Resources Blog Effective tools for software composition analysis (SCA)

Effective tools for software composition analysis (SCA)

Because companies are defined by their customers, we connected with IT Central Station for real user experiences with Sonatype Lifecycle and Sonatype Repository Firewall. Our second in the series, we first looked at benefits of data quality to software composition analysis (SCA). Today, we continue with other benefits to individual developers and development teams.

Managing the software supply chain can feel like an impossible task, especially for developers. That's where an SCA solution fits in. By continuously monitoring the software development life cycle (SDLC), they can identify and remediate potential issues as they create new code. By allowing developers to define rules, actions, and policies that work best for the development process, Sonatype Lifecycle gives developers control over their end of the software supply chain.

Boost developer productivity

The reality is that modern software development now makes up between 80 and 90% of a typical application is assembled from third-party and open source components. These components make up the software supply chain and Sonatype's customers use the Sonatype Platform to maintain system best practices.

"[Sonatype Lifecycle] has helped developer productivity," explained Charles, a DevSecOps leader at a financial services firm. "It's like working in the dark and all of a sudden, you've got visibility. You can see exactly what you're using, and you have suggestions so that, if you can't use something, you've got alternatives. That is huge."

A Java Development Manager reported a reduction in the time to release secure apps by at least 50%:

"[Sonatype Lifecycle] has also increased developer productivity to some extent because of the plugin which is included for the IDE [Integrated Development Environment]. It gives a report of the vulnerabilities. It does save time in figuring out the right open source versions that we need to use. It has helped improve the productivity of the developers by about ten percent."

Sebastian, a solutions delivery lead at a financial services firm, reported differences when remediating issues:

"We are saving five to ten percent in developer productivity … and it has improved the time it takes us to release secure apps to market by saving us weeks of rework."

DevOps tooling integration

Sonatype Lifecycle integrates with the most popular pipeline and developer tools, so clients don’t have to waste time adapting to new tools or processes.

"The Sonatype Lifecycle plugin for Azure DevOps allows us to just include a scan as part of the pipeline deployment. The users don't even have to think about it until they have a violation. [It] informs them or stops the build, and the developers have to resolve it," explained Austin Bradley, Enterprise Infrastructure Architect at Qrypt.

Another architect customer, Recardo Palamida, compared Sonatype Lifecycle to his former enterprise solution.

"Sonatype [Lifecycle] integrates well with our other ecosystem. Now, we're running it in AWS and it actually connects to Sonatype's own service for updates. These live updates are a huge improvement to what we were using before."

Still another architect evaluated another service (Black Duck) before choosing Sonatype:

"We selected Sonatype Lifecycle because of the data quality and the ability to integrate it into our build process."

A senior DevOps engineer at an insurance company advised others to "use it as soon as you can. Get it implemented into your environment as quickly as you can because it's going to help. Once you get it, get your devs on it because they're going to thank you for it."

License tracking

Many developers focus on work outside of the license details for the open source and third-party code they're using. Most recognize it as important, but are busy with activities in and around coding and don’t want to be dragged into the legal minutiae.

For this reason, developers appreciate the strong license tracking capabilities available in Sonatype Lifecycle. Christophe, an engineering manager at a tech vendor, said they have avoided legal issues with scans that flag policy violations.

"We had some problems identifying the licenses of the different embedded libraries that were in our products. That could have resulted in legal problems when we deployed our products."

Russell W., a configuration manager at a wellness and fitness company, told us about the improved automation at his organization. The program creates awareness about unlicensed, third-party dependencies.

"With our leaders across our different organizations, we set policies that govern what types of libraries [and] licenses can be used. We set those as settings in the tool and the tool manages that throughout the lifecycle, automatically."

To learn more about what IT Central Station members think about SCA – visit Sonatype Lifecycle Reviews.

Picture of IT Central Station

Written by IT Central Station

IT Central Station is a crowdsourced knowledge platform that helps technology decision makers around the world to better connect with peers and other independent experts who provide advice without vendor bias.