Sonatype: improving software with open source technology
Wayne Jackson, CEO of Sonatype, discusses current industry trends and predictions for the new year.
1) Could you tell me a little bit about your company and your role at the company?
At Sonatype, we focus on helping organizations build better software, faster, by harnessing all of the good that open source has to offer, while mitigating the inherent risks that come with it.
We have a long history of partnership with the world of open source software development. From our humble beginning as core contributors to Apache Maven, to supporting the world’s largest repository of open source components (Central), to distributing the world's most popular repository manager (Nexus), we exist for one simple reason; to help accelerate software innovation.
We believe that modern organizations can build better applications, faster, for less when they embrace and apply the fundamentals of supply chain automation to their software development practices.
There is a staggering volume and variety of open source and third-party component parts flowing through every development environment in the world. If properly sourced and managed, these components are a tremendous source of energy for accelerating innovation. If not, they lead directly to security vulnerabilities, licensing risks, enormous rework, and waste.
My main role is ensuring we’re prioritizing the right innovations and the right strategies across the company, to stay ahead of the market, as we’ve consistently done since our founding. I’m also focused on making sure we’re providing a supportive, diverse and collaborative workforce for our nearly 350 employees - who make Sonatype the great company it is.
2) What are the current trends within your industry?
There are four significant trends within our industry that are driving the growth of the overall market and our company:
Massive growth in use of open source components by software developers
For every company in every industry, competition is as likely to come from an unknown startup as it is from long-established rivals. In the modern economy, if you’re not innovating fast enough, you’ll get run over by someone who is.
To keep up with these demands, enterprises are turning to open source development practices - the miracle drug of choice powering DevOps and modern software innovation. In fact, enterprise development teams consume an average of 500,000 open source libraries annually to accelerate the pace of software innovation - and can be into the millions. This massive demand for open source will only continue to grow. As new versions are being consumed, they not only offer enhanced features, but also provide improved performance, bug fixes, and security patches.
Developers are the new frontline of security; organizations are adopting DevOps and DevSecOps practices to accelerate software development
Today, developers are the frontline of everything - when you understand that every company is a software company, the role is at the center of the global economy. Developers must be empowered to build quality software with security measures baked in like guardrails, not gates that immediately stop innovation; this requires new tools. When we solve the software supply chain problems, we simultaneously improve hygiene and lower our surface area for better security; but, it starts with the developer.
Growing visibility of cybersecurity threats - specifically centered on applications
Vulnerable applications are the number one attack vector leading to breaches. The industry is finally recognizing how important it is to monitor the development of applications from the very beginning (playing offense), rather than just putting up a perimeter that doesn’t always work (playing defense). In fact, Gartner recently discussed the importance of this, also known as Software Composition Analysis (SCA), in a report. Specifically, they note how critical it is to understand what’s inside your application by creating what’s called a software bill of materials (SBOM), or an inventory of all the components within a given application that allows you to immediately find a vulnerability when one arises.
Rising interest in industry and government regulation directing the use of safer open source components to minimize software supply chain risks
The UK’s National Cyber Security Strategy 2016-2021 declared that “Businesses and organisations decide where and how to invest in cyber security based on a cost-benefit assessment, but they are ultimately liable for the security of their data and systems.” That notion of liability is increasingly being applied not just in the UK but around the world, as governments, and industry bodies, turn up regulations and guidance. For instance, in the US, the FDA started recommending the use of SBOMs for medical device manufacturers as far back as 2017. In January 2019, new PCI secure development standards advise organizations to generate an SBOM to track and trace the location of every single component. The Commerce Department’s National Telecommunications and Information Administration (NTIA) is considering requiring companies to list their sources of software parts to protect the U.S. software supply chains. And, in December 2018, the U.S. House Energy and Commerce Committee released its Cybersecurity Strategy Report which details the importance and priority for utilizing an SBOM.
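To make the SBOM idea in the answer above concrete, here is a small added example (not Sonatype code, and not from the interview): it loads a constructed CycloneDX-style SBOM, indexes the components by package URL, and checks each one against a constructed advisory feed with placeholder advisory ids. The component names, versions, purl strings and advisory ranges are all made up for the example; the point is only that once the inventory exists, finding which application contains an affected version is a lookup rather than a search.

```python
"""Match an SBOM inventory against an advisory feed (added example)."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Constructed sample SBOM in the CycloneDX JSON shape. Component names,
# versions and purl strings are hypothetical.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.9.8",
     "purl": "pkg:maven/com.example/example-json@2.9.8"},
    {"type": "library", "name": "example-log", "version": "1.2.17",
     "purl": "pkg:maven/com.example/example-log@1.2.17"},
    {"type": "library", "name": "example-http", "version": "4.5.13",
     "purl": "pkg:maven/com.example/example-http@4.5.13"}
  ]
}
"""

# Constructed advisory feed with placeholder ids (not real CVEs). A component
# is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "pkg:maven/com.example/example-json",
     "introduced": "2.0.0", "fixed": "2.9.10", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "pkg:maven/com.example/example-log",
     "introduced": "1.0.0", "fixed": "1.2.17", "severity": "critical"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: str
    severity: str


def version_key(version: str) -> tuple:
    """Turn '1.2.17' into (1, 2, 17, 0) so versions compare numerically.
    Trailing non-digits in a segment (e.g. '3.0.0-rc1') are ignored and the
    tuple is padded to four places so '1.2' equals '1.2.0'."""
    parts = []
    for seg in version.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str) -> tuple[str, str]:
    """Split a package URL into (package, version). Qualifiers after '?' and
    subpaths after '#' are dropped before locating the version '@'."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, ""
    package, version = core.rsplit("@", 1)
    return package, version


def load_sbom(text: str) -> list[Component]:
    """Read the components array of a CycloneDX-style JSON document."""
    doc = json.loads(text)
    return [Component(e["name"], e["version"], e["purl"])
            for e in doc.get("components", [])]


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: the 'fixed' version itself is not affected."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable(components: list[Component], advisories: list[dict]) -> list[Finding]:
    """Index the inventory by package, then look each advisory up directly."""
    by_package: dict[str, list[Component]] = {}
    for comp in components:
        package, _ = split_purl(comp.purl)
        by_package.setdefault(package, []).append(comp)
    findings = []
    for adv in advisories:
        for comp in by_package.get(adv["package"], []):
            if is_affected(comp.version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(comp, adv["id"], adv["severity"]))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(load_sbom(SAMPLE_SBOM_JSON), SAMPLE_ADVISORIES):
        print(f"{f.advisory_id} ({f.severity}): {f.component.purl}")
```

Running the block reports the single affected component, example-json 2.9.8; example-log 1.2.17 is skipped because it already sits at the fixed version. In a real pipeline the advisory list would come from a vulnerability feed and the SBOM from the build, but the matching step is the same.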
3) What makes your company competitive?
Simply put, we’ve invested in knowing more about the quality of open source than anyone else in the world. This investment takes the form of machine learning, artificial intelligence, and human expertise, which in aggregate produces highly curated intelligence that is infused into every Sonatype Nexus product. Our data collection engine has ingested and analyzed more than 67 million open source components (70% more than any other source) and never stops learning. Organizations equipped with Sonatype products make better decisions, innovate faster at scale, and rest comfortably knowing that their applications always consist of the highest quality open source components.
4) What innovations has your company been developing during 2019?
While we’ve been continuously innovating throughout the year, and are constantly focused on providing best-in-class features for our customers, we’re most proud of delivering first-of-its-kind, automated malware prevention for open source libraries.
Over the past two years, there have been more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories. Adversaries used these attacks to mine cryptocurrency, steal private SSH keys, insert backdoors, and even deliver targeted patches to alter proprietary code. Open source projects impacted by the malicious injections have been difficult to detect because, on the surface, they look no different than other open source contributions.
To address this next frontier of cybercrime, we’ve combined a new type of behavioral analysis with machine learning and proprietary data to give our customers an indication, or early warning sign, when a new release of an open source project demonstrates heightened risk attributes. Think of it as Minority Report meets precise, curated data. Our goal is to give customers a holistic view of the security of a release so they can make an informed choice about how to proceed and whether the risk they’re taking is an acceptable one. We want to give them data in context.
5) What are your predictions for the industry in 2020?
IT security spend will shift further away from the perimeter, and toward AppSec
As security pushes left, there will be massive adoption of third-party library checks in the places developers spend the most time
2020 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie.
The cries of the big cloud providers “strip-mining” the open source ecosystem will build momentum to change open source licensing language and terms such that cloud provider innovations on top of open source will be shared back with the community, but without exposing their core intellectual property.
The continued rise of ‘augmented development tooling’. More sophisticated security tooling that will continue making developers’ efforts more seamless as they code, suggesting changes, pull requests and even change implications as they code, helping them choose the optimal components and code on the first go, whilst they work.
Marketing matters: from IBM to Kyndryl
Prior to joining Kyndryl as Chief Marketing Officer, Maria had a 25-year career at IBM, most recently as the tech giant’s CMO where she oversaw all marketing professionals and activities across North America, Canada and Latin America. She has held senior global marketing positions in a variety of disciplines and business units across IBM, most notably strategic initiatives in Smarter Cities and Watson Customer Engagement, as well as leading teams in services, business analytics, and mobile and industry solutions. She is known for her work with teams to leverage data, analytics and cloud technologies to build deeper engagements with customers and partners.
With a passion for marketing, business and people, and a recognized expert in data-driven marketing and brand engagement, Maria talks to Business Chief about her new role, her leadership style and what success means to her.
You've recently moved from IBM to Kyndryl, joining as CMO. Tell us about this exciting new role?
I’m Chief Marketing Officer for Kyndryl, the independent company that will be created following the separation from IBM of its Managed Infrastructure Services business, expected to occur by the end of 2021. My role is to plan, develop, and execute Kyndryl's marketing and advertising initiatives. This includes building a company culture and brand identity on which we base our marketing and advertising strategy.
We have an amazing opportunity ahead at Kyndryl to create a company brand that will stand apart in the market by leading with our people first. Once we are an independent company, each Kyndryl employee will advance the vital systems that power human progress. Our people are devoted, restless, empathetic, and anticipatory – key qualities needed as we build on existing customer relationships and cultivate new ones. Our people are at the heart of this business and I am deeply hopeful and excited for our future.
What experiences have helped prepare you for this new opportunity?
I’ve had a very rich and diverse career history at IBM that has lasted 25+ years. I started out in sales but explored opportunities at IBM in different roles, business units, geographies, and functions. Marketing and business are my passions and I landed on marketing because it allowed me to utilize both my left and right brain, bringing together art and science. In college, I was not only a business major, but an art major. I love marketing because I can leverage my extensive knowledge of business, while also being able to think openly and creatively.
The opportunities I was given during my time at IBM and my natural curiosity have led me to the path I’m on now and there’s no better next career step than a once-in-a-lifetime-opportunity to help launch a company. The core of my role at Kyndryl is to create a culture centered on our people and growing up in my career at IBM has allowed me to see first-hand how to prioritize people and ensure they are at the heart of progress in everything Kyndryl will do.
How would you describe your leadership style?
I believe that people aren't your greatest assets, they are your only assets. My platform and background for leadership have always been grounded in authenticity to who I am and centered on diversity and inclusion. I immigrated to the US from Chile when I was 10 years old and so I know the power and beauty that comes from leaning into what makes you different from other people, and that's what I want every person in my marketing organization to feel – the value in bringing their most authentic self to work every day. The way our employees feel when they show up for themselves authentically is how they will also show up for our customers, and strong relationships drive growth.
I think this is especially true in light of a world forever changed by the pandemic. Living through such an unprecedented time has reinforced that we are all humans. We can't lead or care for one another without empathy and I think leaders everywhere have been reminded of this.
What’s the best leadership advice you’ve received?
When I was growing up as an immigrant in North Carolina, I often wanted to be just like everyone else. But my mother always told me: Be unique, be memorable – you have an authentic view and experience of the world that no one else will ever have, so don't try to be anyone else but you.
What does success look like to you?
I think the concept of success is multi-faceted. From a career perspective, being in a job where you're respected and appreciated, and where you can see how your contributions are providing value by motivating your teams to be better – that's success! From a personal perspective, there is no greater accomplishment than investing in the next generation. I love mentoring younger professionals – they are the future. I want my legacy as a leader to include providing value in work culture, but also in leaving a personal impact on the lives of professionals who will carry the workforce forward. Finding a position in life with a job and company that offers me a chance at all of that is what success looks like to me.
What advice would you give to your younger self just starting out in the industry?
I've always been a naturally curious person and it's easy for me to over-commit to projects that pique my interest. I've learned over years of practice how to manage that, so to my younger self I’d say… prioritize the things that are most important, and then become amazing at those things.