
Sonatype Nexus Lifecycle: Scaling Open Source Governance


· Integration Zone

The Wake-up Call

They had downloaded over 200,000 open source components in the past year. And their open source policy, the one established to protect against license risks and security vulnerabilities? It covered about 3% of them.

This is how Nigel Simpson, Director of Architecture at a major media and entertainment company, described his organization’s “huge” wake-up call during our conversation with him on Oct 22. His organization’s manual approaches to open source reviews and approvals simply could not keep up with these volumes. When consumption outpaced the ability to review, his security and legal debt became an unknown.


A Failure to Communicate

For Nigel’s organization, the problem was centered around a failure to communicate: developers weren’t aware of the policy. In addition, the centralized open source governance team couldn’t keep up with reviews. “We knew we needed to do something different…and we needed it quickly,” Nigel said, “as we realized a lot of vulnerabilities were being missed by our manual review process.”

To tackle the problem, they pulled together a broad team of stakeholders, including legal, security and development personnel. The goal: enable developers to actively use open source components while minimizing risks, automating risk analysis, and — most importantly — not slowing down the pace of development.

Make the Easy Thing, the Right Thing

The result was a developer-friendly program called “Paving the Path to Compliance.” The program educates developers about the legal, security and quality risks of open source components and helps them make informed decisions early on in the development process.


Key to the program’s success was making it “easy to do the right thing.” Sonatype’s Nexus Lifecycle was integrated into Nexus and across all IDEs — everywhere developers are using open source. That way, developers could immediately see vulnerable components and their associated risk levels (according to company policy). Using Nexus Lifecycle, the rapid analysis of policy compliance would typically take less than 30 seconds for an application. And when policy violations did appear, Nexus Lifecycle would offer a view of alternative component versions that could comply with the company’s open source policy.

The End Game

Using Nexus Lifecycle’s dashboard, the company can now instantly track the use of open source components across development and into production. Not only do they have a software Bill of Materials for the open source used in each application, but they can quickly visualize license risks and security vulnerabilities for each component — now and into the future. The CLM dashboard also enables them to better prioritize fixes to policy violations by scoring the most severe vulnerabilities, how often they are appearing, and in which applications. As Nigel described it, the end game was to drive out those vulnerabilities, which “we couldn’t have done without CLM.”

You can hear all of Nigel’s story about establishing a modern, agile and scalable open source governance practice in the Raise the B.A.R.R. (Ban Avoidable Risk and Rework) discussion here.


Have You Been Tested?

Wondering if your organization is using vulnerable or risky open source components in your applications? In just two minutes, Sonatype’s free Application Health Check will let you know. This free community service identifies potential open source security vulnerabilities, license risks, and quality issues in open source components used within your Java applications.


Topics: java, open source, governance, application security, nexus, open source governance, open source governance policy

Published at DZone with permission of Derek Weeks, DZone MVB. See the original article here.
