Sonatype
Senior Information Security Engineer
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Sonatype
Sonatype is a software supply chain management and security company based in Fulton, Maryland. Founded in 2008, it focuses on secure software development, particularly around open source components and, more recently, artificial intelligence. Sonatype's tools are used by 15 million developers globally and support 70% of the Fortune 100. The company offers products that automate supply chain security across the software development lifecycle (SDLC), including Nexus Repository, which is recognized as a leading artifact repository manager. Nexus Repository helps development teams manage open source components efficiently while enforcing security and legal (license) policy. Additionally, Sonatype operates Maven Central, the primary artifact repository for Java and JVM languages, which places it in a position to shape the security of that ecosystem directly. Sonatype serves various industries, including government, financial services, manufacturing, technology, and healthcare, with notable clients such as Equifax, Salesforce, EDF, and Delta Airlines.
Security at Sonatype
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
Sonatype's AppSec philosophy is that "Security can't be inspected into software at the end — it has to be engineered into how we design and develop it from the beginning." They aim to "Empower developers with automation and intelligence, instead of overwhelming them with alerts," and state that "Sonatype protects developers — and their time." Their risk philosophy is a "developer-first approach" and includes "AI-aware supply chain security." Stated pain points or goals include "Shift-Left Security: Introduce Security Early in the SDLC," to "integrate security tools and practices into the earliest stages of development," and maintaining a "curated open source catalog."
Security Team
Information on Sonatype's AppSec team organizational structure and reporting line is not publicly available. Key public-facing leaders include Bhagwat Swaroop, Chief Executive Officer; Mitchell Johnson, Chief Product Development Officer; and Brian Fox, Chief Technology Officer. The exact team size is not publicly available. At the time this was compiled, there was one explicit Sonatype listing for "Security Researcher." Common skill and tool patterns in Sonatype postings emphasize software composition analysis (SCA), repository management, policy-as-code, automated remediation, and SBOM management; specific SAST/DAST requirements are not publicly available.
Key Initiatives
- Sonatype practices "Shift-Left Security": introducing security early in the SDLC, integrating security tools and practices into the earliest stages of development, and making meaningful, actionable insights available to developers.
- Secure SDLC tooling includes "Sonatype Lifecycle," which integrates automated fixes, customizable policies, and contextual risk prioritization into the development workflow.
- "Sonatype Repository Firewall" identifies and intercepts open source malware before it reaches the internal artifact repository.
- "Sonatype SBOM Manager" is the company's SBOM offering. Public materials show a 2025 product and industry focus on AI-aware SCA and SBOM management.