Resources Blog Why high-quality data is critical for effective software ...

Why high-quality data is critical for effective software composition analysis (SCA)

To understand a company there's no one better to talk to than their customer. That's why Sonatype connected with IT Central Station to get insights from their membership on how they actually feel about Sonatype's products. This is the first in a series of articles that employs real user experiences with Sonatype Lifecycle and Sonatype Repository Firewall, to explore how next-generation software composition analysis (SCA) solutions enable greater developer productivity.

Up first - the importance of data quality. A secure software supply chain requires accurate, timely SCA data for all stakeholders, and higher quality data means greater confidence that real vulnerabilities will be recognized. With this, everyone involved in the development process can spend less time addressing false positives.

Faster issue resolution

Sonatype Lifecycle users leverage its data to learn about new open source vulnerabilities faster, which expedites problem-solving.

"The data quality is really good," explained Russell W., a VP and senior manager at a financial services firm. "They've got some of the best in the industry as far as that is concerned. As a result, it helps us to resolve problems faster. The visibility of the data, as well as their features that allow us to query and search – and even use it in the development IDE (integrated development environment) – allow us to remediate and find things faster."

A product strategy group director at a tech services company agreed, saying: "We don't have masses of false positives. Overall, the data quality helps us solve problems faster."

Using Sonatype Lifecycle meant not having any issues for Wes K., a senior DevOps engineer at an insurance company. He was able to resolve issues and get answers to the developers quickly.

Security Analyst Ryan C. gave us additional detail: "I can pull up a library and see, 'Okay, these versions are non-vulnerable,' and raise my upgrade task."

From a senior enterprise architect at an insurance company, Michael E.: "[Sonatype] will continually scan our components and if a new CVE (Common Vulnerabilities and Exposures) is reported, we get that update. It immediately tells us if we are exposed to that risk and in which areas. That happens very quickly, where before, there was a very painstaking process to try to find that out."

By automatically informing his team if the open source library they're using contains a vulnerability and identifying any applications actively using that library, Sonatype Lifecycle keeps his team moving quickly and safely.

Work smarter

Intelligence from Sonatype allows these professionals to make the best decisions faster, increasing productivity. That's the case for a Java development manager at a government agency, who has found that Sonatype Intelligence data is able to recommend the correct artifact his group should use, along with the different versions that are available to make better decisions.

Ricardo V., a software architect at a tech vendor explained, "Busy developers will usually prefer to spend the majority of their time implementing features and fixing bugs to meet customer timelines rather than indefinitely researching possible vulnerabilities in a library they want to use. The information that we're getting through [Sonatype Lifecycle] makes it all easily accessible."

He continued, "It's also thorough and comes with steps and descriptions of when this issue occurs for specific use cases, so it allows our developers to not lose a lot of time on research."

Security Analyst Ryan C. also appreciates Sonatype Lifecycle for addressing open source vulnerabilities succinctly, which the solution presents to his team in a detailed form. The vulnerability data includes links to easily see the information from Sonatype's security research team and get a deep dive into the information.

"There have been relatively few that I would consider false positives, which is cool. One of the great things about the data that's available within the application is that you can choose your vulnerable library. You can pull up the open source component information and see which versions of that library is available, [ones] that don't have any listed vulnerabilities."

"The most valuable part of the data quality is that it really helps me fit this into our risk management or our vulnerability management policy. Using that data quality to perform targeted, manual testing in order to verify that something isn't a direct issue and that we can designate for upgrade for the next release means that we don't have to do any interim releases."

Competitive advantage

A senior architect at an insurance company evaluated other options before settling on Sonatype Lifecycle.

"The solution's data quality is good. It's a lot better than what we had before, which was OWASP (Open Web Application Security Project) Dependency-Check. Sonatype's data research team seems pretty good. It's good data, for sure, but they're also willing to accept feedback on it, and that's good too."

"We also briefly used SourceClear. We didn't use it very long. It wasn't very good. It seemed that the quality of data wasn't as good."

To learn more about what IT Central Station members think the role of data in SCA, read reviews of Sonatype Lifecycle.

Picture of IT Central Station

Written by IT Central Station

IT Central Station is a crowdsourced knowledge platform that helps technology decision makers around the world to better connect with peers and other independent experts who provide advice without vendor bias.