Sonatype Shows Some (Component) Integrity

Dr Dobbs

Published: September 19, 2011 18:36

Hitting the global software tools marketplace this week is Sonatype Insight, a new suite described as a combination of "software products and information services" for ensuring the integrity of open-source components in the software supply chain.

Sonatype Insight is not the only tool claiming to provide "visibility and control" in the name of software integrity, but it is distinguished by its specific focus on how development teams consume open-source components.

Aside from Sonatype's worthy claims of speed and precise functionality, the company's product is built to combine organizational consumption awareness, real-time component change data, and a library of quality, security, and licensing information. Sonatype says that while other approaches to open-source management are either unenforceable, or find issues late in the development cycle when rework becomes prohibitively expensive, Insight is non-intrusive, non-disruptive, and tightly interwoven with existing development processes.

The central developer proposition here is that organizations can gain actionable intelligence about open-source usage at any stage of the application development process. After applications are released to production, Sonatype Insight continuously monitors their bill-of-materials and alerts users if new quality or security defects are uncovered.

Sonatype Insight leverages the Central Repository — the software industry's leading repository for open-source software (OSS) components used by more than 40,000 organizations and containing more than 300,000 Java components from all major open-source projects.

"Without a governance program and an accompanying management policy, the IT organization cannot hope to manage, audit, or track open-source assets that come into or leave the enterprise, and it cannot measure the appropriate use of open-source assets within the broader IT portfolio. At best, an IT organization can simply react tactically to risks (e.g., catastrophic technical failures) after the fact," said Mark Driver, research vice president at Gartner Inc., in "A CIO's Perspective on Open-Source Software" (Jan. 31, 2011).

Sonatype Insight comprises three integrated products that support the modern, component-based development process and offer reporting and management capabilities for application managers, legal and compliance executives, information security executives, and IT leadership:

  • Management Insight: Provides visibility, proactive monitoring, and actionable intelligence about organizational OSS usage including security, license, and quality metadata for components.
  • Development Insight: Enables proactive management of OSS component usage throughout the software development process. Plug-ins for existing development tools deliver quality, security, and licensing information where it's needed without disrupting the development process.
  • Application Insight: Analyzes and continuously monitors the composition of software applications, ensuring that they do not have hidden security, license, or quality risks caused by incorporating problematic OSS components. The product notifies users immediately of newly discovered flaws in components — even after applications are in production.

"As the pervasiveness of open source continues, the market opportunity for Insight is tremendous and should appeal to all Java software developers (6 million and counting) and any company in the world that has used open-source components at any point during the development of mission-critical applications," suggests Wayne Jackson, CEO of Sonatype.