The name of the presentation says it all: Procure Secure Components Faster with Superior Developer Experience. So announced Karthik Loganathan and Sheshagiri (Giri) Rao of Discover at the annual DevOps World | Jenkins World conference. Discover, a leading financial services brand, offers banking, lending, and credit card services. Their credit cards alone process an enormous $143B in sales volume with $728B in annual receivables. The company’s proprietary applications -- like software in other industries -- rely heavily on open source software components.
Loganathan and Rao, managers and DevOps advocates, selected Sonatype to enhance Discover’s use and integration of open source components. They invested in much of the Sonatype Platform including:
Nexus Firewall to block specified components before they enter Discover’s repository. Firewall works across multiple languages and package ecosystems (e.g., Python/PyPI, npm, NuGet, Java, RPM, Go). This gives Discover’s developers the freedom to select any approved component that’s right for the job.
Nexus Lifecycle to apply automated policy review of app components, report on any OSS component violations, and detect new CVEs -- all integrated into a developer’s IDE.
Loganathan and Rao also talk about the ability to apply security and license policies to all OSS, policies that run across both Nexus Lifecycle and Nexus Firewall. Specifically, they focus on evaluating non-permissive licenses, security violations, and the ability to issue real-time warnings.
They selected the Sonatype Platform because, in use, the products present actionable information with the precision needed to completely avoid, or quickly remediate, open source risks. “Very few tools give this depth of actionable information,” says Rao.
He added that the on-boarding process was relatively easy, making it possible to deploy across teams quickly, especially once they added gamification to the process.
The Discover teams got immediate benefit from Sonatype’s open source license management.
Sonatype Nexus monitors OSS licenses, ranging from the casual “buy me a beer” license to those with potentially costly practical and/or legal ramifications. For example, if Discover’s proprietary software included a component released under an AGPL license, the entire application would be at risk of a claim that the in-house software must be made freely available as open source, too.
Another benefit of open source license management is the ability to define license policies with legal and enterprise architecture teams. These rules, once put in place, save significant review time thanks to automated monitoring.
The best-known benefit is the policy violation reports. These help prioritize remediation and provide insight into other possible risk vectors. The Discover teams use the reports to monitor specific business verticals, such as credit card components. They connected the Nexus API to Grafana to build an interactive dashboard.
Rao outlined Discover’s adoption of Sonatype tools in four ongoing areas:
- Dependency Tree - mapping and tracking primary and transitive dependencies
- Automated Dependency Management - specifically, setting custom rules to flag components based on age because component age is proportional to risk (as revealed in the 2019 State of the Software Supply Chain report)
- Identify Vulnerable Methods versus Components - using the tools to group findings and effectively address call sequences in the software supply chain
- Architecture Policy Review - for example, how many of your apps are using a package that is being discontinued or is actively unsupported?
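As an added illustration of the kind of rules described above (this is example code, not Sonatype's own implementation or Discover's configuration), the following Python check evaluates a constructed dependency inventory against two hypothetical policies: a component-age limit and a non-permissive license list. The inventory entries, the 730-day threshold and the license set are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample inventory (not real Discover data): the version in use,
# the date that version was released, and its declared license.
INVENTORY = [
    {"name": "libalpha", "version": "1.2.0", "released": "2016-03-01", "license": "Apache-2.0"},
    {"name": "libbeta", "version": "4.7.1", "released": "2019-06-15", "license": "MIT"},
    {"name": "libgamma", "version": "0.9.0", "released": "2018-01-10", "license": "AGPL-3.0"},
]

# Hypothetical policy settings; these are illustrative, not vendor defaults.
MAX_AGE_DAYS = 730
NON_PERMISSIVE = {"AGPL-3.0", "GPL-3.0", "SSPL-1.0"}


def evaluate(inventory, today, max_age_days=MAX_AGE_DAYS, non_permissive=NON_PERMISSIVE):
    """Return one violation dict per (component, rule) that fails policy."""
    violations = []
    for comp in inventory:
        age = (today - date.fromisoformat(comp["released"])).days
        # Age rule: older release of a component means longer exposure to known CVEs.
        if age > max_age_days:
            violations.append({"component": comp["name"], "rule": "component-age",
                               "detail": f"{age} days old (limit {max_age_days})"})
        # License rule: strong copyleft licenses need legal review before use.
        if comp["license"] in non_permissive:
            violations.append({"component": comp["name"], "rule": "non-permissive-license",
                               "detail": comp["license"]})
    return violations


def run_report(today_iso):
    """Evaluate the sample inventory as of the given ISO date (YYYY-MM-DD)."""
    return evaluate(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for v in run_report("2019-09-01"):
        print(f"{v['component']}: {v['rule']} ({v['detail']})")
```

Run as of 2019-09-01 it flags libalpha for age and libgamma for its AGPL license; re-run two years later, libgamma also trips the age rule, which is the "component age is proportional to risk" effect the list item describes.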
Before & After
Loganathan and Rao report striking “before and after” environments. Before, it took an average of 3-7 weeks to research and vet each open source software component. There were no alerts prompting an upgrade to newer versions if a component was compromised, nor was risk measured.
After implementing Sonatype tools, incorporating open source software now takes just minutes. Developers are notified of new releases and upgrade recommendations, automatically. Security is monitored continuously and results are available on-demand. Faster component renewal means reduced risk due to component age, known vulnerabilities, or shifts in the threat landscape.
For these reasons and more, “it pays to Discover” Sonatype.
You can watch Loganathan and Rao's full presentation below: