Sonatype updates Repository Firewall to target open-source malware
Sonatype has announced significant updates to its Repository Firewall, designed to enhance proactive malware protection throughout the software development lifecycle for enterprises.
The enhancements are designed to help development, security, and data science teams block known and suspected malicious components at an early stage. The approach reduces the need for rework, prevents potential security incidents, and ensures consistent enforcement of policies across traditional, containerised, and artificial intelligence (AI)/machine learning (ML) environments.
Malicious open-source packages represent a particular risk within the industry, as they often bypass traditional security solutions. These packages, which Sonatype refers to as open source malware, tend to evade detection by standard perimeter tools and can enter development environments before software composition analysis tools are activated. Sonatype's Repository Firewall identifies and blocks these malicious packages before they are downloaded, minimising exposure and protecting every entry point for open source and third-party components.
As part of the new features, Sonatype Repository Firewall now integrates with Zscaler Internet Access (ZIA). This expansion delivers open source software intelligence and protection to the network perimeter. The combination of Repository Firewall and Zscaler is designed to prevent high-risk open source components from entering the development pipeline, giving developers increased confidence as risky elements are filtered out early.
The integration aims to address the challenge of shadow downloads, which Sonatype defines as open-source components downloaded directly from public repositories onto developer machines, thereby circumventing internal controls. According to Sonatype's data, there has been a 32.8% rise in shadow downloads throughout 2024, illustrating the expanding risk facing organisations. By enforcing security measures both at the perimeter and within developer processes, the integration with Zscaler delivers what is described as end-to-end protection against open-source malware in DevSecOps environments.
Tyler Warden, Senior Vice President of Product at Sonatype, stated, "Enterprises are doubling down on zero trust strategies, and that must include open source software and AI governance. By combining ZIA with Sonatype's intelligence-driven policy-based blocking, teams can proactively quarantine risky components at the point of ingestion, reducing attack surface, manual effort, and remediation costs — while increasing coverage and strengthening governance."
The Repository Firewall now also includes support for Docker registries, allowing organisations to extend malware and vulnerability protection to container images alongside traditional package formats. This ensures consistent security and compliance across various deployment methods, including virtual machines, Kubernetes clusters, and cloud-native architectures. Developers can receive feedback and protections, regardless of whether containers are used for testing or production deployment, all without altering their workflow.
Another addition is support for Hugging Face AI models. This feature brings the capabilities of the Repository Firewall to AI and ML components, giving teams the ability to detect and block potentially malicious or non-compliant Hugging Face models before incorporation into development workflows. Earlier this year, Sonatype researchers identified and addressed vulnerabilities in 'picklescan', a security tool on Hugging Face, which had allowed malicious AI models to evade detection.
By applying stringent checks to AI models similar to those used for traditional open-source packages, organisations can guard against emerging threats, such as malicious PyTorch pickle files and other risky model payloads that might otherwise appear harmless. With developers and data scientists increasingly adopting advanced AI tools and model libraries, the Firewall is positioned to help maintain security and compliance standards.
The firewall has also been enhanced with an automated malware detection system that works at scale. A new suite of application programming interfaces provides real-time malware insights, enabling detection and blocking of malicious components during any stage of the software development lifecycle. Organisations can automate detection and enforcement tasks across continuous integration and continuous delivery pipelines, security tools, and threat prevention platforms. This flexibility allows teams to specify how and where to restrict risky components based on their environments and risk definitions.
