Product Director, Nexus Repository

Joined November 2017
Michael Prescott @ Sonatype retweeted
I’ve spent much time thinking about why organizations struggle to understand the implications of the rise in malicious OSS compared to typical vulnerabilities. It ultimately comes down to psychology. In this article, I explore the psychological barriers that prevent effective action against these threats. forbes.com/sites/forbestechc…

Michael Prescott @ Sonatype retweeted
29 May 2024
🚨 an example of an adversary trying to push their malware as a coding solution. Please be careful with any dependencies
29 May 2024
A threat actor is now advising StackOverflow devs seeking debugging help to install a 'pytoileur' #Python package as a "solution" to their code troubles. 🛑DO NOT fall for this, it's a trap—the package has encoded code hidden on line 17 via whitespaces and infects Windows users with #trojan as soon as it's installed! sonatype.com/blog/pypi-crypt… #opensource #malware
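The trick the tweet above describes is a setup.py line padded with enough whitespace that the real payload sits far past the right edge of any editor. The following is an added example of a check for exactly that pattern; it is not code from the pytoileur package, from the tweet's author or from Sonatype. The `SAMPLE_SETUP_PY` string is constructed for this example and only imitates the layout, with a harmless base64 payload.

```python
import base64
import re

# Constructed sample, modelled on the described layout: a normal-looking
# print() followed by hundreds of spaces and then the real payload. The
# base64 literal decodes to print("hidden"); it is NOT the real malware.
SAMPLE_SETUP_PY = "\n".join([
    "from setuptools import setup",
    "",
    "setup(",
    "    name='example-pkg',",
    "    version='0.1.0',",
    "    packages=['example_pkg'],",
    ")",
    "print('Thanks for installing')" + " " * 400
    + "; exec(__import__('base64').b64decode('cHJpbnQoImhpZGRlbiIp'))",
])

# Base64-looking string literals of a useful minimum length.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{16,})['\"]")
# Tokens that should never hide behind padding in a setup script.
SUSPICIOUS = ("exec(", "eval(", "__import__", "base64",
              "subprocess", "urllib", "requests", "socket")


def find_hidden_code(source: str, min_pad: int = 80):
    """Return one finding per line where a run of at least `min_pad` spaces or
    tabs is followed by visible text. Normal indentation never reaches that
    length, so anything matched has been pushed out of view on purpose."""
    pad_run = re.compile(r"[ \t]{%d,}(?=\S)" % min_pad)
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = pad_run.search(line)
        if not match:
            continue
        tail = line[match.end():]
        decoded = []
        for literal in B64_LITERAL.findall(tail):
            try:
                decoded.append(
                    base64.b64decode(literal, validate=True)
                    .decode("utf-8", "replace"))
            except (ValueError, UnicodeDecodeError):
                pass  # not actually base64; leave it to the analyst
        findings.append({
            "line": lineno,
            "pad_len": match.end() - match.start(),
            "hidden": tail,
            "suspicious": any(tok in tail for tok in SUSPICIOUS),
            "decoded_literals": decoded,
        })
    return findings


def scan_file(path: str, min_pad: int = 80):
    """Convenience wrapper for scanning an extracted sdist's setup.py."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_code(fh.read(), min_pad)


if __name__ == "__main__":
    for f in find_hidden_code(SAMPLE_SETUP_PY):
        print(f"line {f['line']}: {f['pad_len']} chars of padding, "
              f"suspicious={f['suspicious']}")
        print("  hidden :", f["hidden"])
        for d in f["decoded_literals"]:
            print("  decodes:", d)
```

Run it over the setup.py (and any `__init__.py`) of an sdist before the install hook gets a chance to execute; the padding threshold is deliberately far above any legitimate indentation so the check stays quiet on normal code.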
Michael Prescott @ Sonatype retweeted
The NVD backlog just went over 10,000 unanalysed issues
Michael Prescott @ Sonatype retweeted
A stark reminder from the attack on XZ & liblzma: It's more than a vulnerability, it's a calculated assault on the stretched open-source infrastructure of our digital world. Read my full take on the implications, actions you can take and the urgent call for collective vigilance blog.sonatype.com/cve-2024-3…
Replying to @Aaronontheweb
@Aaronontheweb, useful video, thanks for posting. What we'd normally recommend is that the policy for legitimate component sources be centralized, rather than implemented at a per-project level. Make it completely transparent to project teams so it can't be skipped or forgotten.
Replying to @patrickmagee
I think these two can be used in combination with each other, but one issue you might run into is that JFrog can actually work to the detriment of some of NuGet's security features. For instance, if your apps ONLY install packages from your local JFrog feed which itself proxies packages from multiple upstreams, you're still susceptible to spoofing attacks that package source mapping would effectively prevent. That same type of security feature would also need to exist in JFrog's feed proxying infrastructure to provide the same level of protection.
We've changed our stance over the years, we now recommend actually blocking developer access to public registries and force everyone through the proxy. We used to think of that as draconian, but the explosion of supply chain attacks in volume and variety—makes direct, unprotected public registry access a real risk. Older supply chain attacks were trying to sneak a bad library into production, but newer attacks are targeting development secrets and infrastructure. Hard to develop securely when half the dev boxes have been owned!
Michael Prescott @ Sonatype retweeted
19 Mar 2024
📢 Today marks a new era! Introducing SBOM Manager - the industry's first integrated system of record for managing SBOMs! A powerful, one-stop shop for easy, cost-effective, and compliant #SBOM management, monitoring, and distribution. bit.ly/4cnJpPU
Michael Prescott @ Sonatype retweeted
How to get started with Repository Health Check (RHC) 2.0, available in Sonatype Nexus Repository Manager 3.3: share.sonatype.social/nfjeu
I don't cry that often, but every now and again I hit ⌘ Option m to add a comment to a Google doc in view-only mode. Chrome handles that as a request to minimize all fifty of my browser windows across five desktops and dump them in the Dock bar. T_T
Michael Prescott @ Sonatype retweeted
Well, the CRA passed through committee in a way that will avoid further discussion. There's zero chance they knew there were still significant issues and yet here we are. Read more: devops.com/the-cyber-resilie… Current status:
Nothing worse than letting the wrong particles into your SDLC.
Replying to @playfulpython
CERN uses Nexus as a package repository. They then have a proxy that merges the internal repository with the index on PyPI. One issue they had to take care of is dependency confusion where a library with same name is present on PyPI as well as the internal repository
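Two replies above touch the same mechanism from different sides: the NuGet reply points out that a merging proxy feed loses what package source mapping gives you, and the CERN reply describes the resulting dependency confusion when an internal name also exists on PyPI. The following is an added example that models both cases; it is not Nexus, JFrog, NuGet or CERN code, and the index contents, package names and versions are constructed for the illustration. `resolve()` without a source map behaves like a proxy that merges all upstreams and takes the highest version; with a source map it consults only the index the name is mapped to, which is what package source mapping does client-side and what a proxy would need to do itself.

```python
from fnmatch import fnmatch

# Constructed indexes: name -> available versions, per source.
# "acme-utils" is internal but someone has also published it on the public
# index with an absurdly high version: the classic confusion setup.
INDEXES = {
    "internal": {
        "acme-auth": ["1.4.0"],
        "acme-utils": ["1.1.0", "1.2.0"],
    },
    "public": {
        "requests": ["2.31.0", "2.32.3"],
        "urllib3": ["2.2.2"],
        "acme-utils": ["99.0.0"],
    },
}

# Source map policy, first match wins: internal namespace only from the
# internal index, everything else from the public one. Hypothetical names.
SOURCE_MAP = [
    ("acme-*", "internal"),
    ("*", "public"),
]


def parse_version(version: str):
    """Minimal dotted-numeric version key; enough for the comparison here."""
    return tuple(int(part) for part in version.split("."))


def allowed_source(name: str, source_map):
    """Index that the policy permits for `name`, or None if unmapped."""
    for pattern, source in source_map:
        if fnmatch(name, pattern):
            return source
    return None


def resolve(name: str, indexes, source_map=None):
    """Return (version, source) chosen for `name`.

    source_map=None models a merging proxy: every upstream is consulted and
    the highest version wins, so a spoofed public package with a big
    version number beats the real internal one. With a source map, only the
    mapped index is searched and the public copy is never a candidate."""
    if source_map is None:
        candidates = [(parse_version(v), v, src)
                      for src, index in indexes.items()
                      for v in index.get(name, [])]
    else:
        src = allowed_source(name, source_map)
        candidates = [(parse_version(v), v, src)
                      for v in indexes.get(src, {}).get(name, [])]
    if not candidates:
        return None
    _, version, src = max(candidates)
    return version, src


def confusion_candidates(indexes, source_map):
    """Names present in an index the policy does not map them to. Each one
    is a package that a merging proxy could be tricked into serving."""
    hits = []
    for src, index in indexes.items():
        for name in index:
            if allowed_source(name, source_map) != src:
                hits.append((name, src))
    return sorted(hits)


if __name__ == "__main__":
    print("merging proxy :", resolve("acme-utils", INDEXES))
    print("source mapped :", resolve("acme-utils", INDEXES, SOURCE_MAP))
    print("confusable    :", confusion_candidates(INDEXES, SOURCE_MAP))
```

The practical check is `confusion_candidates()` run against the real internal index and a name lookup on the public registry: every hit is a name you should either claim on the public index or block at the proxy, whichever your policy allows.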
Michael Prescott @ Sonatype retweeted
Sonatype Named a Leader in The Forrester Wave™ for Software Composition Analysis securityboulevard.com/2023/0…
Michael Prescott @ Sonatype retweeted
Thrilled to share that @sonatype has been named in the 2023 Gartner Magic Quadrant for Application Security Testing (AST)! Sonatype is recognized as a key vendor for software supply chain security and software composition analysis. Read more👇 share.sonatype.social/zutyr
Michael Prescott @ Sonatype retweeted
Open source risk management - new responsibilities heading your way … "Must have a SBOM" and others - session by @sonatype @jaxcon
Michael Prescott @ Sonatype retweeted
Hit close to home recently. Releasing code to a package manager has several advantages over just tagging code in git. May seem obvious but when a vendor starts with "just build our tag" these are the reasons they should be producing a binary.
Package management in software ecosystems continues to evolve, but is it headed in the right direction? 📦 Sonatype's @devcasing explores the world of package managers in this excellent blog post: share.sonatype.social/2amm3
Michael Prescott @ Sonatype retweeted
27 Apr 2023
☎️ Hey friends, could we ask a favor? We're looking for your opinions and 10 minutes of your time. 👇 🔗 bit.ly/3UyX6mM