Open Source Revolution at BNP Paribas Personal Finance

Defining DevSecOps and shifting left with the Sonatype Platform.

The BNP Paribas Group, founded over 200 years ago, has grown to be one of the top 10 global banks with a presence in more than 72 countries. The company has consistently been at the forefront of global movements and “adapted to the challenges of their times,” giving their clients stability during periods of change. The software systems they built to power that evolution were often built on open source software. Until recently, however, their teams didn’t know the extent of their open source use and had no insight into how secure the open source components they were using actually were.

“The Sonatype Platform is consistent with our gradual rise in maturity. The product brings richness from the very first use. Whether you're a beginner or a Sonatype expert, it gives you the ability to find the solutions you need. It's just really great. All our teams are delighted to be able to use it.”

BRUNO DARRAS
Head of DevOps for BNP PF

An Awakening: Awareness of Open Source Use

When BNP Paribas Personal Finance began evaluating their use of open source, they knew they weren’t getting as much value out of the ecosystem as they could. All of their libraries were checked directly into Git repositories and all of their procedures were manual; automation wasn’t even on the horizon.

Knowing they needed help wrangling their open source use, they sought a recommendation and were pointed toward Sonatype Nexus Repository. Once implemented, it created a sense of transparency and autonomy that the DevOps teams of over 250 developers didn’t have before. It gave them awareness of what they were using and the ability to see their dependencies. To get there, however, they had to break down silos and preconceived ideas of how the development process should work. Before Sonatype Nexus Repository helped them manage libraries, those libraries could only be downloaded from specific development workstations whose access had been negotiated with leadership.

Implementing Sonatype Nexus Repository helped spark a revolution at BNP Paribas Personal Finance. They knew they needed to look beyond the fact that an open source library existed and had to be downloaded so that it would be available at any time. By maturing and growing with the product, they started writing drivers, running tests, and running trials. They came to understand dependency management and software composition more organically, and realized that it was important to understand all of their open source libraries throughout the development lifecycle, along with the potential risk that came with them. They recognized that the way software was being built had changed. You used to deliver an application and no one cared what dependencies it had; 10 years ago, it just wasn’t a question you asked.

Maturity Leads to Clarity

As BNP Paribas Personal Finance grew and matured in their use of Sonatype Nexus Repository and IQ, they uncovered multiple things about their business they didn’t know before. IQ, specifically, helped the organization understand the vulnerabilities and licensing issues they needed to address. It created visibility into teams that were using licensed components, something they would never have seen otherwise.

Bruno Darras, Head of DevOps for BNP Paribas Personal Finance, is convinced that frequent use of the Sonatype Platform helps the teams grow by constantly discovering new valuable functionalities. He believes that taking the time to mature with the platform allowed them to understand the tool better, understand the meaning of each feature, each function and how it fits into all areas of the organization.

Bruno and his teams have gained great clarity from the in-depth IQ reports. In the coming months, the reports will become part of all security forms and application review processes. The analysis and results will be proactively sent to Product Owners, who will therefore be challenged, or will have to challenge their teams, to do better. This will ultimately guide the steering and management of assets along dimensions such as quality, vulnerability, and the tools used for deployment. Sonatype products will be integrated into the asset dashboard to allow a 360-degree view of any asset.

Cultural Transformation as Key to Success

The Sonatype Platform is transforming the way BNP Paribas Personal Finance builds software. With integrations at the heart of how IQ was developed, it has left a world of possibilities open for the organization. For the company, this is not just a question of tools, but a question of people. They recognize that a cultural transformation involving security champions, security architects, IT risk, and technical support is vital to continued success. There needs to be a community available to the development teams to support, train and guide them. The security champion is key to this transformation: invigorating that community, and understanding how its members help, is critical. To date, the organization has focused on implementing the technical side of the Sonatype Platform. Now, they are focused on teams and training. The culture needs to change to meet the power of the tool. This is their new challenge.