Building Quality In
In 1965, Ralph Nader published his groundbreaking bestseller “Unsafe at Any Speed: The Designed-In Dangers of the American Automobile”. The book detailed decades of decisions by designers at American automakers who resisted the introduction of safety features, from safer seat belts and better air pollution controls to stronger passenger compartment doors and roll-over bars. Nader argued that engineers in Detroit were more focused on aesthetic design than on safety enhancements, outspending on the former by a ratio of 2800:1.
In 2016, DevOps practices face a similar predicament. To accelerate innovation, DevOps engineers deliver new software features faster through the reuse of open source and third-party components, which now make up 80 - 90% of a typical application. While innovation is delivered faster, the use of open source and third-party components faces two big challenges: (1) parts are not created equal, and (2) parts age and grow stale quickly.
The 2015 State of the Software Supply Chain report from Sonatype reveals that more than 1 in 17 components electively used in applications ships with a known defect: a security vulnerability, an outdated and unsupported version, or an intellectual property risk. (The 2016 report will be published next month... stay tuned.)
New Superpowers Needed
Faced with intense pressure to deliver high-quality software faster than ever, today’s development organizations need tools that make it automatically obvious which parts are good and which are not. With billions of open source and third-party components consumed by DevOps engineers every year across dedicated software supply chains, that is not an easy task -- unless, of course, you empower your engineers with new superpowers:
Knowing which components are the best is a monumental task. Just as manual builds have given way to automated builds, manual component analysis has given way to automated component analysis. At Sonatype, we evaluate nearly a billion components every day so that you don’t have to. Research into component quality is more than identifying whether a part is vulnerable; it is understanding the root cause of the vulnerability. The intelligence behind identifying the root cause of any defect is part of Sonatype’s world-class component research. That research is built into our entire portfolio, from Nexus Repository to Nexus Lifecycle to Nexus Firewall, through our SaaS-enabled IQ Server technology.
Components live everywhere across your software supply chain: in IDEs, repository managers, build systems, QA centers, and production. To identify, track, and trace their use, expert vision across multiple integration points is needed. Sonatype’s Nexus portfolio provides x-ray vision into all of the tools you know and love, including Eclipse, IntelliJ IDEA, Jenkins, Hudson, Bamboo, TeamCity, Maven, Nexus Repository Manager, Docker, and more.
If you want to get a glimpse of what x-ray vision into your own apps looks like, take a look at Application Health Check. Sonatype’s Nexus Repository Pro users can get a daily glimpse inside their repos using its free Repository Health Check feature.
Superhuman Intelligence and X-Ray Vision help DevOps teams identify and track down defects faster, reducing mean time to identification (MTTI), but an even stronger power is needed: Healing. Healing is critical because it accelerates mean time to remediation (MTTR). Master DevOps practices report MTTR 168x better than their peers. Across our Nexus portfolio, Sonatype’s IQ Server recommends upgrades, migrations, workarounds, and configurations when a defective component is found. DevOps engineers get a real-time view of higher-quality, more secure, and less risky alternatives to known defective components and are then supported through remediation.
If you have read about Sonatype’s Nexus Firewall, introduced in October 2015, you are already aware that it acts like a Forcefield. Nexus Firewall evaluates every component downloaded into Nexus Repository Pro to ensure it has no known defects and complies with your company’s policies. Nexus Firewall marked the end of golden repository strategies with a Forcefield that rejects and quarantines bad parts.
For DevOps practices, unplanned and unscheduled work is never desired. Yet we all know components age more like milk than wine -- they go bad over time as defects such as security vulnerabilities are discovered. When this happens, teams want to know immediately whether a known vulnerable component was used and, if so, where it can be found. For many teams outside of DevOps practices, this means manually tracking down and evaluating every component in every application across a portfolio. Users of Nexus Auditor have access to a different superpower: Time Travel. With an accurate software Bill of Materials keeping the component inventory of every application in production, Nexus Auditor can instantly travel back in time and accurately alert teams to where components with newly discovered defects were used.
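As an added illustration, not Nexus Auditor's or Nexus Firewall's code, here is the lookup a Bill of Materials makes possible: given a newly disclosed defect in one component version range, find every application whose inventory contains an affected version. The same per-component check is what a download-time gate would apply to each incoming component. The inventory, advisory, component names and versions are all constructed for the example.

```python
"""Added example: SBOM-driven lookup of newly disclosed defects (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


# Constructed inventory: one bill of materials per application in production.
INVENTORY = {
    "payments-api": [Component("org.example", "xml-parser", "2.1.0"),
                     Component("org.example", "http-client", "4.3.1")],
    "web-frontend": [Component("org.example", "http-client", "4.5.0")],
    "batch-jobs":   [Component("org.example", "http-client", "4.2.9"),
                     Component("org.example", "xml-parser", "1.9.4")],
}

# Constructed advisory: every http-client release below 4.3.2 is affected; 4.3.2 fixes it.
ADVISORY = {"group": "org.example", "name": "http-client",
            "affected_below": "4.3.2", "fix": "4.3.2"}


def parse_version(v):
    """Turn '4.3.1' into (4, 3, 1) so versions compare numerically; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def is_affected(comp, advisory):
    """True when the component is the advisory's artifact and its version is below the fix."""
    return (comp.group == advisory["group"] and comp.name == advisory["name"]
            and parse_version(comp.version) < parse_version(advisory["affected_below"]))


def find_affected(inventory, advisory):
    """Return {app: [affected versions]} for every app whose BOM lists an affected version."""
    hits = {}
    for app, components in inventory.items():
        bad = sorted(c.version for c in components if is_affected(c, advisory))
        if bad:
            hits[app] = bad
    return hits


if __name__ == "__main__":
    for app, versions in find_affected(INVENTORY, ADVISORY).items():
        print(f"{app}: {', '.join(versions)} -> upgrade to {ADVISORY['fix']}")
```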
The last superpower employed by DevOps engineering teams today is speed. Analysis, identification, tracking, and remediation of defective components now take place in a few seconds. DevOps teams have replaced the manual identification and analysis effort that used to take weeks at the end of the development lifecycle. What used to take a company two weeks to evaluate now takes two minutes -- a 10,000x improvement.
Achieve DevOps Dominance
The designed-in dangers of the auto industry’s past do not have to be repeated in the software industry of today. Equipped with the right intelligence, vision, protection, and speed, DevOps engineering teams can design quality in from the beginning. It is now easier than ever to assemble your own band of heroes and superpowers to achieve DevOps dominance.