Evaluating OSS Logistics Solutions? Consider These 9 Tips.

February 24, 2015 By Derek Weeks

4 minute read time

With well over 17 billion open source components downloaded from public repositories in 2014, it is clear that more software development organizations are assembling software from component building blocks.

In fact, Gartner reports that by 2016 the vast majority of mainstream IT organizations will leverage open source software (OSS) components in mission-critical IT solutions. This massive reliance on open source components has created new challenges for managing the speed, cost, and risks of continuous delivery in today’s software development efforts.

An increasing number of solutions now exist to help organizations better manage their component consumption, with differing approaches to the problem ranging from code scanning and open source governance to OSS logistics and software supply chain management.

These solutions are generally used to:

  • Identify license, security or quality issues in open source components
  • Ensure organizational policies or industry guidelines are met
  • Understand any potential legal liabilities that may exist with copyright issues
  • Reduce overall risk profiles relating to open source component usage
  • Accelerate development and deployment of component-based applications

When considering the right solution for your business, consider the following differentiators:

1. License, Security & Quality?

Some solutions clearly focus in one direction or the other. Do you want only component license information - even when security and quality information can be included for the same or less cost? Where does the solution get the data? How accurate is it? Will it produce false negatives or false positives and require manual effort to decipher?

2. Agile versus waterfall?

How does your development team operate? Be sure that the solution is designed to operate at your development speed. Waterfall-type solutions typically are used toward the end of your development cycle. Scans take hours or days to produce, yielding thick reports demanding days or weeks of manual review and remediation. Some organizations even require a team dedicated to reviewing the analysis.

Agile-type solutions operate at the speed of development, providing guidance and real-time component intelligence integrated in popular continuous development tools (Jenkins, Hudson, Bamboo, Nexus, Eclipse, SonarQube, etc.) used across the lifecycle. Early and immediate identification of potential component-related issues reduces the time and cost of unplanned rework and provides iterative improvements in step with agile methodology.

3. Problem Discovery and Remediation

Do you want a solution that just finds problems, or also helps fix them? Following the discovery of an open source policy violation (quality, license, architectural, or security related), the best solutions will provide immediate guidance to the developer, empowering them to quickly make a better decision. Not only will developers see the current overall component quality, they will also see alternate recommended versions. In some cases, especially early in development, these replacements can be made simply with the click of a mouse.

4. Continuous vs. Point-in-time Reviews

On average open source projects update their components 3-4 times a year to fix bugs, enhance features and patch security vulnerabilities. Even if you are confident with the component selection in the build process, what happens if new and better versions are released later in the lifecycle? If you are a continuous development shop, you’ll want your solution to stay alert and watch for component issues at any lifecycle stage, including post production.

5. Developer-Centric vs. Legal-Centric

Most developers are not fond of any solution perceived as adding controls that impede their speed. Legal-centric solutions typically are seen as restrictive rather than empowering. Developers often are required to endure manual approvals and workflows to assure their component selection meets organizational policies. This is often unrealistic and dramatically impacts development speed and efficiency. If a solution is not developer-centric, development teams will feel restricted and simply bypass the system as much as possible. This scenario inevitably creates friction between development and the legal and security teams. The ideal solution empowers development teams to easily and quickly choose the better component and offers legal and security stakeholders dashboards to monitor that progress in real time.

6. Snippets vs. Advanced Binary Matching

All solutions rely on some data source used to evaluate and validate your component quality and uncover potential license, security, or architectural issues. The accuracy of this data and the ability to make precise matches is paramount to the overall effectiveness of the solution. Sonatype uses patent-pending advanced binary fingerprinting to identify all open source software and proprietary components as well as their dependencies, and determines whether each component is an exact, partial, or modified match. Users of source code scanners or simple binary matching frequently report that they “receive too many false positives” or “false negatives” caused by ineffective and imprecise component matching. Furthermore, consider how the data is delivered. Is it a real-time feed or a massive database to load on your servers? How often is the data updated?

7. Visibility and Transparency

Generally multiple departments care about the effectiveness of your solution. Development may want to create reports that show how well the solution is helping them avoid faulty components - or remediate known issues. Security and legal departments will want assurances that your applications are free of avoidable risk. Everyone will immediately want to know if a newly announced vulnerability impacts your applications. Be sure that your solution delivers the appropriate dashboards to all of your stakeholders. Be sure that, at a minimum, you can create a bill of materials inventory of the components used in every application, and that you are alerted when new vulnerabilities are found in any of them.
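The question raised in points 4 and 7 - "does this newly announced vulnerability affect any application we have shipped?" - is only answerable if you already hold a per-application bill of materials and can match it against an advisory's affected version range. The following script is an added example (not Sonatype's code and not part of the original post) of that check. The BOM lines, the application names, the `org.example` coordinates, the advisory identifiers and the version ranges are all constructed sample data; the range syntax mimics Maven's `[lo,hi)` notation, and the version comparison is deliberately simplified (only the numeric parts of a version string are compared, so qualifiers such as `-SNAPSHOT` are not handled).

```python
"""Match per-application bills of materials against vulnerability advisories.

Added example, not code from the original post or from Sonatype. All data
below (applications, org.example coordinates, advisory ids, ranges) is
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str          # constructed identifier, not a real CVE
    group: str
    artifact: str
    affected: str    # Maven-style range, e.g. "[1.0,1.3)" or "(,2.0)"
    fixed_in: str    # first version outside the affected range


def version_tuple(version: str) -> tuple:
    # Simplified: keep only the numeric fields ("3.2.1.RELEASE" -> (3, 2, 1)).
    # Qualifiers like -rc1 or -SNAPSHOT are NOT modelled correctly here.
    return tuple(int(p) for p in re.findall(r"\d+", version))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, treating "1.2" and "1.2.0" as equal."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


_RANGE = re.compile(r"\s*([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])\s*")


def in_range(version: str, spec: str) -> bool:
    """True if `version` lies inside a Maven-style range such as "[1.0,1.3)"."""
    m = _RANGE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported range spec: {spec!r}")
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    if lo:  # empty bound means unbounded on that side
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not lo_incl):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not hi_incl):
            return False
    return True


def parse_bom(text: str) -> List[Component]:
    """Parse 'group:artifact:version' lines (the shape mvn dependency:list prints)."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        components.append(Component(group, artifact, version))
    return components


def affected_applications(boms: Dict[str, List[Component]],
                          advisory: Advisory) -> Dict[str, List[Component]]:
    """Map each affected application to the components that match the advisory."""
    hits: Dict[str, List[Component]] = {}
    for app, components in boms.items():
        matched = [c for c in components
                   if c.group == advisory.group and c.artifact == advisory.artifact
                   and in_range(c.version, advisory.affected)]
        if matched:
            hits[app] = matched
    return hits


# Constructed sample BOMs, one per application.
BOM_TEXT = {
    "payments-api": "org.example:json-parser:1.2\norg.example:http-client:2.0.1\n",
    "reporting-ui": "org.example:json-parser:1.3\norg.example:html-sanitizer:0.9\n",
    "batch-jobs":   "org.example:http-client:1.9\n",
}
BOMS = {app: parse_bom(text) for app, text in BOM_TEXT.items()}

# Constructed advisories; the ids are placeholders, not real CVEs.
ADVISORIES = [
    Advisory("EXAMPLE-2015-0001", "org.example", "json-parser", "[1.0,1.3)", "1.3"),
    Advisory("EXAMPLE-2015-0002", "org.example", "http-client", "(,2.0)", "2.0"),
]

if __name__ == "__main__":
    for adv in ADVISORIES:
        for app, comps in affected_applications(BOMS, adv).items():
            for c in comps:
                print(f"{adv.id}: {app} uses {c.artifact} {c.version}; upgrade to {adv.fixed_in}")
```

Run as a script, it reports that `payments-api` carries the vulnerable `json-parser` 1.2 (while `reporting-ui` on 1.3 is outside the exclusive upper bound) and that `batch-jobs` carries `http-client` 1.9. The point of the exercise is the shape of the data you need to keep: if the BOM only exists inside a scan report produced at release time, this query cannot be answered the day a new advisory is published.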

8. Proof of Concept

Are you able to observe how easily the solution can be set up in your environment? Is the vendor willing to let you test drive the solution? Will the vendor let you talk to other customers about their implementation process? Do they instead suggest that you see in-depth demos? A vendor who is eager to get the solution working inside of your environment is generally the one who has confidence in the process and the end result.

9. Continuous delivery

Risk is important, but it shouldn’t be the only driver. In addition to reducing risk, many organizations find that automation of their component consumption drives huge gains in speed and efficiency as well. In many cases this can be the main business driver, since better component intelligence means choosing better components and avoiding unplanned rework down the road. Further, some tools not only focus on components but also consolidate and organize all parts relating to the build. This streamlines the hand-off from development to operations to meet the need for continuous delivery and DevOps.

If you want to learn more about Sonatype, please contact us or take a two-minute online tour here.

Tags: Sonatype vs. Black Duck, OSS logistics, Software Supply Chain, Black Duck vs. Sonatype, open source components, open source governance policy, Advanced Binary Matching, Black Duck, Open Source, Application Security, Software supply chain management, Black Duck Software

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.