
Sonatype: What’s Required to Make DevSecOps Really Work?

Erik Dietrich
CEO at Hit Subscribe

DevOps World Silicon Valley was a fascinating event. DevOps has existed, as a concept, for almost 15 years, so DevOps conferences these days tend to have an angle and theme beyond simply “DevOps.” To my delight, the overarching theme of this particular event was developer experience.

Developer experience is, according to Microsoft, “how easy or difficult it is for a developer to perform essential tasks needed to implement a change.” Cloudbees CEO Anuj Kapur kicked off the event by pointing out that developers in the enterprise only spend about 30% of their time actually building software and then issued a call to action to the industry that we must improve that figure dramatically.

The rest of the event’s talks focused on various contributing factors to that inefficiency: resource bottlenecking, onerous manual compliance schemes, “shifting” too many processes to “the left,” and, naturally, the relationship between application development and security. Security and compliance are two tasks that have definitely shifted left over the past several years. The result? Anyone in the application security or application development space will tell you that this shift has generated much friction on both sides.

It was thus refreshing to hear several talks about how these two critical domains could work together in harmony. After all, everyone wants the same thing: secure, high-quality, feature-rich software shipped quickly. Many of the day's speakers offered insightful, actionable tips for making that happen.

But the theme of developer experience and the need for secure software actually extended beyond the day’s sessions. During breaks, I wandered around, listening to conversations and checking out the exhibitor booths in the expo hall. As a long-time technologist who doesn’t get a chance to do much hands-on work these days, I was interested in keeping up with current trends.

It was in this frame of mind that I found myself chatting with the folks at Sonatype, including Ken Youn. I was broadly curious about the subject of software engineers and their take on application security and specifically curious as to what Sonatype’s message was for them.

From back in the days when I was actually involved in application development, I had a sense of Nexus Repository as an expedient way to obtain libraries for the software I was writing. Forget the bad old days of painfully integrating components into your application – use the repository manager, and you’re just a single command away from using a logging library or other component.

Pulling components into your app has security implications, but I wasn’t aware of that at the time or particularly concerned about it. Fast forward to today, and I see how intertwined software development and security have become. I learned that Forrester recently named Sonatype a leader in software composition analysis (SCA). And that instantly made sense to me. If you’re a security-minded organization and you’re storing software components, managing their relationships, and assessing their dependencies, Sonatype’s SCA puts you in the perfect position to do all of this while also giving you the best data quality when it comes to potential threats in the software supply chain.

And the industry recognizes this positioning. Apparently, 70% of Fortune 100 organizations use Sonatype’s solutions, particularly those most concerned about risk avoidance and/or in heavily regulated industries. Any organization managing risk and using open source at this kind of scale would absolutely need rock-solid software composition analysis.

But perhaps the most interesting thing to come out of our conversation for me was the tie-in to the theme of developer experience. Ken explained to me, “the real meat of our value proposition is the partnership between security and development.” This struck me as incredibly resonant with the talks happening on stage. The key to developer experience improvements, vis-à-vis security, is tooling that makes software more secure while making software engineers’ lives easier.

For any engineers who came by and spoke with Sonatype, Ken’s hope was that they would return to their companies, describe Sonatype’s capabilities to the security folks, and be greeted with an enthusiastic response. Sonatype’s tooling is the key to moving away from the frictional relationship between development and security. You know that it’s happening when both parties get excited about their shared tools.

© 2024 DevOps World or its affiliates. All rights reserved.