Today’s software development teams increasingly build their projects from open source and third-party components rather than starting from scratch. But while open source usage has added significant value to software development, enabling speed and innovation in teams, it has also introduced a host of security vulnerabilities.
From 2014 to 2017, there was a 50% increase in verified or suspected security breaches related to open source components, according to a recent DevSecOps survey. The same survey showed that one in 16 open source component downloads contains known security vulnerabilities. However, the risks associated with open source dependencies are not only about security. The lack of proper regulation and verification of the components used in projects also exposes an organization to a number of other problems, including quality and licensing issues, rework, and waste.
Sonatype, the leader in software supply chain automation, seeks to help software development teams and organizations avoid these unnecessary complexities and instead accelerate innovation. Applying the principles of supply chain management to the software development lifecycle, Sonatype empowers teams to improve application development and operational efficiency, driving productivity and savings while minimizing risk.
Sourceforge recently spoke with Derek Weeks, the VP and DevOps Advocate at Sonatype, to discuss the importance of software supply chain automation and how the Nexus platform provides value across the entire development pipeline.
Q: Sonatype has a long history in open-source development and has worked hard in distributing the world’s most popular repository manager (Nexus). Can you share with us some additional background information about Sonatype?
A: Sonatype was founded in 2008 with a single mission – accelerate innovation through better software supply chain automation and security. Today’s constantly evolving threat landscape and businesses’ increasing use of open source software have made that mission more important than ever before.
Organizations have become heavily dependent on open source software components for their application development needs. But while these components are fantastic for innovation and acceleration, they can introduce unwanted risks into an organization’s software supply chain.
We help organizations mitigate those risks without sacrificing innovation by providing them with solutions to improve the security, speed, and quality of their software builds. We provide the Nexus Repository Manager, the most popular means of organizing, storing, and distributing software components locally within development teams — this solution is currently used by over 120,000 organizations worldwide. We also provide Nexus Lifecycle and Nexus Firewall to continuously manage the quality and security of components being used across the software development lifecycle.
We’re headquartered in Fulton, MD, with offices in McLean, VA; Sydney, Australia; and London, England. We serve clients in all industries, including technology, healthcare, government, manufacturing and financial services.
Q: Can you explain to us the software development lifecycle? Why is utilizing open source and third-party components very important, especially in today’s business environments?
A: Open source and third-party components are used extensively within the modern SDLC and have many advantages. They can lead to greater efficiencies, faster innovation, and better software builds. It’s no surprise that 80 to 90 percent of every modern application is comprised of open source component parts, as noted in our most recent annual State of the Software Supply Chain report.

Derek Weeks, the Vice President and DevOps Advocate at Sonatype
Unfortunately, use of open source components can also introduce unwanted security risks into organizations’ software supply chains. It’s extremely difficult for organizations to manually identify how many components are flooding these supply chains, where they are flowing through their development cycles, or where they exist in production applications. Plus, open source components can come from virtually anywhere, from respected vendors to sources of unknown origin. It’s tough to know who – or which components – to trust.
The lack of automated insight within many organizations makes it difficult to practice truly effective open source component hygiene — that is, quickly assessing “good” vs. “bad” components. In fact, we’ve found that 1 in 18 Java components downloaded from the Central Repository in 2016 contained known vulnerabilities. Those vulnerabilities are making their way into organizations that do not have strong software supply chain hygiene practices when it comes to vetting their components.
Q: As defined by Sonatype, the supply chain is a ubiquitous trait of modern software development lifecycles. So why do businesses need a product for software supply chain management? What are some of the typical use cases or scenarios where a supply chain management product is beneficial?
A: Software supply chain automation is critical because it ensures that open source components are defect-free and dependable. While the average application has about 190 open source components, not all of those components are created equal. Indeed, we’ve often said that they age more like milk than fine wine since they degrade over time. Newer components tend to be more reliable, secure, and simply better quality.

Choosing to use a supply chain can help safeguard a business’ components.
Businesses need platforms like Sonatype’s Nexus to automatically safeguard those 190 unique components living in each of their applications. Development organizations use thousands of different components across their application portfolio. Nexus provides real-time intelligence to developers that ensures organizations are using the best quality, most secure, and most up-to-date components available.
Nexus is very effective at keeping untrustworthy components out of the software supply chain. For organizations using Nexus, we’ve found a 28 percent improvement in developer productivity, a 30 percent reduction in development cost, and a 48 percent increase in application quality. In one case, a large financial services client shaved 136,000 manual hours of governance and saved $13 million annually.
Software supply chain monitoring is becoming a requirement of conducting business, especially in the public sector. The federal government is concerned about the quality and security of open source software components that underpin the Internet of Things (IoT) and introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would require technology vendors selling IoT devices to the U.S. government to certify that such devices are free from known security vulnerabilities.
This legislation comes after several exploits in a range of IoT products, including vehicles, smartphones, and medical devices. These exploits could have been prevented with proper software supply chain monitoring and hygiene.
Q: What are three of the major benefits of managing software supply chain hygiene?
A: Three major benefits of managing software supply chain hygiene are improved quality, better security, and improved speed to market. Quality and security increase because developers can find potential bugs in components earlier in the SDLC and there is less risk of problematic components entering at any point during a product build cycle. Additionally, as monitoring is automated, developers and other personnel are freed to work on other, more innovative tasks, which ultimately speeds up production.
Q: In your opinion, what is important to keep in mind in order for a software development process to be successful?
A: Security should be front-and-center in application development. That’s why I’m a firm believer in “shifting left,” or moving security considerations to the earliest possible part of the software development cycle. That way, developers can bake security and good security practices into an application from the outset.
Q: Sonatype has over 120,000 Nexus product installations. To what do you attribute this growth and success?
A: First, we are committed to research and development. We want to ensure that our platform offers clients the best possible management and protection of their software supply chains.
Sonatype also finds itself in the middle of a growing market, as the need for secure software grows with every single product release. Ransomware attacks like WannaCry and Petya, as well as the recent Equifax security breach, have demanded international attention. Better component hygiene may well have prevented such attacks. In addition to regulations set out in the IoT Cybersecurity Improvement Act of 2017, organizations in the public and private sectors are realizing their potential vulnerability and looking to take preventative action.
Q: Out of everything included in the Nexus Platform, what would you say are the unique parts that set Sonatype apart from competitors?

Sonatype identifies how to manage open source components to accelerate innovation.
A: When it comes to Nexus Repository, we offer free support for all component types (e.g., Java, npm, Docker, RubyGems, PyPI, etc.). Competitive offerings charge users for access to these formats. Over 150,000 organizations use the Nexus Repository in their DevOps and Continuous Delivery pipelines. You can see how Nexus Repository is deployed in DevOps environments within these 50+ real-world reference architectures.
Our entire portfolio of Nexus products provides in-depth and unique component intelligence. We can precisely identify open source components and determine if they are outdated, vulnerable, or represent licensing risk to your organization. Our precise component intelligence greatly reduces the possibility of false positives.
We use patented, proprietary algorithms to match the components in a given application with the hundreds of thousands of open source and third-party components. We can also match partial components: if just a piece of a component matches a part of our collection, we can identify it.
Q: Can you give us a functional explanation of the three big portions of the Nexus Platform?
A: Nexus Firewall automatically blocks defective parts or bad components from ever entering the CI/CD pipeline.
Nexus Repository acts as a local parts “warehouse” in which developers can store trusted containers, components, and applications.
Nexus Lifecycle protects the supply chain in three different places: in the integrated development environment (IDE), so that developers can choose the highest quality and most reliable components; during the build phase, to ensure that an application adheres to governing policies; and during deployment, to ensure quality. Nexus Lifecycle also continuously monitors applications in production to detect possible vulnerabilities.
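To make the build-phase policy check described above concrete, here is an added example that is not Sonatype’s or Nexus’s code: a small gate that parses a constructed dependency manifest, matches each coordinate against a constructed advisory list, and reports which components a build policy would block and why. The advisory entries, coordinates, license names and severity threshold are all assumptions made up for the example.

```python
"""Illustrative build-stage component policy gate (not Sonatype/Nexus code)."""

# Constructed advisory feed, NOT real data:
# (group, artifact, first vulnerable version, fixed version, severity)
ADVISORIES = [
    ("org.example", "json-util", "1.0.0", "1.4.2", "critical"),
    ("com.example", "net-client", "2.0.0", "2.3.0", "moderate"),
]
# Assumed policy: fail the build at or above this severity, and for banned licenses.
POLICY = {"block_severity": "high", "banned_licenses": {"AGPL-3.0"}}
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_version(v):
    """Turn a dotted numeric version into a tuple so ranges compare correctly."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Parse lines of the form group:artifact:version[:license]; '#' starts a comment."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"bad coordinate: {line}")
        group, artifact, version = parts[:3]
        license_id = parts[3] if len(parts) > 3 else "unknown"
        comps.append((group, artifact, version, license_id))
    return comps


def find_advisories(group, artifact, version):
    """Advisories whose [first_vulnerable, fixed) range contains this version."""
    ver = parse_version(version)
    return [adv for adv in ADVISORIES
            if adv[0] == group and adv[1] == artifact
            and parse_version(adv[2]) <= ver < parse_version(adv[3])]


def evaluate(manifest, policy=POLICY):
    """Map each coordinate to the list of reasons it is blocked (empty list = allowed)."""
    results = {}
    for group, artifact, version, license_id in parse_manifest(manifest):
        reasons = []
        for adv in find_advisories(group, artifact, version):
            if SEVERITY_RANK[adv[4]] >= SEVERITY_RANK[policy["block_severity"]]:
                reasons.append(f"{adv[4]} advisory, fixed in {adv[3]}")
        if license_id in policy["banned_licenses"]:
            reasons.append(f"license {license_id} not permitted")
        results[f"{group}:{artifact}:{version}"] = reasons
    return results


SAMPLE_MANIFEST = """
# constructed sample build manifest
org.example:json-util:1.2.0:Apache-2.0
org.example:json-util:1.4.2:Apache-2.0
com.example:net-client:2.1.0:MIT
com.example:report-gen:3.0.1:AGPL-3.0
"""
```

Running `evaluate(SAMPLE_MANIFEST)` blocks the outdated json-util and the AGPL-licensed component, while the moderate-severity net-client passes because it sits below the assumed threshold.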
Q: What other big projects, solutions, or software developments will clients see from Sonatype down the road? What trends are you most excited about in the supply chain management market?
A: Software supply chain management is an enterprise imperative for all DevOps organizations. Those embracing the principles of supply chain management are seeing significant improvements in quality and productivity.
Organizations choosing to ignore the feast of components being delivered through their supply chains will suffer from growing technical and security debt along with mounting liability concerns.
This is a world defined by key trends, including:
- DevOps practices and tools helping to automate software supply chains
- Developers consuming a massive volume and variety of open source components
- Open source components of varying quality
- Rapid feedback loops embedded within the development lifecycle enabling continuous improvement
- Regulatory and industry initiatives aimed at protecting end users and consumers
About Sonatype
Founded in 2008, Sonatype is the creator of Nexus, the world’s most popular repository manager. The company strives to help accelerate software innovation through a world-class team of employees, investors, and partners. Sonatype is driven by the idea that organizations can build better applications, faster, for less, and thus continue to procure Nexus products to help modern organizations automate the flow of open source components.