Editor's note: This is the final installment of a four-part series, talking with Bryan Batty, Director of Product and Infrastructure Security at Bloomberg Industry Group. In Part Three, Bryan shared his thoughts on measuring success. In this section, Bryan discusses what brought him to Sonatype.
"If you are faced with an emergency where you have to upgrade, you don't want to try to upgrade 15 years worth of versions. You should be right at the current version when building new applications or updating existing applications." -- Bryan Batty
What led you to work with Sonatype?
I was looking at Software Composition Analysis and I knew that we had a lot of third-party, open source libraries that we were using in our applications. We had a tool that was at least able to count them -- whether or not the purpose of that tool was something else -- but it counted the number of open source libraries that we used.
In the few dozen applications that I was monitoring, there were something like 10,000 open source library versions that were being used. That was extremely scary to me. I mean that's probably more like 90/10 than 80/20. I realized we needed to get a handle on it.
So I manually looked at a couple of components and saw that there were some versions that were like 15 years old, and just... "Oh, great." If you are faced with an emergency where you have to upgrade, you don't want to try to upgrade 15 years worth of versions. You should be right at the current version when building new applications or updating existing applications.
Manually, we weren't going to do 15 years worth of updates. We didn't even have a manual process. People were getting together, when I started, to discuss how we can have an open source committee to manually look at every piece of open source software. And when I came in I said, "Man, you guys are crazy. You are going to be working 20-hour days..."
... for the next thousand days!
... and you're not going to get it done. So I pointed out to them, "Hey, this is the number of open source libraries that we currently use and people are choosing new ones every day. It's not a manual process. You cannot do it."
I decided to look around at the bigger players. Sonatype was one of them, and then Black Duck.
Importance of Open Source Governance
It surprises me that, even to this day, people don't know how much open source is being consumed.
In the annual survey that we do, the DevSecOps Community Survey, we ask people, "Do you have an open source governance policy, and do you follow it?" Consistently, for years, roughly 57% of organizations have an open source governance policy.
Have one. Whether it's on paper or automated or whatever. 57%. And mainly developers say that they have one. Are people just not aware that they're using open source? You're talking about this group that gets together and says, "We should think about looking at this open source that we're using."
Well, that group was what got me approval to use the Sonatype Platform. I was able to explain it to them, talk to the right people who were able to get license approval. We only had a one year engagement that we renewed.
Their heads crashed to the desk once I pointed out we were using 10,000 open source components. Then three or four months later it was 12,000. So 2,000 more in just a few months! That showed them that we needed Nexus Lifecycle to help us out with this. Thankfully, we have engineers who are hard at work doing this.
We had someone tell us that it was taking 25 days to look at 800 components manually, the way you're talking about doing it. When they first stood up Nexus Lifecycle, they started a scan on a Friday afternoon, got a cup of coffee for the road, and put on their coat to leave because they thought it was going to run all weekend. She came back five minutes later and the scan was done! She said it instantly eliminated 600 components that they didn't have to review. It actually cut it down to only 200 for review, a 75% reduction. That was cool to hear.
Yes, that proof of concept really helped as well. Being able to stand up the server and boom, it was done. I invited a dozen key developers to take a look, and at first only four or five showed up. But because I strategically chose to demonstrate it in an open area, developers were walking by. They're like, "Oh, what's this?"
It was really interesting to them. I tried to get buy in, but it's a cultural change. People ask if DevOps is hard. No, DevOps is not hard. Changing culture is hard. The DevOps part is easy. One of the things that you have to do is be patient, and get buy-in from various levels.
If you get developers excited about it, but senior leadership says, "No, I don't see the value in it," then it's not going to happen. If senior leadership says, "I see the value in that, I'm going to shove it down to developers, whether they like it or not," I think everybody knows how that usually goes. Luckily, I was able to get key developers interested, as well as senior leadership.
A big thanks to Bryan Batty for sharing his perspective on a variety of DevSecOps topics, and why he uses the Sonatype Platform. Read more from Bryan in Part One, Part Two, and Part Three. Let us show you how the Sonatype Platform can benefit your company, too. Contact us.