Discovery Health and Sonatype Lifecycle

Managing and monitoring open source component usage.

Launched in 1992, Discovery Health is South Africa’s leading manager of medical schemes. The company now provides managed care services to over 3.2 million beneficiaries and has a 38% market share in the overall medical scheme market in South Africa.  With headquarters in Johannesburg, South Africa, Discovery has expanded its operations globally and currently impacts 6.9 million lives in 16 countries and has close to 12,000 employees worldwide. In its primary markets of South Africa and the UK, Discovery owns and operates the financial service provider or insurer.

Discovery Health has large in-house development team. Almost every project built is underpinned by open source technology.  Today, Sonatype Lifecycle provides visibility into open source components with known vulnerabilities and license risks early and everywhere across the company's global application stack. Sonatype's solutions also track and govern the use of open source components across their development lifecycle. Utilizing the automated reporting provided by Sonatype's IQ Server, the operations team understands the current state of component governance across their entire application portfolio.

“We needed constant monitoring and notifications of open source vulnerabilities in our applications. That’s what Sonatype Nexus Repository and Sonatype Lifecycle delivered.”

Systems Architect, Discovery Health

The Challenge: Automating Open Source Component Consumption Policy

Nick Alexander, Systems Architect at Discovery Health explains the challenges his team was facing before discovering Sonatype Lifecycle. “Before implementing Sonatype Lifecycle, we tried to manually constrain what software components were available to developers within our Sonatype Nexus Repository managers. We had a manual approval process to determine which artifacts were permitted for use. It was a time consuming process that eventually degraded to the point where anyone requesting permission for use of a new component was denied. We just didn’t have the time to identify or to analyze the specific components for security or license risks."

"Because of our reliance on manual processes, many times there was no mining through the existing artifacts in the repository manager to determine which previously approved components had new vulnerabilities associated with them", Alexander said.  "There was also little visibility across the development lifecycle to monitor for component vulnerabilities. Without automation, trying to keep up was a monumental task." 

Open Source Hygiene at Discovery Health

The Solution: Embracing Sonatype Lifecycle to Mitigate Risk and Reduce Attack Surface With Regard to Dependencies

Discovery Health operates a significant application server farm, translating to 1000s of application server instances. Manual component governance at this scale is impractical and can be particularly error prone. An important aspect of using Sonatype Lifecycle is for all teams to have access to data about components that are continuously and automatically refreshed. No matter where the components are being used across the development pipeline or in production, all teams have access to the latest component information and their compliance to governance policies.

The team at Discovery Health first started looking at Sonatype Lifecycle to mitigate risk and reduce their attack surface with regard to dependencies used by their open source frameworks and libraries. “Because transitive dependencies may have been pulled into our projects, we had very little visibility as to our true security risk,” Alexander says.

“One of the key features in Sonatype Lifecycle we originally found of interest was the notification that a given component had a new vulnerability,” says Alexander. “We now use Nexus Lifecycle notifications in the deployment phase and in production.  If we only analyzed components at the deployment phase, new vulnerabilities associated with components in production might stay there for quite some time.  Without Nexus Lifecycle, we would have very little visibility into that vulnerability.”

The use of Sonatype Lifecycle started to grow organically across teams. Discovery Health then started to actively engage developers on an individual basis to make them aware of how vulnerabilities were being discovered and how Discovery Health - Monitoring Open Source Vulnerabilities with Nexus Lifecyclethe company was taking a new automated approach to mitigating security risks early and everywhere. There was no ‘big stick’ approach.

Alexander explained the management team's philosophy: “We wanted to drive organic uptake by encouraging people and emphasizing how our new approach would improve the quality of their work while reducing company risk. We strongly encouraged developers to use the Sonatype Lifecycle plug-in within their IDEs to identify security vulnerabilities and license risks early, minimizing re-work that might occur if the issues were discovered later in the lifecycle. This approach was quite successful."

“In Java development, the sheer number of frameworks and open source projects available to you is daunting. It’s impossible to maintain manual reviews of components across our entire environment. However, today we don’t impose any constraints on what is downloaded to the Sonatype Nexus Repository from the Central Repository. Through the use of Sonatype Lifecycle, we have automated governance capabilities that allow us to scale our compliance checks to any volume of component downloads. Without automation, keeping pace with our consumption practices would be  completely impractical.”

The Outcome: Sonatype Lifecycle Delivers on Providing Precise Information on Open Source Licensing and Providing Policy Control Over OSS Consumption

Discovery Health has already met its primary objective for their Sonatype project. Nick Alexander is happy to say that every team is now onboard. “They understand the importance of using the Sonatype Platform. The fact that each team has visibility into reporting for their own product is key at this stage. We now have precise information on our license exposure and when we need to address specific risks. Sonatype Lifecycle is delivering on its promise."

"Now, we are starting to implement more restrictive policies as our teams mature in their use of Sonatype Lifecycle. Tracking the number of exposures we currently have on a fixed cycle is the next step to implement. We’re also very keen to look at JavaScript (npm packages) scanning and the features around analyzing applications within Docker containers."

“We needed constant monitoring and notifications of open source vulnerabilities in our applications and that's what Sonatype Nexus Repository and Sonatype Lifecycle has delivered.”