A Decade of Real-World Learning. We’ve been studying the open source governance problem for years and we’ve examined numerous ways to help organizations automatically connect the dots between open source libraries and vulnerabilities, whether publicly reported or not. We’ve learned a ton of valuable lessons during our journey, including those summarized below:
Analyst Coverage is Catching Up. Companies today are under intense pressure to accelerate the pace of software innovation. That’s why they are hiring armies of software developers, consuming unprecedented amounts of open source, and adopting a range of SCA-like tools to help manage use of third-party libraries. As a result, all of the major analysts — including Gartner, 451, and Forrester — have acknowledged the emergence and rising importance of SCA.
As with any young market, the traditional analyst model struggles to understand and define the playing field. For example, analysts organized into separate Dev and Ops silos struggled to offer a unified perspective on DevOps. SCA coverage is no exception. Simply stated, it is still early days, and customers, vendors, and analysts alike are wrestling with a critical question: is SCA primarily a "security-centric" endeavor, a "developer-centric" endeavor, or a "legal-centric" endeavor?
At Sonatype, we believe it's all of the above — an “enterprise-wide” and collaborative undertaking to improve how organizations leverage open source software across every phase of their business. Driven by this belief, we invented the Nexus platform to unite software developers, security professionals, legal professionals, and IT operations on the same team and to empower cross-functional teams to automatically identify and remediate open source risk without slowing down innovation.
But not everyone sees the landscape the same way we do. In fact, as evidenced by the results of the 2019 Forrester Wave, some observers believe that SCA is first and foremost a "security-centric" endeavor. These people are not wrong. They simply see the world through a different lens.
Today, Tomorrow, and Beyond. Today, thousands of organizations depend on the Nexus platform to automate their use of open source software and third-party libraries — not just “here” or “there” in the development lifecycle — but “everywhere” across the entire software supply chain.
Over the past decade we’ve learned that the most effective open source governance programs reach far beyond a single use case and a single persona. Successful efforts are truly collaborative: typically led by forward-thinking security professionals, supported by legal and risk management colleagues, and embraced by developers who are grateful to receive precise and actionable intelligence that actually helps them do their job better (and faster). In this sense, the most productive teams not only improve compliance with open source security and licensing policies — they also accelerate innovation velocity.
So, if your objective is to precisely identify true security, legal, and architectural problems for the entire enterprise, our Nexus solution provides the best path forward. Our platform not only automates the identification of true problems for various stakeholders, but it shows developers exactly how to remediate problems without slowing down their innovation.