Large Multinational Media Corporation - From siloed to secure

Reducing false positives with data quality

Sonatype's cloud offerings are available on, and hosted on, Amazon Web Services (AWS).

The Challenge

Despite possessing tools to bolster security in their software development life cycle (SDLC), this U.S. multinational media corporation, who wishes to remain anonymous, found them insufficient to meet their security requirements. The primary challenge stemmed from their utilization of disparate tools from multiple vendors, resulting in silos, security gaps, and communication deficiencies between the different tools.

Some of the software composition analysis tools they used proved to be inaccurate, generating both false positives and false negatives, which undermined the effectiveness of their security measures. False positives occur when a tool flags a component as vulnerable when it is not, so time and effort are spent investigating issues that do not exist. False negatives are more serious: they occur when a tool fails to detect a genuine vulnerability, leaving the software exposed to real threats.

Another crucial factor driving the company to seek an improved open-source security solution was the inadequate language coverage provided by their existing tools. With limited language support, the tools left parts of their software codebase exposed and vulnerable to potential security risks.

These challenges sent the media organization on a hunt for something better, and that search led them to Sonatype.

The Solution

The multinational media corporation sought a single, efficient solution to effectively manage security risks throughout their SDLC without impeding their development pace. Sonatype Lifecycle seamlessly integrated into their DevOps practices, empowering their teams to deliver secure code at an accelerated development velocity. The solution's enhanced accuracy provided precise and actionable intelligence about each component, eliminating the distracting noise that had previously led to wasted efforts. After their prior tools fell short of meeting their needs, the company embraced Sonatype Lifecycle for its scalability, enabling seamless processing and scanning of large data sets every day without compromising speed and efficiency.

“Sonatype's renowned data quality proved to be precisely what they needed to significantly enhance the accuracy of their security violations.”

The architecture of the solution combines Sonatype and AWS services. The customer deployed the Sonatype IQ Server, the engine that drives the Sonatype solution, on a dedicated, large Amazon Elastic Compute Cloud (EC2) instance running an Ubuntu Amazon Machine Image (AMI). Database persistence is provided by PostgreSQL on Amazon Aurora. The instance sits in a private subnet within a Virtual Private Cloud (VPC), and access to it is fronted by an Application Load Balancer (ALB). The customer's CI/CD and build tooling, which runs both within AWS and on-premises, reaches the Sonatype solution through that load balancer.
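The security-relevant property of this layout is that the IQ Server itself is never directly reachable from the internet: it has no public address, its subnet has no internet-gateway route, and its security group admits traffic only from the load balancer. The following is an added example, not Sonatype's or the customer's code, of an offline check for that property. The input dictionaries mimic the shape of `boto3` `describe_instances`, `describe_route_tables` and `describe_security_groups` responses, but every identifier and CIDR in them is constructed sample data, and the listener port 8070 is assumed (it is the IQ Server default, not something the case study states).

```python
# Added example: audit an EC2 instance against the "private subnet behind an ALB"
# deployment pattern described in the case study. Not Sonatype's code.
# All IDs below are constructed placeholders shaped like AWS identifiers.

ALB_SG_ID = "sg-0albexample"   # hypothetical security group attached to the ALB
IQ_SG_ID = "sg-0iqexample"     # hypothetical security group attached to IQ Server
IQ_PORT = 8070                 # assumed IQ Server listener port

# Constructed sample: instance with no PublicIpAddress key (no public address).
IQ_INSTANCE = {
    "InstanceId": "i-0example",
    "SubnetId": "subnet-0private",
    "SecurityGroups": [{"GroupId": IQ_SG_ID}],
}

# Constructed sample: private-subnet route table (local route + NAT egress only).
PRIVATE_ROUTE_TABLE = {
    "Associations": [{"SubnetId": "subnet-0private"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
    ],
}

# Constructed sample: IQ Server security group allowing ingress from the ALB SG only.
IQ_SECURITY_GROUP = {
    "GroupId": IQ_SG_ID,
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": IQ_PORT,
            "ToPort": IQ_PORT,
            "IpRanges": [],
            "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}],
        }
    ],
}


def audit_exposure(instance, route_table, security_group, alb_sg_id):
    """Return a list of findings; an empty list means the instance matches the
    no-public-IP / no-IGW-route / ALB-only-ingress pattern."""
    findings = []

    # 1. The instance must not carry a public IPv4 address.
    if "PublicIpAddress" in instance:
        findings.append(
            f"{instance['InstanceId']} has public IP {instance['PublicIpAddress']}"
        )

    # 2. The subnet's route table must not send any prefix to an internet gateway.
    for route in route_table["Routes"]:
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            findings.append(
                f"subnet {instance['SubnetId']} routes "
                f"{route['DestinationCidrBlock']} to internet gateway {gateway}"
            )

    # 3. Ingress must come only from the ALB's security group, never from CIDRs
    #    and never from any other security group.
    for perm in security_group["IpPermissions"]:
        port = perm.get("FromPort", "all")
        for ip_range in perm.get("IpRanges", []):
            findings.append(f"CIDR ingress {ip_range['CidrIp']} allowed on port {port}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != alb_sg_id:
                findings.append(
                    f"ingress from non-ALB security group {pair['GroupId']} on port {port}"
                )
    return findings


if __name__ == "__main__":
    result = audit_exposure(IQ_INSTANCE, PRIVATE_ROUTE_TABLE, IQ_SECURITY_GROUP, ALB_SG_ID)
    print("findings:", result or "none (matches private-subnet-behind-ALB pattern)")
```

In a real account the three dictionaries would come from the corresponding `boto3` describe calls; the check logic stays the same, and a non-empty result is the signal that the server has drifted out of the architecture the case study describes.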

Sonatype was able to help the company greatly reduce the number of false positives and negatives - which helped them reduce their risk, develop software fearlessly, and continue to build great things.
