Software composition analysis: A matter of perspective (and experience)
A decade of real world learning
We've been studying the open source governance problem for years, and we've examined numerous ways to help organizations automatically connect the dots between open source libraries and vulnerabilities, whether publicly reported or not.
We've learned a ton of valuable lessons during our journey, including those summarized below:
Analyst coverage is catching up
Companies today are under intense pressure to accelerate the pace of software innovation. That's why they are hiring armies of software developers, consuming unprecedented amounts of open source, and adopting a range of SCA-like tools to help manage use of third-party libraries. As a result, all of the major analysts — including Gartner, 451, and Forrester — have acknowledged the emergence and rising importance of SCA.
As with any young market, the traditional analyst model struggles to understand and define the playing field. For example, analysts organized within their own Dev and Ops silos were challenged to cover a singular perspective on DevOps. The SCA coverage is no exception. Simply stated, it's early days still, and customers, vendors, and analysts alike are wrestling with a critical question: is SCA primarily a "security-centric" endeavor, a "developer-centric" endeavor, or a "legal-centric" endeavor?
At Sonatype, we believe it's all of the above — an "enterprise-wide" and collaborative undertaking to improve how organizations leverage open source software across every phase of their business. Driven by this belief, we built the Sonatype platform to unite software developers, security professionals, legal professionals, and IT operations on the same team and to empower cross-functional teams to automatically identify and remediate open source risk without slowing down innovation.
But not everyone sees the landscape the same way we do. In fact, as evidenced by the results of the 2019 Forrester Wave, some observers believe that SCA is first and foremost a "security-centric" endeavor. These people are not wrong. They simply see the world through a different lens.
Today, tomorrow, and beyond
Today, thousands of organizations depend on the Sonatype platform to automate their use of open source software and third-party libraries — not just "here" or "there" in the development lifecycle — but "everywhere" across the entire software supply chain.
Over the past decade we've learned that the most effective open source governance programs reach far beyond a single use case and a single persona. Successful efforts are truly collaborative: typically led by forward-thinking security professionals, supported by legal and risk management colleagues, and embraced by developers who are grateful to receive precise and actionable intelligence that actually helps them do their job better (and faster). In this sense, the most productive teams not only improve compliance with open source security and licensing policies — they also accelerate innovation velocity.
So, if your objective is to precisely identify true security, legal, and architectural problems across the entire enterprise, the Sonatype platform provides the best path forward. Our platform not only automates the identification of true problems for various stakeholders, it also shows developers exactly how to remediate those problems without slowing down their innovation.
Written by Wayne Jackson
Wayne is the CEO of Sonatype, a role he has held since 2010. Prior to Sonatype, Wayne served as the CEO of open source network security pioneer Sourcefire, Inc. (NASDAQ:FIRE), which he guided from fledgling start-up through an IPO in March of 2007, later acquired by Cisco for $2.7 billion. Before Sourcefire, Wayne co-founded Riverbed Technologies, a wireless infrastructure company, and served as its CEO until the sale of the company for more than $1 billion in March of 2000.