Sonatype reports that its Security Research Team is actively monitoring the evolving threat landscape. The company's Open Source Malware Index for the first quarter of 2025 indicates substantial growth in data exfiltration packages over the past year. Repository Firewall is intended to address these challenges without disrupting developers.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
29-05-2025
- Techday NZ
Zscaler to acquire Red Canary to boost AI-powered security ops
Zscaler has agreed to acquire Managed Detection and Response provider Red Canary as part of an expansion of its AI-powered security operations capabilities. Zscaler stated that Red Canary's decade-long expertise in security operations enables customers to investigate threats up to ten times faster with 99.6% accuracy, aided by streamlined workflows and automated remediation. This acquisition will bring Red Canary's threat detection and response across endpoints, identity, network, and cloud workloads together with Zscaler's Zero Trust Exchange Platform and Data Fabric. The companies said the combination will form a unified Security Operations Center with agentic AI that fuses AI-driven workflows and human expertise. According to Zscaler, the move is intended to help security teams improve the speed and efficiency in detecting, triaging, investigating, and responding to threats, while aiming to reduce missed signals and incomplete threat analysis that can leave organisations vulnerable. Jay Chaudhry, CEO, Chairman, and Founder of Zscaler, said: "With our innovative AI-powered risk management services like Risk360 and the acquired data fabric technology from Avalor, we are disrupting legacy security operations just like we did with our Zero Trust ExchangeTM platform. The proposed acquisition of Red Canary is a natural expansion of our capabilities into managed detection and response and threat intelligence to accelerate our vision of AI-powered SOC of the future. By integrating Red Canary with Zscaler, we will deliver to our customers the power of a fully integrated Zero Trust platform and AI-powered security operations." Zscaler reported that it provides protection to nearly 45% of the Fortune 500, running a cloud security platform that processes more than 500 billion daily transactions. Over its 15-year history, the company has developed AI-driven solutions leveraging a comprehensive dataset, such as Zscaler Digital Experience (ZDX) and Zscaler Exposure Management. Red Canary has been recognised for its contributions to managed detection and response, being named a Leader in the Forrester Wave: Managed Detection and Response for the third year running and featured in the Gartner Market Guide for MDR for the past seven years. Within security operations centres, Red Canary's technology helps automate remediation workflows, improving efficiency in response processes. Zscaler described the transaction as uniquely positioned to address operational pain points linked to missed signals and increased vulnerability from undetected threats. The companies expect that their combined platforms and expertise will provide organisations with the tools to address current cyber security challenges more confidently and with precise response capabilities. Brian Beyer, CEO of Red Canary, commented: "For over 10 years, we've protected our customers by combining high-fidelity signals with agentic AI, behavioral analytics, and global threat intelligence—delivering fast, accurate, and high-quality threat detection and response. As part of Zscaler, we will elevate how IT and security teams address the rapidly shifting threat landscape with the strength of our combined technology and expertise. Zscaler's global scale and reach provide the resources and granular data needed to fuel advanced AI, threat intelligence, and detection engineering, giving us a broader view of adversary behavior while enabling faster innovation across the board. Both companies share a relentless commitment to quality, execution, and delivering exceptional outcomes for our customers." The completion of the acquisition remains subject to customary closing conditions and regulatory approvals. The companies anticipate closing the transaction in August 2025.
Techday NZ
15-05-2025
- Techday NZ
Zoho unveils Ulaa Enterprise for secure, privacy-first browsing
Zoho has launched Ulaa Enterprise, an enterprise-focused version of its privacy-oriented browser designed to offer organisations enhanced security and granular control features without the complications of third-party solutions. The new browser addresses the increasing importance of browsers as central tools in the workplace, with employees accessing cloud-based applications and handling sensitive data through their browsers. Ulaa Enterprise is intended to provide security at the browser level, reducing the reliance on additional software or virtual environments, and aims to minimise the IT workload while improving overall protection. Raju Vegesna, Chief Evangelist at Zoho, said: "The shift to cloud-based software has made the browser the largest attack surface inside an organisation, yet no software vendor has been able to produce a secure browser that strikes the correct balance between depth of policy controls and straightforward usability. Ulaa Enterprise addresses the need for a proactive and comprehensive security solution for businesses to reduce their attack surface, keep users secure, and stay in control of their security." Security features offered by Ulaa Enterprise include centralised policy management, allowing administrators to set access controls, manage download permissions, govern extension installations, and oversee user behaviour across groups. The browser also enforces data loss prevention (DLP) at the browser layer, blocking unauthorised uploads, copy and paste actions, screen captures, and downloads of sensitive information. For IT teams, Ulaa Enterprise delivers detailed visibility and control, including access to audit logs, risk monitoring, and precision enforcement of security policies at the browser level. These measures are designed to reduce the need for reactive security responses by providing preventative defences within the browser environment itself. Thomas Wieberneit, Founder and Principal Analyst at AheadCRM, commented: "As a Ulaa user, I highly appreciate its responsiveness, compatibility, and built-in security features. With the release of Ulaa Enterprise as the front-end to business applications, Zoho now has a security stack that nearly no other tech vendor can compete with. Zoho's relentless commitment to security and privacy is part of its DNA and is unique in the industry." The browser also features integration with Zia, Zoho's AI-based automation and insights tool. Zia offers several enhancements, such as ZeroPhish, which uses AI to detect phishing attacks before users interact with malicious content, analysing URLs and web page behaviour in real-time. Zia also includes smart web categorisation, which blocks unsafe content automatically, and tab organisation, which arranges tabs based on user behaviour to improve productivity and browser management. On the usability front, Ulaa Enterprise is designed to keep IT management straightforward, without necessitating complex infrastructure or heavy virtualisation. The browser promises simple deployment, lightweight management, and instant propagation of policy changes, all without affecting end-user performance. Security monitoring is described as ethical and targeted, aiming to build employee trust while avoiding invasive surveillance. Ulaa Enterprise is built on Chromium, providing users with a familiar browsing experience, while integrating local security checks for improved speed and data protection. It is compatible with all major desktop and mobile operating systems, including support for Android and iOS devices. The release of Ulaa Enterprise comes at a time of considerable growth for the Ulaa browser, with download numbers and monthly active users reportedly increasing by a factor of 2.5 since 2023. Ulaa Enterprise is available at a price starting from USD $1 per month per device or USD $10 per year per device. Zoho highlighted its approach to artificial intelligence, stating that its AI models are not trained on consumer data and do not retain user information. The company builds AI tools focused on assisting users while resisting the urge to impose additional costs on consumers through excessive model scaling. The company reaffirmed its privacy stance, noting that it does not operate an advertising revenue model, even for free products, and manages its own data centres to retain oversight of customer data and security. According to Zoho, more than 125 million users globally, spanning hundreds of thousands of organisations, use its products daily.
