
Improving Supply Chain Reliability With Sonatype


Sonatype is automating software supply chain security to help accelerate developer innovation. The company offers a full-spectrum software supply chain management platform that helps more than 1,500 organizations and over 15 million developers accelerate innovation and improve application security.

Brian Fox, CTO of Sonatype, hit the ground running to talk about how so many companies never even realized they were using open-source software. Fox says, “The reality is, you can’t really be innovative unless you’re leveraging open source.” He adds, “You certainly can’t keep up with the competitors writing every single line of code like I used to do when I started my career.” But there are inherent dangers when developers simply choose to use anything they want. For example, Fox says, “The first things people started to worry about were the open-source licenses. They were afraid of getting sued over GPL and AGPL copyright violations.” Then came serious vulnerabilities like Heartbleed and Shellshock, which made people pay serious attention.

All of this led to an evolution in the supply chain problem. According to Fox, one of the biggest problems was that “… so many companies don’t have the ability to produce a bill of materials (BOM). So if you don’t even know what’s in your software, how do you know what vulnerabilities you need to be responding to?” Fox then adds, “Startups have to care about it. Large companies are going to have to care about it because they’re selling stuff to the government. The new Executive Order (EO) is requiring anybody selling to the government to be able to produce a bill of materials for them.”

Another important issue brought up is that of shipping vulnerabilities in code. To that, Fox says, “Something I observed very early in the company when we were trying to help people modernize is that everybody meant to do the right thing, that the goals they were trying to achieve were correct. However, their tactics for doing it were incorrect.” According to Fox, this caused friction which led to a slowdown in development.

The result of such issues was that developers learned how to game the system. According to Fox, “They knew that if they put the security guy in the corner, and only allowed them to investigate it at the very end, they were creating a false Sophie’s Choice where either we ship this thing now, and you accept the risk, or we take a month delay.”

Sonatype is helping address this issue with a developer-focused control plane for managing and integrating systems across the systems development lifecycle. And, in Fox’s words, “We have the ability to help you guide your developers upfront to make better choices of their components. We have the ability to actually inspect what’s being built, allow you to define policies to pass/warn/fail so you can warn developers there’s a vulnerability in one of your dependencies, but not interfere with their ability to do their job.”
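As an added illustration (not Sonatype's code and not from the interview) of how a bill of materials drives the pass/warn/fail policy described above, the following script matches a constructed BOM against a constructed advisory list and assigns each dependency a verdict based on severity thresholds; component names, versions and advisory identifiers are all placeholders.

```python
"""Policy gate over a bill of materials: pass / warn / fail per dependency."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Component:          # one BOM entry
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:           # one vulnerability record
    component: str
    fixed_in: str         # first version that is no longer affected
    severity: str
    advisory_id: str      # placeholder ids, not real CVEs


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def affected(comp: Component, adv: Advisory) -> bool:
    return comp.name == adv.component and parse_version(comp.version) < parse_version(adv.fixed_in)


def evaluate(bom, advisories, warn_at="medium", fail_at="high"):
    """Return {component name: (verdict, [advisory ids])}; verdict is pass/warn/fail."""
    results = {}
    for comp in bom:
        hits = [a for a in advisories if affected(comp, a)]
        worst = max((SEVERITY_RANK[a.severity] for a in hits), default=0)
        if worst >= SEVERITY_RANK[fail_at]:
            verdict = "fail"      # block the build
        elif worst >= SEVERITY_RANK[warn_at]:
            verdict = "warn"      # tell the developer, do not block
        else:
            verdict = "pass"
        results[comp.name] = (verdict, sorted(a.advisory_id for a in hits))
    return results


def build_verdict(results) -> str:
    """The build's overall verdict is the worst per-component verdict."""
    order = {"pass": 0, "warn": 1, "fail": 2}
    return max((v for v, _ in results.values()), key=order.get, default="pass")


# Constructed sample data: not a real BOM, not real advisories.
SAMPLE_BOM = [Component("libfoo", "1.2.0"), Component("libbar", "3.0.1"), Component("libbaz", "0.9.5")]
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "1.2.1", "critical", "ADV-EXAMPLE-1"),
    Advisory("libbar", "3.0.0", "high", "ADV-EXAMPLE-2"),    # already fixed in 3.0.1
    Advisory("libbaz", "1.0.0", "medium", "ADV-EXAMPLE-3"),
]

if __name__ == "__main__":
    res = evaluate(SAMPLE_BOM, SAMPLE_ADVISORIES)
    for name, (verdict, ids) in res.items():
        print(f"{name:8} {verdict:5} {ids}")
    print("build:", build_verdict(res))
```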

This video summary was written by Jack Wallen.