Endress+Hauser (Endress and Hauser) is a Swiss-based instrumentation and process automation company with a network of 100 companies in 44 countries. In 2017 the Group generated net sales of €2.1 billion. Production facilities for E+H are located in Germany, Switzerland, France, Italy, South Africa, the United States, China, India, Japan and Brazil.
The in-house software development team uses the Sonatype Platform for open source software licensing and governance, while managing component vulnerability and risk assessment.
Lars Brößler, Senior Software Developer, is on a team responsible for development of new software as well as maintaining the system's legacy features. His team developed and maintains a large number of applications for in-house consumption.
Lars describes challenges he was having with the use of open source components and libraries in the existing workflow. "Too many libraries were being downloaded and used. There was no tracking or monitoring of component or library consumption. Anyone could download, leaving no clues as to which libraries were being used, or where."
The most difficult challenge was the use of a manual tracking process. "We had setup a process to manually track hundreds of applications. We stopped after assessing fifteen libraries," Lars said, shaking his head. "There was no way we would be able to scale or handle the volume of consumption."
Lars and his team began looking for a solution. They narrowed the search down to three possible solutions.
"We evaluated Black Duck, Veracode and Sonatype Lifecycle. We found that Sonatype Lifecycle was the best on the market for managing software licensing of open source and component vulnerabilities. My colleagues and I chose Lifecycle because it is the best user interface for what we are trying to do: remove all critical findings before they reach production."
Compared with Veracode and Black Duck, Sonatype Lifecycle presented minimal false positives. The team created a proof of concept (PoC) to present to the board. "It was a logical decision for them to approve the purchase."
The challenges Lars was having with open source consumption and management have all but disappeared through the use of the Sonatype Platform. Sonatype Lifecycle gives the team the ability to automatically track and monitor deployed components not only in development, but in production as well.
"We are able to access the same libraries for multiple builds," Lars explains. "We have the ability to see libraries within the entire company, down to which versions appear in which apps."
When asked why Endress+Hauser chose the Sonatype Platform, Lars didn't hesitate. "We evaluated Black Duck, Vericode and Sonatype Lifecycle. My colleagues and I chose Sonatype Lifecycle because it has the best usability for what we are trying to do: newly developed apps must have all critical findings removed before they reach production."
"The Sonatype Platform will be integrated into the security pipeline and be mandatory as soon as our updated security guidelines go into effect. The goal is to have no application going into production without the automated evaluation by Sonatype Lifecycle."
Lars concluded by expressing his satisfaction with the Sonatype Platform. "I personally chose Sonatype. Not only does it make my work easier, it simplifies our security process. I definitely recommend it.“