News and Notes from the Makers of Nexus | Sonatype Blog

Real World Experiences: Blackboard

Written by Derek Weeks | April 21, 2015

As part of a new series called "Real World Experiences," we'll highlight how Sonatype customers benefit from greater development efficiency, higher productivity levels, faster time to market and better quality software, all while being more secure.

We kick off the series covering Blackboard, the world's leading education technology company. Blackboard challenges conventional thinking and advances new models of learning to reimagine education and make it more accessible, engaging and relevant to the modern day learner and the institutions that serve them.

Blackboard's Challenge

Blackboard has written millions of lines of custom code, and about half of it touches one or more of 100+ open source components, including the likes of Spring, Struts, Hibernate, and Tomcat. Ensuring those components are free of vulnerabilities is crucial to Blackboard, explained Matthew Saltzman, Senior Security Engineer on Blackboard's Application Security Team. In the past, the team would spend two days assessing whether a specific version of an artifact, framework or library was approved for use in a Blackboard product. Like many other companies, the team tracked its inventory of open source components in a spreadsheet. The team would review notifications from the National Vulnerability Database to see if its open source components were free of security risks. In parallel, the legal team would analyze any license risks associated with those components. This manual process did not scale with Blackboard's growing use of open source; it was tedious and tough to maintain. When new vulnerabilities surfaced in a live product, the security team would spend days identifying a fix.

Why Blackboard Selected Sonatype

Blackboard needed to transform its open source governance practices to work at the speed of its agile development teams. The company sought an automated solution to continuously monitor, govern and report on open source components in use. After evaluating open source and commercial options, Blackboard chose Sonatype's Component Lifecycle Management (CLM) because it was easy to integrate and easy to use. CLM tracks usage, enforces policy and prevents the use of flawed components all the way through the SDLC. CLM would also help the company track open source artifacts in production applications, refocusing the company's security team on new vulnerability disclosures that could impact customers or operations.

At Blackboard, Sonatype's CLM is integrated directly into the continuous integration platform Jenkins, which was a key priority for the company. Because CLM is integrated tightly inside their development tools, developers now get real-time updates about component attributes (security, licenses, and quality) so they can make the right choices. The solution not only identifies potential issues, but also offers recommendations on safer versions of troublesome components. CLM provides a complete software bill of materials (SBOM) covering all open source components in use, and then continuously monitors that inventory for changes and for vulnerabilities associated with those components. This detail, presented in a CLM dashboard, keeps the development, application and legal teams informed of Blackboard's open source inventory, including artifact and application vulnerability profiles.
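As an added illustration (not Sonatype's or Blackboard's code), here is a minimal Python version of the automated check described above: it matches a component inventory against a vulnerability feed and a legal-approved license list, recommends the lowest version that clears every open advisory, and fails the build the way a CI gate would. The inventory, the advisories (placeholder IDs, not real CVEs) and the license list are constructed sample data, and the code assumes dotted numeric version strings.

```python
"""Constructed illustration of an SBOM policy gate: match a component
inventory against advisories and an approved-license list, recommend a
safer version, and decide whether the build passes. All data is sample
data; advisory IDs are placeholders. Assumes dotted numeric versions."""


def parse_version(text):
    """Turn "4.2.0" into (4, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory, in the shape of the spreadsheet the post mentions.
INVENTORY = [
    {"name": "struts2-core", "version": "2.3.1", "license": "Apache-2.0"},
    {"name": "hibernate-core", "version": "4.2.0", "license": "LGPL-2.1"},
    {"name": "spring-core", "version": "4.1.6", "license": "Apache-2.0"},
]

# Constructed advisory feed with placeholder IDs (not real CVEs).
# "fixed_in" is the first version the advisory no longer applies to.
ADVISORIES = [
    {"id": "ADV-0001", "name": "struts2-core", "fixed_in": "2.3.4"},
    {"id": "ADV-0002", "name": "struts2-core", "fixed_in": "2.3.2"},
    {"id": "ADV-0003", "name": "spring-core", "fixed_in": "4.0.0"},
]

# Licenses vetted by the legal team (constructed list).
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def evaluate(inventory, advisories, approved):
    """One finding per component with an open advisory or unapproved license."""
    findings = []
    for comp in inventory:
        ver = parse_version(comp["version"])
        hits = [a for a in advisories
                if a["name"] == comp["name"] and ver < parse_version(a["fixed_in"])]
        # Safer version: the highest fix version, so every open advisory is cleared.
        recommended = max((a["fixed_in"] for a in hits), key=parse_version) if hits else None
        license_ok = comp["license"] in approved
        if hits or not license_ok:
            findings.append({"name": comp["name"], "version": comp["version"],
                             "advisories": [a["id"] for a in hits],
                             "recommended": recommended, "license_ok": license_ok})
    return findings


def build_passes(findings):
    """CI gate: any security finding or unapproved license fails the build."""
    return not findings
```

Running `evaluate(INVENTORY, ADVISORIES, APPROVED_LICENSES)` flags struts2-core (two open advisories, recommend 2.3.4) and hibernate-core (license not approved), while spring-core passes.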

The Value Blackboard Sees in Sonatype

Blackboard's application security team has transitioned from spending its time researching open source vulnerabilities to relying on CLM to automate the oversight and policy guardrails continuously. The CLM integration helps both enforce the set of open source licenses vetted by the legal team and identify potential license risks. Not only do both teams save an incredible amount of time, but Blackboard now has a proactive way to safely use open source components, avoiding security, license and quality-related issues. "In less than a day, we were up and running with the CLM solution integrated into development," Saltzman said. "And to top it off, our developers needed only a 30-minute course to learn the product. With CLM, we recognized value right away."

Interested in how other organizations achieve value from Sonatype products? Read more "Real World Experiences."