As a long-time conference attendee and occasional speaker, I always get excited for Red Hat Summit. Maybe it's because I have always admired Red Hat as a company and have been a fan of many of their technology solutions, or maybe it's because I often see a lot of folks I know.
This year is exciting for me, because in my new role at Sonatype I help manage our emerging relationship/partnership with Red Hat, and we have some exciting things to share. SPOILER ALERT: Be on the lookout for a press release announcing Sonatype Nexus Repository is recognized as a certified OpenShift solution.
Perhaps most importantly, though, I'm excited about our emerging partnership with Red Hat because our two companies share a passion for software hygiene. At Sonatype, the leader in software supply chain automation, we are intensely focused on helping our customers choose, and use, only the best open source components from the best open source projects. A few years ago, our CEO, Wayne Jackson, authored a paper entitled Open Source Needs Help. It was the first quantitative assessment of the software ecosystem that we knew of at the time. In assessing the ecosystem, we focused on mean time to remediate (MTTR): how long it took projects to fix known security issues, whether in their own code or in one of their dependencies. The results were illuminating, and the summary is as follows. On average, projects needed ~300 days to fix these issues! If we looked at just level 10 defects (as bad as it gets), the average dropped to 224 days. Not good, and the reason we felt open source needed help. But the real story was a statistical outlier: JBoss. Their remarkable attention to these issues produced an incredible MTTR of less than one week! No one else was even close.
I see Red Hat as a world-class supplier of software, possibly the most robust stack you could use at the OS and middleware layers, in my opinion. At Sonatype, we believe that if we can help our customers apply that same level of diligence at the application layer, they'll have the most secure and comprehensive solution available. A weakness in any layer weakens the entire stack, so no matter how good Red Hat is, if you deploy an app with the newish Struts 2 vulnerability on top of it, all is for naught.
Secondly, Summit affords me the opportunity to connect with you and compare notes to better understand your journey to the cloud and containers. In turn, I can share how Nexus is adding value to OpenShift by helping Red Hat 'shift left' and engage more readily with the developer tribe and the lines of business (LOBs) they work for. This is our first year as a sponsor of the Summit. Please visit us at booth #306 to see firsthand how our component intelligence platform enables developers, and all stakeholders on the delivery team, to ensure the quality and security of their open source components at any stage of the application development life cycle. Remember, on average 80% of your application is open source components.
Lastly, I'm a social person and love large gatherings of people. I look forward to having fun and casual conversations with you, customers and friends at our awesome luncheon about containers, clouds and DevSecOps transformations. It's an exciting time to be in IT, and I'm excited to be part of a team that helps delivery teams go fast, and be safe. I hope I see you there.
Curtis Yanko is a Sr. Principal Architect at Sonatype and a DevOps coach/evangelist. Prior to coming to Sonatype, Curtis started the DevOps Center of Enablement at a Fortune 100 insurance company and chaired an Open Source Governance Committee. When he isn't working with customers and partners on how ...