Genome.One is a health information company, providing genetic answers to health questions through clinical whole genome sequencing and analysis. The company's aim is to enhance the lives of patients, families and communities across the world by enabling the future of precision healthcare. Software is at the core of everything they do.
Genome.One researches Disease Diagnostics, Discovery Genomics, Personal Health Genomics and Precision Health Applications. Software innovation is central to these efforts and Sonatype Nexus Repository, Sonatype Repository Firewall, and Sonatype Lifecycle are utilized to automatically enforce licensing, security, and governance policies with respect to open source components.
The Challenge: Managing Open Source Consumption at Scale
The biggest stakeholders for the development team at Genome.One are projects internal to the company, serving clinical diagnosis through genomics. These projects must adhere to government rules, policies and regulations, with the Australian Department of Health as another major stakeholder.
Tudor Groza, CTO, explains how he recognised the initial challenge. "My legal colleagues pinned me to the ground and said ‘You have to manage your governance of open source components.’ At first, I went through the process manually. It was a painstaking process of checking the licensing and dependencies by hand in one of the earlier platforms."
The first manual exercise was completed in a Word file, to make it easier for the legal department. After three months, there was a manual update of some of the dependencies, then another manual check to make sure the licenses were still the same. That’s when the process stopped.
"As you can imagine, I hated my life," says Groza thinking back over the process. "I don’t think we’re any different from any other company. There was very little being done to monitor the components once they became deployed as part of an application. There was a clear sign that there must be something out there that does this."
The Solution: Embracing Sonatype Lifecycle to Automate Open Source Governance and Policy Management
As a software development team, Genome.One started to build products for their stakeholders at the beginning of 2017. The very first thing they wanted to set up was an artifact repository.
"To be honest, there’s not that many options out there. We first looked at Artifactory. We just couldn’t make it work for us. We found Sonatype to be most suitable for us. It was very easy to set up and use immediately." Java and NPM proxying were the ‘low-hanging fruit’ when it came to binary management and publishing through Maven.
Genome.One runs a continuous integration pipeline loop, with the Sonatype Platform integrated into it. The developer team was not disrupted by the implementation of the automated governance and policy management system: fairly well established open source frameworks were already in use, so the system was perceived more as a safety check. When further dependencies were added, there was no longer a need to go back and check their licensing by hand.
"Until we saw the demo from Sonatype Lifecycle, we didn’t pay too much attention to vulnerabilities," says Groza. "It could have been a sign of not being mature enough as a team," he acknowledges. "When we saw a demo it shifted our perception of the use and needs from just license checking. That alone was because we no longer had to do it manually. But really, the primary usage became the vulnerability checking and writing policies around the vulnerabilities."
The Outcome: Using Vulnerability Scans to Maintain Quality Open Source Consumption
Groza described a major benefit of using the Sonatype Platform. "There’s a qualitative side to using Sonatype Lifecycle where I know I don’t have to do that manual, painstaking exercise of running the license checks. Secondly, once we set up the vulnerability checks, we trusted it was just there, running in the background. The measurement can be seen as a 'lack of pain'."
Genome.One is fortunate when it comes to getting buy-in from the rest of the company. They understand the value of saving time through alleviating the manual checks on a regular basis vs having something in place that does it much, much better.
"We have to keep in mind we are dealing with patient data and healthcare data. Security comes above everything. The fact that we can trace vulnerabilities and their dependencies with Sonatype Lifecycle alleviates this from our list of things to do."
The Conclusion: World-Class Support Facilitates Quick Integration to Provide Automated Validation and Software Risk Assessment
When asked about working with the Sonatype team, Groza was unequivocal.
"We have a great interaction with the team. When we had some challenges in the beginning setting things up, Sonatype was able to work quickly and easily with our team. We wouldn’t be having this discussion if things weren't working well!"
The next step for the team is to get approval for software as a medical device, which will make it much more challenging to do the validation of the outcomes of the software. That's where the Sonatype Platform will continue to provide automated validation and software risk assessment as part of the expanding Genome.One mission: Transforming Healthcare through Genomics.