Resources Blog Software Composition Analysis: A Matter of Perspective (and ...

Software Composition Analysis: A Matter of Perspective (and Experience)

Eureka Moment. In 2010, I joined Sonatype having been CEO of Sourcefire, the commercial open source cyber IPO success story. I was attracted to Sonatype based on a simple, but shocking, observation: public vulnerability disclosures had virtually no impact on developer consumption of open source libraries. So, in partnership with Brian Fox, our founder and CTO, we sketched out a unique vision for a new type of platform that would provide software developers with expert insights on open source libraries, and we would deliver this insight directly within the developer IDE. Eureka! The market we now know as Software Composition Analysis (SCA) was born.

A Decade of Real World Learning. We’ve been studying the open source governance problem for years and we’ve examined numerous ways to help organizations automatically connect the dots between open source libraries and vulnerabilities whether publicly reported or not. We’ve learned a ton of valuable lessons during our journey, including those summarized below:

Dos and Don'ts

Analyst Coverage is Catching Up. Companies today are under intense pressure to accelerate the pace of software innovation. That’s why they are hiring armies of software developers, consuming unprecedented amounts of open source, and adopting a range of SCA-like tools to help manage use of third-party libraries.  As a result, all of the major analysts — including Gartner, 451, and Forrester — have acknowledged the emergence and rising importance of SCA.

As with any young market, the traditional analyst model struggles to understand and define the playing field. For example, analysts organized within their own Dev and Ops silos were challenged to cover a singular perspective on DevOps. The SCA coverage is no exception.  Simply stated, it's early days still, and customers, vendors, and analysts alike are wrestling with a critical question: is SCA primarily a "security-centric" endeavor, a "developer-centric" endeavor, or a "legal-centric" endeavor?

At Sonatype, we believe it's all of the above — an “enterprise-wide” and collaborative undertaking to improve how organizations leverage open source software across every phase of their business. Driven by this belief, we invented the Nexus platform to unite software developers, security professionals, legal professionals, and IT operations on the same team and empower cross functional teams to automatically identify and remediate open source risk, without slowing down innovation.

But, not everyone sees the landscape the same way we do. In fact, as evidenced by the results of 2019 Forrester Wave, some observers believe that SCA is first and foremost a "security-centric" endeavor. These people are not wrong. They simply see the world through a different lens.

Today, Tomorrow, and Beyond. Today, thousands of organizations depend on the Nexus platform to automate their use of open source software and third-party libraries — not just “here” or “there” in the development lifecycle — but “everywhere” across the entire software supply chain.

Over the past decade we’ve learned that the most effective open source governance programs reach far beyond a single use case and single persona. Successful efforts are truly collaborative; typically led by forward thinking security professionals, supported by legal and risk management colleagues, and embraced by developers who are grateful to receive precise and actionable intelligence that actually helps them do their job better (and faster). In this sense, the most productive teams not only improve compliance with open source security and licensing policies — but they also accelerate innovation velocity.

So, if your objective is to precisely identify true security, legal, and architectural problems for the entire enterprise, our Nexus solution provides the best path forward. Our platform not only automates the identification of true problems for various stakeholders, but it shows developers exactly how to remediate problems without slowing down their innovation.

Picture of Wayne Jackson

Written by Wayne Jackson

Wayne is the CEO of Sonatype, a role he has held since 2010. Prior to Sonatype, Wayne served as the CEO of open source network security pioneer Sourcefire, Inc. (NASDAQ:FIRE), which he guided from fledgling start-up through an IPO in March of 2007, later acquired by Cisco for $2.7 billion. Before Sourcefire, Wayne co-founded Riverbed Technologies, a wireless infrastructure company, and served as its CEO until the sale of the company for more than $1 billion in March of 2000.