Sonatype updates Repository Firewall to target open-source malware

Techday NZ, 30-04-2025
Sonatype has announced a set of updates to its Repository Firewall aimed at blocking malicious open source components earlier in the enterprise software development lifecycle.
The enhancements are intended to let development, security, and data science teams block known and suspected malicious components at the point where they are first requested, rather than after they have been built into an application. Catching them there avoids rework, heads off security incidents, and lets the same policies be enforced across traditional package, containerised, and artificial intelligence (AI)/machine learning (ML) environments.
Malicious open source packages are a particular risk because they routinely slip past traditional security tooling. These packages, which Sonatype calls open source malware, usually have no CVE to match on, so vulnerability-driven scanners have nothing to flag; perimeter tools see only a download from a legitimate public registry; and the package can land in a development environment before any software composition analysis (SCA) step runs. Sonatype's Repository Firewall evaluates such packages and blocks them before they are downloaded into the organisation, with the aim of covering every entry point for open source and third-party components.
As part of the new features, Repository Firewall now integrates with Zscaler Internet Access (ZIA), Zscaler's cloud-delivered secure web gateway. The integration carries Sonatype's open source intelligence out to the network perimeter: package downloads that never touch the internal repository manager still pass through ZIA, where Repository Firewall's verdicts can be applied. The combination is intended to stop high-risk open source components from entering the development pipeline at all, and to give developers confidence that the components reaching them have already been filtered.
The integration targets shadow downloads, which Sonatype defines as open source components pulled directly from public repositories onto developer machines, bypassing the internal repository and the controls attached to it. According to Sonatype's data, shadow downloads rose 32.8% during 2024. Enforcing policy both at the perimeter and inside the developer workflow is what Sonatype describes as end-to-end protection against open source malware in DevSecOps environments. One practical caveat: the perimeter control only sees traffic that actually traverses ZIA, so laptops on unmanaged networks, build agents with direct egress, and any other path around the proxy remain blind spots unless egress is locked down as well.
Tyler Warden, Senior Vice President of Product at Sonatype, stated, "Enterprises are doubling down on zero trust strategies, and that must include open source software and AI governance. By combining ZIA with Sonatype's intelligence-driven policy-based blocking, teams can proactively quarantine risky components at the point of ingestion, reducing attack surface, manual effort, and remediation costs — while increasing coverage and strengthening governance."
Repository Firewall now also supports Docker registries, so the same malware and vulnerability policies that govern package formats apply to container images. Sonatype positions this as consistent security and compliance across deployment targets, from virtual machines to Kubernetes clusters and other cloud-native architectures, with developers receiving the same feedback and blocking for test and production images without changing how they pull them.
Another addition is support for Hugging Face AI models, extending Repository Firewall's policy checks to AI and ML components so that teams can detect and block potentially malicious or non-compliant Hugging Face models before they enter a development workflow. Earlier this year, Sonatype researchers identified and addressed vulnerabilities in picklescan, the open source scanner Hugging Face uses to inspect pickle-based model files, which had allowed malicious models to slip past detection.
The reason this matters is that a pickle file is not inert data. PyTorch's default checkpoint format is built on Python's pickle, and unpickling executes whatever import-and-call instructions the stream contains, so a file that looks like plain weights can run arbitrary code the moment it is loaded. Applying the same scrutiny to AI models that is already applied to traditional open source packages is meant to guard against malicious PyTorch pickle files and other risky model payloads that would otherwise appear harmless. As developers and data scientists adopt more AI tooling and model libraries, the Firewall is positioned to help keep those artefacts inside the organisation's security and compliance boundaries.
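As an added illustration of the kind of check described above (this editor's example, not Sonatype's or picklescan's code), the following Python scanner walks a pickle's opcode stream with the standard library's pickletools and reports every import the stream performs, without ever unpickling it. The list of dangerous modules, the sample payload and the minimal torch.save()-style zip are constructed for the example; the zip-with-data.pkl layout mirrors how PyTorch checkpoints are stored, but the string tracking used to resolve STACK_GLOBAL operands is deliberately simplified, and a production scanner would emulate the full pickle stack.

```python
"""Static scan of pickle-based model files for code-execution imports.

Added illustration, not Sonatype's or picklescan's code: the stream is walked
with pickletools and pickle.load() is never called, so a hostile file cannot
run anything during the scan.
"""
import io
import os
import pickle
import pickletools
import zipfile

# Import targets that have no legitimate place in a serialized model
# (editor's list, not a vendor's). os.system pickles under its real module
# name, 'posix' on Unix or 'nt' on Windows, so both are listed.
DANGEROUS_MODULES = {
    "os", "posix", "nt", "subprocess", "builtins", "importlib",
    "socket", "shutil", "sys", "runpy", "pty", "ctypes",
}
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes):
    """Yield (module, name) for every import the pickle stream performs.

    Protocols 0-3 carry the import in one GLOBAL opcode ("module name").
    Protocol 4+ pushes the two strings first and then emits STACK_GLOBAL,
    so a scanner that reads only GLOBAL's argument misses modern pickles.
    String pushes and the memo are tracked just far enough to resolve the
    operands pickle.dumps() emits; a production scanner emulates the stack.
    """
    strings = []          # string values pushed so far, in order
    memo = {}             # memo slot -> value (str, or None if not a string)
    memoize_count = 0     # MEMOIZE assigns slots implicitly, in order
    last_pushed = None    # top of stack, if it is a bare string
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
            last_pushed = None
        elif op.name == "STACK_GLOBAL":
            if len(strings) >= 2:          # operands: two most recent strings
                yield strings[-2], strings[-1]
            else:
                yield "?", "?"             # untraceable operands: treat as hostile
            last_pushed = None
        elif op.name in STRING_OPCODES:
            last_pushed = arg
            strings.append(arg)
        elif op.name == "MEMOIZE":
            memo[memoize_count] = last_pushed
            memoize_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last_pushed
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last_pushed = memo.get(arg)
            if isinstance(last_pushed, str):
                strings.append(last_pushed)
        else:
            last_pushed = None


def scan_pickle(data: bytes):
    """Return 'module.name' for each dangerous import in one pickle stream.

    REDUCE and BUILD are not flagged on their own: torch checkpoints use them
    legitimately (e.g. torch._utils._rebuild_tensor_v2). The import target
    is the signal.
    """
    return [f"{module}.{name}" for module, name in referenced_globals(data)
            if module == "?" or module.split(".")[0] in DANGEROUS_MODULES]


def iter_pickle_streams(blob: bytes):
    """Yield (member, stream) for each pickle in a model file.

    torch.save() writes a zip archive whose '.../data.pkl' member holds the
    pickle; a bare .pkl file is the stream itself.
    """
    buf = io.BytesIO(blob)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    yield member, zf.read(member)
    else:
        yield "<raw>", blob


def scan_model(blob: bytes):
    """Scan every pickle stream in a model blob: {member: findings}."""
    return {name: scan_pickle(stream) for name, stream in iter_pickle_streams(blob)}


class _Payload:
    """Constructed sample: unpickling an instance would run a shell command."""
    def __reduce__(self):
        return (os.system, ("echo compromised",))


def _torch_style_zip(pkl: bytes) -> bytes:
    """Constructed minimal checkpoint laid out like a torch.save() archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pkl)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples. pickle.dumps() only serializes a *reference* to
# os.system; nothing executes unless someone calls pickle.load() on it.
BENIGN_PICKLE = pickle.dumps({"weights": [0.1, 0.2], "arch": "mlp"}, protocol=4)
MALICIOUS_LEGACY = pickle.dumps(_Payload(), protocol=2)   # GLOBAL opcode
MALICIOUS_MODERN = pickle.dumps(_Payload(), protocol=4)   # STACK_GLOBAL opcode
MALICIOUS_CHECKPOINT = _torch_style_zip(MALICIOUS_MODERN)

if __name__ == "__main__":
    for label, blob in (("benign.pkl", BENIGN_PICKLE),
                        ("legacy.pkl", MALICIOUS_LEGACY),
                        ("model.pt", MALICIOUS_CHECKPOINT)):
        print(label, scan_model(blob))
```

The benign dict produces no findings, while both the protocol 2 and protocol 4 encodings of the payload, and the checkpoint wrapping the latter, report the same `posix.system` (or `nt.system` on Windows) reference. Running a scan of this kind before a checkpoint is loaded is a complement to, not a replacement for, loading with `torch.load(..., weights_only=True)`, which refuses arbitrary globals at load time.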
The firewall has also gained automated malware detection designed to run at scale. A new set of application programming interfaces (APIs) exposes real-time malware verdicts so that malicious components can be detected and blocked at any stage of the software development lifecycle, not only at the repository. Organisations can wire those verdicts into continuous integration and continuous delivery (CI/CD) pipelines, existing security tools, and threat prevention platforms, and decide for themselves how and where to restrict risky components according to their own environments and risk definitions.
Sonatype says its Security Research Team continuously monitors the threat landscape. Its Open Source Malware Index for the first quarter of 2025 reports substantial year-on-year growth in packages built for data exfiltration. Repository Firewall is intended to counter these threats without slowing developers down.