Open Source Governance for DevOps: Sonatype

In the past two decades, software applications and the processes used to develop them have undergone a radical shift. Release cycles are now measured not in months, but days. And ensuring that an application works properly is more critical than ever. The proliferation of apps on the market means competition is fierce, and applications that don’t work properly will quickly be abandoned for a competitor’s product.

The majority of development teams use open source code. Many don’t understand how to achieve governance of it.

Open source code is likely one of the greatest contributions to DevOps in the history of software innovation. Millions of lines of open source code are now freely available, and it has become common for developers to expedite development — and accelerate the delivery pipeline — by incorporating or adapting open source code for use in custom software projects. In some firms, open source is an approved development resource. In others, it is being used under the radar, putting firms at risk.

To help ensure developers can use open source code safely, with the governance that organizations need, Orasi has partnered with Sonatype.

Benefits of Sonatype

  • Leverage the highest quality open source components to build and maintain open source software libraries and artifacts.
  • Automatically manage open source risk across the SDLC, minimizing vulnerabilities (and the resulting remediation activities) and increasing productivity by up to 38 percent.
  • Eliminate false positives while rapidly fixing discovered bugs with step-by-step instructions.
  • Automatically enforce open source policies and improve application security by 63 percent.
  • Incorporate automated governance into every phase of the CI/CD pipeline.

As a firm whose primary mission is to help enterprises identify and use tools that expedite DevOps delivery while minimizing effort and risk, we — and our sister firm, Saltworks Security — offer value-add consulting services. We also offer personnel training, helping both development and security teams understand how to not only use Sonatype most effectively in their own environments but also foster a culture of security within the organization.


DevSecOps in a Dangerous World