News and Notes from the Makers of Nexus | Sonatype Blog

Nigel’s Wake-up Call: Scaling Open Source Governance

Written by Derek Weeks | November 03, 2014

The Wake-up Call

They had downloaded over 200,000 open source components in the past year. And their open source policy...the one established to protect against license risks and security vulnerabilities? It covered about 3% of them.

This is how Nigel Simpson, Director of Architecture at a major media and entertainment company, described his organization’s “huge” wake up call during our conversation with him on Oct 22. His organization’s manual approaches to open source reviews and approvals would simply not keep up with these volumes. When consumption outpaced the ability to review, his security and legal debt became an unknown.

A Failure to Communicate

For Nigel’s organization, the problem was centered around a failure to communicate: developers weren’t aware of the policy. In addition, the centralized open source governance team couldn’t keep up with reviews. “We knew we needed to do something different...and we needed it quickly,” Nigel said, “as we realized a lot of vulnerabilities were being missed by our manual review process.”

To tackle the problem, they pulled together a broad team of stakeholders, including: legal, security and development personnel. The goal: enable developers to actively use open source components while minimizing risks, automating risk analysis, and -- most importantly -- not slowing down the pace of development.

Make the Easy Thing, the Right Thing

The result was a developer-friendly program called “Paving the Path to Compliance.” The program educates developers about the legal, security and quality risks of open source components and helps them make informed decisions early on in the development process.

Key to the program’s success was making it “easy to do the right thing.” Sonatype’s Component Lifecycle Management CLM was integrated into Nexus and across all IDEs -- everywhere developers are using open source. That way, developers could immediately see vulnerable components and their associated risk levels (according to company policy). Using CLM, the rapid analysis of policy compliance would typically take less than 30 seconds for an application. And when policy violations did appear, CLM would offer a view of alternative component versions that could comply to the company’s open source policy.

The End Game

Using CLM’s dashboard, the company can now instantly track the use of open source components across development and into production. Not only do they have a software Bill of Materials for open source used in each application, but they can quickly visualize license risks and security vulnerabilities for each component -- now and into the future. The CLM dashboard also enables them to better prioritize fixes to policy violations, by scoring the most severe vulnerabilities, how often they are appearing, and in which applications. As Nigel described it, the end game was to drive out those vulnerabilities, which “we couldn’t have done without CLM,” Nigel said.

You can hear all of Nigel’s story about establishing a modern, agile and scalable open source governance practice, Raise the B.A.R.R (Ban Avoidable Risk and Rework), discussion here.

Have You Been Tested?

Wondering if your organization is using vulnerable or risky open source components in your applications? In just two minutes, Sonatype’s free Nexus Vulnerability Scanner will let you know. This free community service identifies potential open source security vulnerabilities, license risks, and quality issues in open source components used within your Java applications.

(featured image credit: http://bit.ly/1x03KSQ)