Sonatype offers developers free security scan tool on GitHub

Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, it announced a free tool called DepShield that offers a basic level of protection for GitHub developers.

The product is actually two parts. For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index. The company gathers this information from a variety of public sources, says Sonatype CEO Wayne Jackson. While it isn’t as highly curated as the company’s commercial offerings, it does offer a layer of protection that most individual developers or small shops wouldn’t normally have access to.

After a developer installs DepShield, it checks the dependencies in each commit to a GitHub repository against the known vulnerabilities in OSS Index and reports what it finds, with recommendations on how to proceed. The company’s commercial offerings include a policy engine to automate remediation. The free version simply lets developers know if there are issues, and they can go back and fix them if need be.
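The article describes the check at a high level: read the dependencies a commit declares, look each one up in a vulnerability index, and report the matches. The following is an added example of how such a lookup works, not DepShield's or Sonatype's code. It uses a constructed, hypothetical advisory list in place of OSS Index, package-URL style coordinates (`pkg:npm/...`, `pkg:maven/...`) for the components, and a constructed lockfile of resolved versions; the advisory identifiers and package names are invented for illustration.

```python
"""Minimal dependency-vulnerability check: resolved versions vs. an advisory index."""
import re
from typing import Dict, List, Tuple

# Constructed, hypothetical advisories in the shape a dependency scanner needs:
# a component coordinate, the affected version range, an identifier and a summary.
# These are illustrative entries, not records from OSS Index.
ADVISORIES = [
    {"purl": "pkg:npm/example-parser", "range": ">=1.0.0,<1.4.2",
     "id": "EXAMPLE-2018-001", "summary": "prototype pollution in merge() (hypothetical)"},
    {"purl": "pkg:npm/example-logger", "range": "<2.0.0",
     "id": "EXAMPLE-2018-002", "summary": "log injection via unescaped newlines (hypothetical)"},
    {"purl": "pkg:maven/org.example/example-xml", "range": ">=3.0.0,<3.2.1",
     "id": "EXAMPLE-2018-003", "summary": "XXE when external entities are enabled (hypothetical)"},
]

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '1.4', 'v1.4.2' or '1.4.2-beta' into a 3-part tuple. Pre-release tags are
    dropped, so this is a deliberate simplification of full semver ordering."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # pad '1.4' to (1, 4, 0) so it compares correctly
    return tuple(parts[:3])


def satisfies(version: str, spec: str) -> bool:
    """True if version lies inside every comma-separated constraint of spec."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.\-+]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def npm_purl(name: str) -> str:
    """Map an npm package name to a package-URL coordinate. Scoped packages keep the
    scope as the purl namespace with '@' percent-encoded, e.g. '@scope/x' -> 'pkg:npm/%40scope/x'."""
    return "pkg:npm/" + name.replace("@", "%40", 1)


def scan(lock: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """lock maps a component coordinate (purl without version) to its resolved version.
    Returns one finding per (component, advisory) pair whose range contains the version."""
    findings = []
    for purl, version in lock.items():
        for adv in advisories:
            if adv["purl"] == purl and satisfies(version, adv["range"]):
                findings.append({"purl": purl, "version": version,
                                 "id": adv["id"], "summary": adv["summary"]})
    return findings


# Constructed lockfile contents (resolved, exact versions). A scanner should read
# resolved versions from a lockfile rather than the caret/tilde ranges in a manifest;
# otherwise it reports on versions that are never actually installed.
LOCK = {
    npm_purl("example-parser"): "1.3.0",            # inside >=1.0.0,<1.4.2  -> flagged
    npm_purl("example-logger"): "2.1.0",            # outside <2.0.0         -> clean
    "pkg:maven/org.example/example-xml": "3.2.1",   # the fixed version, boundary -> clean
    npm_purl("@example/unrelated"): "0.1.0",        # no advisory            -> clean
}

if __name__ == "__main__":
    for f in scan(LOCK):
        print(f"{f['id']}: {f['purl']}@{f['version']} - {f['summary']}")
```

The boundary case matters in practice: an advisory that reads `<3.2.1` must not flag 3.2.1 itself, or developers who have already upgraded get told to fix a problem they no longer have.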

“What DepShield and OSS Index are doing is allowing the developers at the front lines to be able to see what’s happening inside their applications and fix the vulnerabilities directly,” Jackson said.

Vulnerability listed in OSS Index. Screenshot: Sonatype

As for the differences between the commercial and free products, Jackson says it’s a matter of scale. “The way you manage a single application or handful of applications as a developer is different than how you might approach it if you’re a CISO or a governance organization for thousands of applications,” he explained. The latter requires a higher level of automation than the former because of the sheer number of applications involved.

DepShield offers the 28 million developers using GitHub access to a baseline level of protection by identifying a set of known vulnerabilities in their applications before they make them public. Jackson says that GitHub’s role is evolving. Today, it’s not only a tool for committing your code, it’s also become a place to do issue tracking and code reviews, and he believes that as such, a product like DepShield is a natural fit.

Known issues list DepShield. Screenshot: Sonatype

DepShield is available starting today in the Security section of the GitHub Marketplace and developers can download and install it for free.

Sonatype, which is based in Maryland, launched in 2008 and has raised almost $75 million, according to data on Crunchbase. Its most recent funding round was in 2016 for $30 million. Microsoft acquired GitHub in June for $7.5 billion.

Chinese Tesla rival Nio files to raise $1.8 billion in US IPO

Tesla may be looking to go private, but Chinese rival Nio is going the other way after it filed to raise $1.8 billion in an IPO on the New York Stock Exchange.

Nio was started in 2014, initially as NextCar, by Bin Li, an entrepreneur who founded online automotive services platform Bitauto. The company is backed by Chinese internet giants Baidu and Tencent among others, and it has developed two vehicles so far: the EP9 supercar and ES8.

The former is really a concept/racer car — it broke the electric vehicle speed record last year — but the ES8, pictured above, is a car designed for the masses which is priced at 448,000 RMB, or around $65,000.

Nio opened sales for the ES8 last year but it only began shipping in June. Thus, to date, it has fulfilled just 481 orders, although it claims that there are 17,000 customers who put down reservations waiting in the wings.

That means that, essentially, it is pre-revenue at this point.

The company reported revenue of $6.9 million as of the end of June — so one month of deliveries — with a total loss of $502 million for 2018 to date. In 2017, Nio lost $759 million, on no revenue and nearly $400 million spent on R&D.

Nio may be in the same space as Tesla, but its approach differs from the U.S. firm. The company operates ‘clubhouses’ where it sells to new customers and allows existing owners to come to spend time, while it also goes direct to consumer with mobile-based sales. (Not unlike, say, an early Xiaomi model.)

Nio’s pricing is more focused on the mid-market and, without a charger network like Tesla’s (most Chinese households would struggle to charge at home), it has developed its own way to handle battery charging. Its vehicles support battery swapping at dedicated stations, and it operates a fleet of roaming charging trucks that can reach users who are low on juice.

Those on-demand charging services come as part of a subscription-based package which will add further revenue beyond car sales. Further down the line, the company said its vehicles will be compatible with the national EV charging network China is developing so that’ll help on the charging front, too.

Like China’s infrastructure play, Nio itself is very much a work in progress.

Indeed, case in point, it doesn’t yet operate its own factory.

Right now, state-owned JAC Motors handles production, but Nio has pledged to invest $650 million to construct its own manufacturing plant in Shanghai. Nio’s current order backlog will take six to nine months to process, according to the filing, but its own factory could mean orders are dispatched to customers within 28 days of purchase.

The interior of the NIO ES8

The company’s focus is China, but Nio has global roots. Shanghai is its headquarters and home to nearly 2,500 staff, but it also has teams in Munich (design), San Jose (software and self-driving) and London and Oxford in the UK, which handle vehicle concepts.

Its executive team is predominantly Chinese but one familiar name is Padmasree Warrior who is the head of Nio’s U.S. business. The former Motorola CTO joined the company in 2015 after calling time on Cisco, where she spent seven years and had been chief technology and strategy officer.

Despite an international setup, there’s no word in the filing on whether Nio has a timeframe for selling vehicles outside of China. For now, the company cites analyst data claiming that “China is a clear leader in the global EV market” with sales growing from 21,800 in 2013 to 740,900 units last year. That’s despite the Chinese government cutting back on some of its generous subsidies aimed at encouraging early ownership of EVs and eco-friendly hybrid cars.

The world's biggest tech companies are at serious risk of losing a $32 billion market

Life may get harder for big American tech firms trying to break into one of the world's biggest online shopping and mobile markets. India is proposing new laws that would protect homegrown companies trying to compete with the likes of Amazon, Facebook, Google, and Apple in online shopping. India wants to level the playing field for domestic startups, store Indian user data in India, and change the rules around how foreign companies sell online in India.