Trilliant and Sonatype Lifecycle
Helping Utility Companies Improve “Smart Cities”
Sonatype runs anywhere — self-hosted, in the cloud, or air-gapped. Sonatype's cloud offerings are hosted on AWS.
Open Source Component Management is Vital to the Energy Technology Platform
Whether enabling traditional utility companies to implement smart meters and smart grids or aiding cities in their smart transformation initiatives, Trilliant has the technology to provide unparalleled service to their customers through an open and secure communication platform.
The Cary, North Carolina company enables a frictionless exchange of data for the next generation of smart grid and smart city solutions. Trilliant’s multi-technology platform supports automation of energy distribution and real-time analytics used to optimize energy usage while also proactively providing resilience during natural disasters. Trilliant’s advanced communication platform is highly scalable and helps utility companies to draw insights to improve energy distribution and efficiency. Clients use the platform to reduce costs and create new revenue streams.
Like most modern applications, Trilliant’s communication platform is developed using a significant amount of open source (OSS) and third-party libraries, allowing the team to innovate at scale. Prem Ranganath, VP of Quality and Risk Management, understands the incredible value that open source libraries bring to front-line software developers, but he also understands the hidden risk that comes with the unmanaged consumption of open source components.
In order to fully leverage the power of third-party open source libraries, Prem knew that Trilliant needed a fully automated and precise governance solution that operated not outside of the SDLC but inside it, through integrations with key tools. After an initial attempt with a different product didn’t achieve the desired results, Prem and the team at Trilliant turned to Sonatype Lifecycle.
“Using Sonatype Lifecycle, we’re able to identify risks earlier than ever before in the development process — especially compared to six months ago. Sonatype Lifecycle works very well within our DevOps practice.”
Prem Ranganath, VP of Quality and Risk Management
The Challenge: Scaling open source vulnerability monitoring to meet the needs of a growing customer base
As their customers increase the number of endpoints and smart devices on their networks, it is important for Trilliant to ensure that their platform is secure and scalable.
Colleagues assured Prem that the open source risks were being addressed in the development lifecycle using a tool the team had implemented years earlier. He quickly realized, however, that the product had a few flaws. The biggest was the need for Trilliant’s team to conduct extended, manual reviews of OSS vulnerability alerts generated by the tool they had in place.
“What I realized was that there was a lot of data being pumped out by the previous tool but the processes to analyze and act on the data were not integrated into the development lifecycle. The solution was simply too noisy for threat identification. It was not automated, and it required considerable manual effort to implement changes in a timely manner.” Furthermore, he described how “our previous solution was viewed as a separate tool rather than as an integrated part of our process.” This meant that there was too much dependency on manual human effort and insight to recognize threats and vulnerabilities. This, in turn, led to extended remediation times for issues and extra effort sorting through volumes of false positives.
Prem evaluated how Trilliant’s business needs were evolving to ensure that engineering teams could keep pace with the demands for high-performance innovation and security. A large part of that transformation is based on lean and agile practices. For Prem, DevOps is more than a collection of engineering practices. Instead, it provides a framework to drive the cultural changes required to shift security left on the SDLC.
A key part of this transformation was creating governance controls so Trilliant could automatically regulate which open source software components were being used during different phases of the SDLC. “We realized the need to have formal screening mechanisms that were repeatable along with a consistent set of controls across our software supply chains feeding development,” explained Prem.
“We were benefiting from the value open source components offer our development teams, and it was critical to have our processes and tooling tightly integrate with the development pipeline to provide an on-demand view into the potential risks of using third party libraries. The integration of repeatable and automated governance controls represented a change in our organizational maturity that enabled Trilliant to evolve from DevOps to DevSecOps,” Prem noted.
“Sonatype Lifecycle has become an extremely critical piece of what we are doing.”
Prem Ranganath, VP of Quality and Risk Management
The Solution: Seamlessly Integrating OSS Component Intelligence Into the Developer’s IDE
Prem needed to identify a new way to easily manage the governance of open source components that are critical to Trilliant’s software supply chains. To support the DevOps transformation, he knew the new solution needed to be integrated early and throughout the entire development pipeline. He also recognized that the volume of components being used regularly would require an automated solution with precise component information to meet Trilliant’s scale requirements. He wanted to ensure that there was a mechanism for developers to be aware of OSS quality and security issues as they emerged. Finally, he wanted to ensure developers could be guided through remediation paths that would effectively eliminate future rework or delays in their coding efforts.
Prem sought advice from engineering colleagues. Engineering had a longstanding relationship with Opticca Security, and the firm understood the team’s frustrations with incorporating external data in the IDE. Opticca recommended a few solutions on the market, including Sonatype Lifecycle, for automated open source governance. Sonatype Lifecycle stood out for several reasons. Prem and his peers in Engineering really appreciated how Sonatype Lifecycle seamlessly integrated OSS component intelligence into the developer’s IDE as well as other integration points in Trilliant’s development pipeline.
Another plus was that the team could work with security, legal, and governance stakeholders to set policies to meet internal and external requirements. By working across the business, Trilliant could define custom OSS policies that surface the highest quality components. When implemented, these policies could quickly help identify alternative libraries if issues were detected in a developer’s original choice.
Opticca Security also demonstrated how Sonatype Lifecycle fits into a DevOps practice, helping Trilliant’s teams deliver secure code at a higher development velocity. With more accurate intelligence about each component, it was immediately noticeable how Sonatype Lifecycle delivered precise, actionable information that teams would pay attention to, eliminating the noise about components that had led to wasted effort. After an extensive comparison of Sonatype, Veracode, and Synopsys, it was clear that Sonatype Lifecycle would be the best fit for Trilliant’s DevOps transformation.
“The thing I liked about Sonatype Lifecycle was the way it integrates with other tools. For example, SonarQube. We had been using SonarQube for many years. But the integration of static code analysis with our previous solution for proactive threat identification was not an easy task. Sonatype Lifecycle works with all of the tools we’re already using to create a best-in-class pipeline.”
The Outcome: Quickly Identifying and Remediating Application Security Risks
“I think the simplest measure of success is that we are able to quickly identify and remediate application security risks so that we can provide objective assurance to our customers and to regulatory agencies,” Prem says of Sonatype Lifecycle.
“Using Sonatype Lifecycle, we’re able to identify risks earlier in the development process than ever before. It works very well in a DevOps practice by mitigating issues earlier in the development process. With Sonatype Lifecycle, we are reducing our development costs and increasing our software quality,” Prem continued. “I think Sonatype Lifecycle is an extremely critical piece of what we are doing since quality is no longer about an application’s features working as intended. Security and performance are integral elements defining the overall experience we deliver to our customers.”
The best DevOps practices rely on several solutions working side by side and integrated into the delivery pipeline. “By integrating SonarQube alongside Sonatype Lifecycle within our solution delivery lifecycle, we make sure that there are guardrails that quickly guide our teams to examine intelligence surfaced about the quality and security of their code. The guardrails coupled with world-class intelligence enable them to take timely action,” Prem said. “When development teams operate within the guardrails, the pipeline operates at high velocity. When policy violations are surfaced, teams are guided toward changes that can better meet the policy, and work can then move forward. I think that's the biggest benefit to our customers: reliability and security of our code are built in from the start.”
“Risk mitigation was the biggest part of my business case, followed by the cost savings that Sonatype Lifecycle would bring over the long term by reducing rework and technical debt. I didn't want to make a decision just about cost. I really wanted folks to understand at the C-level, as well as those on the engineering teams, that we were going to significantly reduce risk and improve customer confidence. Through in-depth open source governance, Sonatype Lifecycle helps Trilliant more efficiently manage our software supply chain. Improving our organizational maturity around secure development and DevSecOps resonated with our stakeholders at all levels.”
“Sonatype Lifecycle has shown our organization that any non-functional requirements that we deal with, including security, have to be built in. Security is not something that you bolt on. To be successful, it must be built in, from architecture to design, to coding and testing. Anything that has been built into Trilliant’s development pipeline, built into this process, must be considered so that somebody does not have to take a detour and do two steps back to address risk.”
He summarizes by saying, “The benefit of building in security will materialize only when the tooling and SDLC are integrated, and when the tooling democratizes the ability to view data, form insights, and take timely actions.”
Today, Sonatype Lifecycle operates seamlessly throughout Trilliant’s SDLC. The proactive approach to risk management is paying dividends. Trilliant is better able to optimize development costs, improve resilience, and simplify OSS governance without any impact on innovation and agility. Sonatype Lifecycle integrates with the SDLC and provides objective assurance through disciplined governance. This ensures that Trilliant’s software platform is always powered by only the best open source libraries.