Tomitribe and Sonatype Lifecycle
Champions of open source security.
David Blevins, project lead for the Apache TomEE Project and CEO of Tomitribe, is adamant: open source software and commercial software can have a mutually beneficial relationship. He’s out to show both communities how it works by using Sonatype Lifecycle to help Tomitribe proactively find and fix vulnerabilities in heavily deployed open source projects like Apache Tomcat and TomEE.
The History of Tomitribe
The Apache TomEE Project started in 2011. David and a team of volunteers worked on the project in their spare time and within 10 months, TomEE was announced as being Java EE Web Profile Certified during the JavaOne conference in 2011. Within a year, David left his job at IBM and hired the volunteers from the Apache TomEE project to start a support company, Tomitribe. The original TomEE project has grown to encompass a dozen open source projects.
The Tomitribe team, working remotely from nine countries, has 46 years of combined contributions to TomEE. “We wear our investment in the community as a badge of honor,” David says. “We’re not a company that spied an open source project and wanted to take advantage of it. We’re a company created from the open source project itself.”
“Automated monitoring is the primary reason we chose Sonatype Lifecycle. It alleviates the time-consuming manual processes that inhibit scaling. We want to be able to have our eyes on the code and have Sonatype Lifecycle tell us when there’s something requiring our attention.”
Using Sonatype Lifecycle
Tomitribe views security as a critical path to success for the Tomcat and TomEE projects under its care. The team at Tomitribe chose Sonatype Lifecycle because of its ability to monitor the CVE databases and other proprietary sources, curate the vulnerability data to make it useful for their developers, and notify the Tomitribe team of any vulnerability announcements, even before fixes are available.
“Our intention is to use Lifecycle to continually scan our builds and monitor every single version of TomEE and Tomcat we support,” explains David. “We are on the verge of becoming HITRUST certified for our HIPAA-compliant customers. It’s essential for us to distribute security fixes to the Apache projects and then notify our clients as quickly as possible.”
“Continuous monitoring and automated governance are the primary reasons we chose Sonatype Lifecycle. It alleviates the time-consuming manual processes that inhibit scaling. We want to be able to have our eyes on the code and have Sonatype Lifecycle tell us when there’s something requiring our attention,” explains David. “We are dedicated to protecting the integrity of the projects we support. Through the use of Sonatype Lifecycle, our team can proactively ensure open source security vulnerabilities are precisely identified, managed and resolved before they can impact our customers.”
Sonatype and Tomitribe: Working Together
Sonatype is helping Tomitribe become a better business through its support of open source security in the Apache Tomcat and TomEE Projects.
“I’m a firm believer in commercial software and open source software having a supporting relationship,” concludes David. “Together, Tomitribe and Sonatype can be an example of how this type of relationship works.”