Sonatype: improving software with open source technology
Wayne Jackson, CEO of Sonatype, discusses current industry trends and predictions for the new year.
1) Could you tell me a little bit about your company and your role at the company?
At Sonatype, we focus on helping organizations build better software, faster, by harnessing all of the good that open source has to offer, while mitigating the inherent risks that come with it.
We have a long history of partnership with the world of open source software development. From our humble beginning as core contributors to Apache Maven, to supporting the world's largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we exist for one simple reason: to help accelerate software innovation.
We believe that modern organizations can build better applications, faster, for less when they embrace and apply the fundamentals of supply chain automation to their software development practices.
There is a staggering volume and variety of open source and third-party component parts flowing through every development environment in the world. If properly sourced and managed, these components are a tremendous source of energy for accelerating innovation. If not, they lead directly to security vulnerabilities, licensing risks, enormous rework, and waste.
My main role is ensuring we’re prioritizing the right innovations and the right strategies across the company, to stay ahead of the market, as we’ve consistently done since our founding. I’m also focused on making sure we’re providing a supportive, diverse and collaborative workforce for our nearly 350 employees - who make Sonatype the great company it is.
2) What are the current trends within your industry?
There are four significant trends within our industry that are driving the growth of the overall market and our company:
Massive growth in use of open source components by software developers
For every company in every industry, competition is as likely to come from an unknown startup as it is from long-established rivals. In the modern economy, if you're not innovating fast enough, you'll get run over by someone who is.
To keep up with these demands, enterprises are turning to open source development practices - the miracle drug of choice powering DevOps and modern software innovation. In fact, enterprise development teams consume an average of 500,000 open source libraries annually to accelerate the pace of software innovation - and that number can run into the millions. This massive demand for open source will only continue to grow. As new versions are being consumed, they not only offer enhanced features, but also provide improved performance, bug fixes, and security patches.
Developers are the new frontline of security; organizations are adopting DevOps and DevSecOps practices to accelerate software development
Today, developers are the frontline of everything - when you understand that every company is a software company, the role is at the center of the global economy. Developers must be empowered to build quality software with security measures baked in like guardrails, not gates that immediately stop innovation; this requires new tools. When we solve the software supply chain problems, we simultaneously improve hygiene and lower our surface area for better security; but it starts with the developer.
Growing visibility of cybersecurity threats - specifically centered on applications
Vulnerable applications are the number one attack vector leading to breaches. The industry is finally recognizing how important it is to monitor the development of applications from the very beginning (playing offense), rather than just putting up a perimeter that doesn't always work (playing defense). In fact, Gartner recently discussed the importance of this, also known as Software Composition Analysis (SCA), in a report. Specifically, they note how critical it is to understand what's inside your application by creating what's called a software bill of materials (SBOM), or an inventory of all the components within a given application that allows you to immediately find a vulnerability when one arises.
Rising interest in industry and government regulation directing the use of safer open source components to minimize software supply chain risks
The UK’s National Cyber Security Strategy 2016-2021 declared that “Businesses and organisations decide where and how to invest in cyber security based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.” That notion of liability is increasingly being applied not just in the UK but around the world, as governments, and industry bodies, turn up regulations and guidance. For instance, in the US, the FDA started recommending the use of SBOMs for medical device manufacturers as far back as 2017. In January 2019, new PCI secure development standards advise organizations to generate an SBOM to track and trace the location of every single component. The Commerce Department’s National Telecommunications and Information Administration (NTIA) is considering requiring companies to list their sources of software parts to protect the U.S. software supply chains. And, in December 2018, the U.S. House Energy and Commerce Committee released its Cybersecurity Strategy Report which details the importance and priority for utilizing an SBOM.
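The SBOM use the interview describes, an inventory that lets you find affected applications the moment an advisory is published, as an added example that is not part of the interview or of any Sonatype product: per-application CycloneDX-style SBOMs are checked against an OSV-style advisory range. The SBOMs, the org.example components and the advisory identifier are all constructed placeholders.

```python
"""Check a new advisory against per-application SBOMs (added example).
All SBOM and advisory data below is constructed; the advisory id is a
placeholder, not a real CVE number."""
import json

# Constructed CycloneDX-style SBOMs, trimmed to name, version and package URL.
SBOMS = {
    "payments-api": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "json-parser", "version": "2.4.1",
         "purl": "pkg:maven/org.example/json-parser@2.4.1"},
        {"name": "logging-core", "version": "1.2.0",
         "purl": "pkg:maven/org.example/logging-core@1.2.0"}]}),
    "reporting-ui": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "json-parser", "version": "2.9.9",   # first fixed release
         "purl": "pkg:maven/org.example/json-parser@2.9.9"}]}),
    "batch-worker": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "json-parser", "version": "1.9.5",   # predates the bug
         "purl": "pkg:maven/org.example/json-parser@1.9.5"}]}),
}

# Constructed advisory in OSV-like form: affected if introduced <= v < fixed.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER-0001",
            "package": "pkg:maven/org.example/json-parser",
            "introduced": "2.0.0", "fixed": "2.9.9"}


def parse_version(text):
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed=None):
    """True when introduced <= version < fixed (no fixed release: open-ended)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_affected(sboms, advisory):
    """Return (application, component, version) for every SBOM entry the
    advisory covers, matching on the package URL without its version part."""
    hits = []
    for app, bom_json in sboms.items():
        for comp in json.loads(bom_json).get("components", []):
            package = comp["purl"].split("@")[0]   # drop the '@version' suffix
            if package == advisory["package"] and is_affected(
                    comp["version"], advisory["introduced"], advisory.get("fixed")):
                hits.append((app, comp["name"], comp["version"]))
    return hits
```

Only payments-api is reported: reporting-ui already runs the first fixed release and batch-worker predates the affected range, which is exactly the triage an SBOM inventory makes immediate.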
3) What makes your company competitive?
Simply put, we've invested in knowing more about the quality of open source than anyone else in the world. This investment takes the form of machine learning, artificial intelligence, and human expertise, which in aggregate produces highly curated intelligence that is infused into every Sonatype Nexus product. Our data collection engine has ingested and analyzed more than 67 million open source components (70% more than any other source) and never stops learning. Organizations equipped with Sonatype products make better decisions, innovate faster at scale, and rest comfortably knowing that their applications always consist of the highest quality open source components.
4) What innovations has your company been developing during 2019?
While we’ve been continuously innovating throughout the year, and are constantly focused on providing best-in-class features for our customers, we’re most proud of delivering first-of-its-kind, automated malware prevention for open source libraries.
Over the past two years, there have been more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted by the malicious injections have been difficult to detect because, on the surface, they look no different than other open source contributions.
To address this next frontier of cybercrime, we've combined a new type of behavioral analysis with machine learning and proprietary data to give our customers an indication or early warning sign when a new release of an open source project demonstrates heightened risk attributes. Think of it as Minority Report meets precise, curated data. Our goal is to give customers a holistic view of the security of a release so they can make an informed choice about how to proceed and whether the risk they're taking is an acceptable one. We want to give them data in context.
5) What are your predictions for the industry in 2020?
IT security spend will shift further away from the perimeter, and toward AppSec
As security pushes left, there will be massive adoption of third party library checks in the places developers spend the most time
2020 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie.
The cries of the big cloud providers "strip-mining" the open source ecosystem will build momentum to change open source licensing language and terms such that cloud provider innovations on top of open source will be shared back with the community, but without exposing their core intellectual property.
The continued rise of 'augmented development tooling'. More sophisticated security tooling will continue making developers' efforts more seamless as they code, suggesting changes, pull requests and even change implications, helping them choose the optimal components and code on the first go, whilst they work.
For more information on business topics in the United States, please take a look at the latest edition of Business Chief USA.