Return on investment in software composition analysis (SCA)?

Today, drawing on customer feedback about real user experiences, we look at how software composition analysis (SCA) with Sonatype Lifecycle and Sonatype Repository Firewall reduces overall risk, cost, and effort. This is the third post in the series: we began with the importance of data quality and then detailed the benefits to individual developers and dev teams.

Accelerate development

Moving quickly in the software development life cycle (SDLC) means more than a faster time to market; it also means being more responsive to customers and to emerging issues.

"[When] producing new applications and updating old applications… it takes much less time to add features or produce a new product out to our subscribers than it did before," explained Michael, a Senior Enterprise Architect at the MIB Group.

"That allows us, obviously, to start billing for those services sooner. Without Sonatype [Lifecycle], it would take a considerably greater amount of time. Our return on investment is based upon how many applications we bring out and the turnaround time."

Release speed is key for a Java development manager who also responded: "The solution has improved the time it takes us to release secure apps to market by at least 50%."

Customers also reported the ability to respond to problems faster.

"It significantly lowers the turnaround for responding to incoming issues," said Ryan, a Security Analyst. "It also empowered our support staff to be able to pass along audit results without having to loop in the security team directly. There is a much lower overhead involved when doing it that way."

Michael also noted some dramatic improvements for his team.

"The data quality helps us solve problems faster. I would estimate it saves us weeks to a month, or more, depending upon the scope of a project."

Improving efficiency

An effective SCA solution streamlines the development and release process. Estimating a 10% boost in developer productivity, the Java development manager explained: "because of the plugin which is included for the IDE [that] gives a report of the vulnerabilities, it saves time in figuring out the right open-source versions that we need to use."

Michael highlighted the ease of development and the ability to automate a lot of the build-and-deploy process.

"What we get out of using Sonatype [Lifecycle] is that all of our dependencies are in the same place and we can specify a specific version. The biggest benefit is the overall ease of development. It has definitely increased developer productivity. They spend a lot less time looking for components or libraries that they can download."

Through detailed information from the scan results or the listings, Ryan saw improvements in the team's vulnerability management. Being able to audit them thoroughly and test them "really helps with development resources in our case."

"We do not have to cram in a bunch of upgrades just for the sake of upgrading if we're constrained elsewhere. It really helps prioritize dev resources."

An Information Security Architect at Alef Education told us:

"[The] impact is really huge because we are able to meet our continuous integration in the DevOps pipeline. The speed of that flow is noticeable. The impact is on both development and operations, together. The integration with the CI/CD pipeline is easy."

Saving money by reducing risk

While it doesn't represent clear-cut cost savings or revenue increases, everyone knows that failures are expensive. There's no shortage of companies today dealing with security incidents and reputation damage, as well as compliance penalties.

Austin, an enterprise infrastructure architect at Qrypt said that "[Sonatype Repository] Firewall is really useful for us to keep an eye on our proxy repositories for vulnerabilities."

"That's another layer of helping us make sure that we don't have vulnerable products. The expense is justifiable because of the potential to save a company a lot of money in lawsuits and risks from having vulnerable packages."

A product strategy group director at Civica, a tech services company, explained that they were able to protect their intellectual property and identify security issues, reducing risk.

An Application Security professional noted that Sonatype Lifecycle "gets our developers to think about the third-party libraries they're pulling into the system, in terms of security. The return on investment for us is that we have the process in place that has our security aspects tied into it."

To learn more about what IT Central Station members think about SCA, visit Sonatype Lifecycle Reviews.


Part 1: Why High-Quality Data is Critical for Effective Software Composition Analysis

Part 2: Effective Tools for Software Composition Analysis

Written by IT Central Station

IT Central Station is a crowdsourced knowledge platform that helps technology decision makers around the world to better connect with peers and other independent experts who provide advice without vendor bias.