With bad actors constantly waiting for an opening to carry out cyberattacks, securing your software supply chain must become a top priority. Many organizations continue to suffer from security gaps that can be exploited.
At Anaconda, we are dedicated to closing these gaps and ensuring your open-source software (OSS) pipeline is both accessible and safe for your data science teams—without slowing down development and innovation. That’s why we’re excited to announce the release of Anaconda Server 6.5.0, which introduces security enhancements such as conda-forge CVE association, audit logs, and signature information to Anaconda’s Business and Enterprise plans.
What is Anaconda’s Business plan?
Anaconda’s Business plan empowers security teams to enforce organization-wide security policies without hindering data science workflows. Data practitioners can quickly develop and deploy models with the confidence that their preferred packages meet their organization’s security requirements, IT administrators can manage permissions across channels with role-based access controls, and security leaders can proactively implement enterprise-grade policies with license and package filtering.
What is Anaconda Server?
Anaconda Server is the on-premises repository included with on-premises and managed hosting deployments of Anaconda’s Business plan (and above). Anaconda Server lets you centralize your organization’s projects, secure open-source packages and libraries, and manage vulnerabilities with a private repository hosted on premises or in your cloud.
What’s Already Included
Unlike public repositories, Anaconda’s Business and Enterprise plans offer features that protect your supply chain from cybersecurity threats, like:
- Centralized repository: Access thousands of packages built from source on private infrastructure, with stringent QA testing standards for security and compliance.
- Tokenized access: Safeguard against unauthorized access.
- Conda signature verification: Install or update packages with confidence, knowing they originate from verified sources and have not been tampered with in transit.
- Software bill of materials (SBOM): Built in accordance with Software Package Data Exchange (SPDX) specifications, SBOMs provide visibility into software components, facilitating awareness of potential risk factors and enabling quicker response times should an issue arise.
- CVE curation: Anaconda’s curation team reviews flagged packages, verifies which software a given common vulnerability and exposure (CVE) actually affects, and curates a CVE status and score to give your team more confidence.
We’re continuously adding layers of defense to enhance your OSS security practices. With the latest version of Anaconda Server 6.5.0, we’ve included:
- Vulnerability reporting: Monitor potential software risks. Anaconda’s enhanced vulnerability reporting capabilities provide you with comprehensive information about security vulnerabilities in your Python packages. This feature enables proactive vulnerability management and helps you mitigate potential risks.
- User artifact reporting: Monitor activity and stay ahead of vulnerabilities. IT administrators can more easily monitor and track user activity, ensure compliance, and facilitate vulnerability management with Anaconda’s Artifact Reports. This provides enhanced transparency, accountability, and security, especially for highly regulated enterprise environments. Unlike alternatives such as manually tracking user actions or relying on incomplete logs, the artifact report is a comprehensive and reliable record of user interactions, empowering administrators to maintain control and meet compliance requirements effectively.
- Signed packages: Assure the validity of package signatures. Signature information is now available in channels for packages that are sourced from Anaconda’s curated repository. This functionality provides an added layer of security by allowing users to ensure the integrity of downloaded packages.
- CVE metadata: Get detailed information about package vulnerabilities. Anaconda now includes CVE metadata, providing comprehensive information about specific vulnerabilities associated with packages. This metadata enables you to assess and prioritize security updates faster and more accurately.
- Conda-forge CVE association: Identify and mitigate security risks faster. This feature identifies CVEs associated with conda-forge packages that have been mirrored to your secure repository. You can see CVEs that are reported to the National Institute of Standards and Technology (NIST) and add a policy to your conda-forge channel to filter out vulnerable packages. With this new capability, you can more quickly identify and mitigate security risks in your Python open-source projects.
Anaconda is secure by design, with multiple layers of protection built in. Our centralized Professional Repository contains thousands of trusted packages for your data scientists to choose from, all of which are built from source on private infrastructure with rigorous QA testing and stringent standards for security and compliance.
Take ownership of your assets and empower your data scientists with their preferred tools while governing workflows to your high standards. Schedule a demo today!