supply chain keeps growing.

Applications built with third-party code

A modern application is mostly made up of third-party code. According to Forrester, the percentage of open-source code that makes up an average application’s code base rose from 36% in 2015 to 75% in 2020. It’s a faster, more scalable way to develop quickly, but like all technology innovation it comes with added cyber risk unless proper care is taken. It’s the dirty little secret of the development world that the components co-opted from today’s software supply chain can very easily be out of date and riddled with vulnerabilities. Making things even more complicated is the fact that flaws are often nested together, as different projects may have dependencies on others in the supply chain. Sometimes the flaws can even be purposely added by attackers who intentionally seed open-source software with vulnerabilities.

The vulnerabilities introduced by the software supply chain can be like hidden cybersecurity landmines in enterprise software, particularly when organizations do nothing to formally govern how their developers use the software supply chain. Many organizations barely even track—let alone vet or manage—the kinds of components, libraries, and developer tools that go into or produce the code that their developers commit. According to a study released by the Linux Foundation, fewer than half of organizations use a software bill of materials (SBOM) that tracks exactly what goes into their applications from the software supply chain. Creating an SBOM is foundational for supply chain security, alongside open-source governance and securing the infrastructure-as-code elements that touch applications throughout the SDLC. The following is a list of tools that help accomplish this, with a heavy emphasis on software composition analysis (SCA) tools that focus specifically on developing SBOMs, raising visibility into what goes into software and remediating flaws in the components that are the building blocks of software today.

Top supply chain security tools

Contrast Security

Known best for its Interactive Application Security Testing (IAST) technology, which detects vulnerabilities in applications via an agent running on the application server, Contrast Security provides SCA capabilities as part of a full slate of testing in its open platform, which also does dynamic application security testing (DAST), static application security testing (SAST), runtime application self-protection (RASP), and serverless security checks on AWS Lambda infrastructure. The tooling can not only generate an SBOM but also contextualize flaws across the various ingredients that make up an application by visualizing application architecture, code trees and message-flow information to aid in threat modeling and remediation. Open-source governance is embedded within modern development workflows and tooling, and Contrast’s bread and butter is in bridging the divide between developers and security teams, making it a major player in the DevSecOps market.

ShiftLeft

A relative newcomer in this field, ShiftLeft is designed to fit into the development workflow of forward-thinking DevOps teams. The core value is in bringing together SCA and SAST into a single scan that’s run when a developer makes a pull request. The technology uses a technique the company calls Code Property Graph (CPG) to map out dependencies and data flows across custom code, open-source libraries, SDKs and APIs, seeking out not only flaws across the entire application—including its open-source components—but also logical app weaknesses. Supply chain flaws are prioritized by susceptibility to attack using a “reachability” index that’s inserted into the SBOM and puts each flaw in the context of how attackable the component is based on how it is used in the application.

Snyk

Snyk is a cloud-native, developer-centric set of tooling that’s purpose-built for DevSecOps and cloud-native development shops. Best known for its SCA and container security scan capabilities, it also offers SAST and API vulnerability testing. In February 2022 the company purchased Fugue, a cloud security posture management company. As Gartner explained, its blend of offerings across infrastructure-as-code security, container security, and application security is representative of the fact that “application and infrastructure layers increasingly blur together.” It’s usually bought on the developer side but is worth a look for CSOs and security staff seeking to move toward a democratized model of developer-run security testing and remediation.

Sonatype Nexus

One of the longest-running offerings in the SCA market, Sonatype was billing itself as a “software supply chain security” company long before the term was sneaking its way into the titles of security conference and webinar sessions. The heart of the Sonatype Nexus platform is its capabilities for creating detailed SBOMs and policy management. Forrester analysts say, “Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards and a policy engine that allows users to create and assign policies to certain types of applications.” Policies can be applied not only to what goes into the code but also to managing the security and configuration of the surrounding infrastructure as code and containers that are used to develop and deploy applications. Sonatype also offers repository management to provide a single source of truth for all components, binaries, and build artifacts. Nexus’s visualization of component history and Sonatype’s customer service are also called out by the analysts as its big strengths. Last year Sonatype also picked up MuseDev in an acquisition that helped it build out its Sonatype Lift capabilities, which provide dev-friendly code quality analysis during code review.

Synopsys Black Duck

Synopsys’ Black Duck SCA tool does four types of analysis—dependency, codeprint, binary and snippet—to track and manage the components used within an organization’s software. Synopsys recently improved Black Duck’s SBOM creation capabilities to include BLANK. In addition to creating bills of materials, the tool also performs automated policy management. Black Duck is part of the broader portfolio of AppSec tools offered by Synopsys, which Gartner named as a leader in its Application Security Testing Magic Quadrant. The open platform model it uses to deliver SCA alongside DAST, SAST, penetration testing, fuzzing and a range of other testing capabilities is a key value proposition. It “makes Synopsys a good fit for organizations with complex, multiteam development, using a mix of development styles and programming technologies,” says Gartner.

Veracode

A longtime powerhouse in the traditional appsec testing market with a mature SaaS product that has long dominated the SAST and DAST arenas, Veracode has in the last few years been investing heavily in SCA. Following its acquisition of SourceClear in 2018 there was some bifurcation between its homegrown SCA capabilities and what it offered through SourceClear, but Veracode Software Composition Analysis is now a single product available through the platform. “Veracode’s roadmap focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC [Infrastructure as Code] security capabilities,” explain Forrester analysts. They say the high points for Veracode are its remediation reports and dependency graphing. The biggest point of friction, they noted, was the difficulty of integrating it into developer workflows.

WhiteSource Software

A big highlight of WhiteSource Software’s SCA tooling is its developer-friendly remediation of component security issues, including alerting on and fixing out-of-date and malicious components. “WhiteSource’s thought leadership is focused on remediation and prioritization,” wrote Forrester analysts, who deem this vendor a leader in the SCA space. “WhiteSource offers differentiating features, including a browser plugin to help avoid problematic components and removing unreachable vulnerabilities from the developer’s queue to improve developer experience.” One point in which they say it lags is its lack of out-of-the-box policies.
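The article above ties three things together: an SBOM that records which components went into an application, an SCA pass that matches those components against known vulnerabilities (including flaws nested in transitive dependencies), and a policy that decides which findings should stop a build. The following is an added example written for this page, not code from the article or from any of the vendors it names. It walks a constructed CycloneDX-style SBOM, matches components against a constructed advisory feed (the `acme:*` package names and `EXAMPLE-*` advisory ids are placeholders, not real packages or CVEs), records whether each vulnerable component was pulled in directly or through another dependency, and applies a minimal severity-threshold policy.

```python
"""Added example (not from the article or any vendor's product): a minimal
software-composition-analysis pass over a CycloneDX-style SBOM.

All inputs are constructed sample data; package names and advisory ids are
placeholders and do not refer to real projects or real vulnerabilities."""

import json
from typing import Dict, List

# Constructed SBOM in the shape CycloneDX 1.4 JSON uses: a list of components
# plus a dependency graph keyed by bom-ref. "acme:*" packages are fictional.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "shop-api", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/acme/web-core@2.3.0", "name": "acme:web-core", "version": "2.3.0"},
        {"bom-ref": "pkg:maven/acme/json-util@1.1.0", "name": "acme:json-util", "version": "1.1.0"},
        {"bom-ref": "pkg:maven/acme/log-shim@0.9.4", "name": "acme:log-shim", "version": "0.9.4"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/acme/web-core@2.3.0", "pkg:maven/acme/json-util@1.1.0"]},
        {"ref": "pkg:maven/acme/web-core@2.3.0", "dependsOn": ["pkg:maven/acme/log-shim@0.9.4"]},
        {"ref": "pkg:maven/acme/json-util@1.1.0", "dependsOn": []},
        {"ref": "pkg:maven/acme/log-shim@0.9.4", "dependsOn": []},
    ],
})

# Constructed advisory feed (placeholder ids, not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "name": "acme:log-shim", "affected": ["0.9.4", "0.9.5"],
     "severity": "critical", "fixed_in": "0.9.6"},
    {"id": "EXAMPLE-2022-0002", "name": "acme:json-util", "affected": ["1.1.0"],
     "severity": "medium", "fixed_in": "1.1.1"},
    {"id": "EXAMPLE-2022-0003", "name": "acme:web-core", "affected": ["2.2.0"],
     "severity": "high", "fixed_in": "2.2.1"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def dependency_paths(sbom: dict) -> Dict[str, List[List[str]]]:
    """Walk the dependency graph from the application root and record every
    path to each component, so a finding can say whether the component came
    in directly or through a transitive dependency (the "nested" flaws the
    article describes)."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths: Dict[str, List[List[str]]] = {}

    def walk(ref: str, trail: List[str]) -> None:
        for child in edges.get(ref, []):
            if child in trail:  # guard against cyclic dependency graphs
                continue
            path = trail + [child]
            paths.setdefault(child, []).append(path)
            walk(child, path)

    walk(root, [root])
    return paths


def evaluate_sbom(sbom_json: str, advisories: list, block_at: str = "high") -> List[dict]:
    """Match every SBOM component against the advisory feed and apply a
    policy: findings at or above `block_at` severity fail the build.
    Returns findings sorted by severity (most severe first)."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and comp["version"] in adv["affected"]:
                comp_paths = paths.get(comp["bom-ref"], [])
                findings.append({
                    "advisory": adv["id"],
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                    # A path of length 2 is root -> component, i.e. a direct dependency.
                    "transitive": not any(len(p) == 2 for p in comp_paths),
                    # The direct dependency that pulled this component in.
                    "introduced_via": sorted({p[1] for p in comp_paths}),
                    "blocks_build": SEVERITY_RANK[adv["severity"]] >= SEVERITY_RANK[block_at],
                })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


def build_passes(findings: List[dict]) -> bool:
    """Policy verdict: the build passes only if no finding blocks it."""
    return not any(f["blocks_build"] for f in findings)


if __name__ == "__main__":
    results = evaluate_sbom(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for f in results:
        print(json.dumps(f))
    print("build passes:", build_passes(results))
```

Run against the sample data, the pass reports the critical `acme:log-shim` flaw as transitive (introduced via `acme:web-core`) and blocking, the medium `acme:json-util` flaw as direct and non-blocking, and nothing for `acme:web-core` because the shipped version is outside the advisory's affected range. Real tooling adds version-range semantics, license checks and the kind of reachability analysis the article mentions, but the data flow is the same.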


You May Also Like

JetBrains

JetBrains is a leading developer of website and application software tools. Some of their notable products include IntelliJ IDEA (IDE for Java), ReSharper (productivity tool for .NET developers that makes Microsoft Visual Studio accessible), PyCharm (complete IDE for Python and Django), Kotlin (a semi-official language of Android) and Space, an integrated team environment that combines messaging, team and project management, internal blogs, meeting scheduling and software development processes into a single platform.

Snyk

Snyk is an open-source security platform designed to help software-driven businesses enhance developer security. Snyk's dependency scanner finds, prioritizes, and fixes vulnerabilities and license violations in open source dependencies and container images.

Replit

Replit is an online IDE that allows users to write code and build apps and websites using a browser. It was founded in 2013 and is based in San Francisco, California.

Checkmarx

Checkmarx is a developer of software solutions that identify, fix, and block security vulnerabilities in web and mobile applications. It provides a way for organizations to introduce security into their software development lifecycle. On March 16th, 2020, Checkmarx was acquired by Hellman & Friedman at a valuation of $1.15B.

Jenkins

Jenkins is an open source automation server, providing hundreds of plugins to support building, deploying and automating any project.

Vector Fabrics

Vector Fabrics specializes in developing tools for the design and implementation of multicore, multi-threaded applications and embedded systems. Vector Fabrics helps programmers write software for multicore and manycore processors. Its multicore programming tools analyze the dynamic behavior of programs, detect multi-threading bugs and enable parallelism where developers never thought concurrent execution was attainable.
