As part of a new series we're calling 'Real World Experiences', we'll be highlighting how Sonatype customers are benefiting from greater development efficiency, higher productivity, faster time to market and better quality software, all while being more secure.
We kick off the series covering Blackboard, the world’s leading education technology company. Blackboard challenges conventional thinking and advances new models of learning in order to reimagine education and make it more accessible, engaging and relevant to the modern day learner and the institutions that serve them.
Blackboard has written millions of lines of custom code—and about half of it touches one or more of 100+ open source components, including the likes of Spring, Struts, Hibernate and Tomcat. Ensuring those components are free of vulnerabilities is incredibly important to Blackboard, explained Matthew Saltzman, Senior Security Engineer on Blackboard’s Application Security Team. In the past, the team would spend two days assessing whether a specific version of an artifact, framework or library was approved for use in a Blackboard product. Like many other companies, the team tracked its inventory of open source components in a spreadsheet. The team would review notifications from the National Vulnerability Database to see whether its open source components were free of known security risks. In parallel, the legal team would analyze any license risks associated with those components. This manual process did not scale with Blackboard’s growing use of open source; it was tedious and tough to maintain. When new vulnerabilities surfaced in a live product, the security team would spend days identifying a fix.
Why Blackboard Selected Sonatype
Blackboard needed to transform its open source governance practices to work at the speed of its agile development teams. The company sought an automated solution to continuously monitor, govern and report on the open source components in use. After evaluating open source and commercial options, Blackboard chose Sonatype’s Component Lifecycle Management (CLM) because it was easy to integrate and easy to use. CLM tracks usage, enforces policy and prevents the use of flawed components all the way through the SDLC. CLM would also help the company track open source artifacts in production applications, refocusing the company’s security team on new vulnerability disclosures that might impact customers or operations.
At Blackboard, Sonatype’s CLM is integrated directly into the continuous integration platform Jenkins—a key priority for the company. Because the integration sits inside their development tools, developers now get real-time updates about component attributes (security, licenses and quality) so they can make the right choices. The solution not only identifies potential issues, it also recommends safer versions of troublesome components. CLM provides a complete software “Bill of Materials” covering all open source components in use, then continuously monitors that inventory for changes and for vulnerabilities associated with those components. This detail, presented in a CLM dashboard, keeps the development, application and legal teams informed of Blackboard’s overall open source inventory, including artifact and application vulnerability profiles.
The Value Blackboard Sees in Sonatype
Blackboard’s application security team has transitioned from spending its time researching open source vulnerabilities to relying on CLM to continuously automate the oversight and policy guardrails. The CLM integration helps both to enforce the set of open source licenses vetted by the legal team and to identify potential license risks. Not only do both teams save an incredible amount of time, but Blackboard now has a proactive way to use open source components safely, avoiding security, license and quality-related issues. “In less than a day, we were up-and-running with the CLM solution integrated into development,” Saltzman said. “And to top it off, our developers needed only a 30-minute course to learn the product. With CLM, we were able to recognize value right away.”
Interested in how other organizations are achieving value from Sonatype products? Read more 'Real World Experiences'.