Techday NZ
01-05-2025
- Techday NZ
Zoho unveils advanced AI for Creator, boosts privacy focus
Zoho has introduced ten new features and services to its low-code application development platform, Zoho Creator, with a focus on expanded artificial intelligence capabilities and user privacy. The new additions include AI-enabled intelligent process automation, enhanced app building features driven by artificial intelligence, and AI-first low-code development tools. These developments are part of Zoho's approach to integrating AI solutions that deliver real-time, practical benefits for business users, while maintaining stringent data privacy standards. With the launch of the AI assistant CoCreator, powered by Zoho's own Zia technology, Zoho Creator now enables users to build applications faster using both voice and written prompts, as well as process flows and business specification documents. The company states that these tools shorten the time it takes to bring an app from concept to deployment, with no additional fees passed on to existing subscribers. Zoho Canada's Managing Director Chandrashekar LSP said, "Since Creator's introduction in 2006, the focus has been on simplifying and speeding up the app development process without sacrificing functionality. This enabled our users to launch millions of apps successfully. AI allows us to take it to another level, shortening the time from an idea to an app. Today's announcement raises the baseline on speed of quality app creation with deep capabilities, without adding costs." The new features available to users include Idea-to-App Generation, which leverages ZohoAI or OpenAI to create fully-fledged applications based on a range of inputs including text, voice prompts, workflows, and system documentation like software requirement specifications. The system also offers domain-specific suggestions, relevant fields, and modules that are customised to each customer's business context. Another update is contextual component development using AI, where forms and other app elements can be generated via prompts, and Zoho's Zia assistant can proactively recommend fields relevant to existing forms. This functionality is not present in most other low-code app tools, according to Zoho. Developers can also prompt Zia to generate contextual code blocks tailored to their application structure or optimise previously written code for performance. Data cleansing and modelling capabilities have also been expanded, enabling transformation of unstructured data from diverse sources into structured, usable app data, with AI tools removing inconsistencies and bringing order to imported information. The platform introduces AI Skills, a feature enabling applications to interpret natural language instructions, analyse business context, and perform sequences of actions automatically. Powered by Zoho's scripting language Deluge and specialised AI models, this feature is accessible on an early access basis and will be broadly available in June 2025. Additionally, Zoho Creator will offer support for deploying custom AI models, such as those for optical character recognition, prediction, and object detection, tailored to specific domain requirements. A key part of Zoho's announcement centres on its approach to AI and customer privacy. Zoho states that its AI models—across contextual, assistive, and agentic domains—are not trained on consumer data and that the organisation does not retain customer information beyond what is necessary for immediate functionality. In a statement, the company outlined its stance: "Zoho is committed to designing and incorporating artificial intelligence guided by the principles of customer privacy and value. Our generic AI models across contextual, assistive, and agentic AI, are not trained on consumer data and do not retain customer information. Zoho builds AI tools with usefulness in mind, striking a balance between providing AI technology that assists workers while right-sizing models that don't require burdening consumers with additional costs." Zoho's suite of advanced AI features for Zoho Creator is now available for users. The enhanced automation, data preparation, and application generation tools are designed to be accessible to users of various skill levels and do not require further subscription purchases.
