Creditreform was established in 1879 with the goal of protecting its clients against bad debts, which are so devastating for liquidity that they can endanger a company’s very existence. All of Creditreform’s solutions and offerings are committed to sustaining that undertaking.
Today, Creditreform, headquartered in Neuss, Germany, has 167 branch offices with 4,500 employees spread across 23 countries in Europe and in China. The business provides an international expert network for credit reporting and debt collection services. Its objective is to provide international information and debt collection services in order to ensure secure business dealings for its clients all around the world.
Creditreform uses Sonatype Lifecycle to manage the consumption and monitoring of open source components across their multiple developer platforms.
The development teams at Creditreform were having difficulty tracking and monitoring the use of open source components. Specifically, there was a lack of transparency around open source governance, licensing and dependencies.
The Creditreform developers were responsible for assessing the security of the components they downloaded, with no systematic process for that evaluation. Manual processes were the norm for investigating each individual open source license. The team realized they needed to implement automated security management for licensing and governance across all development teams.
Dr. Antje Nowack is head of Research and Basic Concerns, which is part of the Software Development Group at Creditreform. The Software Development Group consists of several teams that develop the office services as well as the web applications of the organization. Dr. Nowack’s responsibilities include supporting the development environment for multiple teams and supporting them in matters of security. As part of that role, she led the evaluation process for selecting the tools to automate support of open source governance.
The two most promising candidates were the Sonatype Platform and Black Duck.
Eliminating the need for developers to make personal evaluations and decisions about open source usage was one of the criteria used when selecting Sonatype Lifecycle over Black Duck. Two groups of developers who were affected by the manual work processes helped in the evaluation process.
During the POC, each group analyzed one of their applications and discussed the results. Setting up and using Sonatype Lifecycle with the existing developer toolset was described as “simple”. The team started with example policies from the Sonatype guidebook, and then continued to configure and refine the governance policies.
Another consideration was the evaluation of each company's licensing model. “The Black Duck licensing model depends on the size and number of applications, not the number of people using it. That was one of the criteria that made Sonatype a much better fit for us.”
Dr. Nowack talked about what drove her team’s final decision. “Everyone who saw Sonatype Lifecycle said, ‘This is something we can work with. This is the tool that works for us.’
“What we saw was that Sonatype Lifecycle really worked for us. It was much better than doing everything manually. We didn’t have to rely on developers to understand and determine an output for remediation. This is why we now look to Lifecycle to help the other software development teams.”
With Sonatype Lifecycle acting as the core of the automated security evaluation process for open source at Creditreform, the development teams can now concentrate on building secure software without having the bottleneck of manual evaluation processes.
As the number of applications continues to grow, Sonatype Lifecycle is able to scale to meet the demands of the developers. The team continues to strengthen the automated licensing and governance policies, gaining as much value as possible from Lifecycle.
“It was not really complicated. In fact, getting the solution up and running with Sonatype Lifecycle was very easy,” concludes Dr. Nowack.
When asked if she would recommend Sonatype and the Sonatype platform, Dr. Nowack laughed. “I already did! People continually ask me about Sonatype. Sonatype gives us everything we need. It’s clear you come from the developer’s corner.”
“Sonatype Lifecycle works so well, I have the impression they know how developers work.”