In recent years, we at Sonatype have dedicated an extensive amount of time to studying enterprise development teams, open source projects, and how everything in the OSS ecosystem works together. In fact, in a two-year-long study with Gene Kim and Stephen Magill we examined software release patterns and cybersecurity hygiene practices across 30,000 different projects and teams.
Through this, we've found three truths for software engineering teams and the 20 million software developers that work for them:
They seek faster innovation.
They seek improved security.
They utilize a massive volume of open source libraries.
These truths can sometimes feel at odds with each other. Developers do not "own" the security of their own products. Instead, they are subject to security oversight and are relegated to reactive tools that tell them about vulnerabilities and code issues after development. While most developers have become more aware of security, it is difficult to implement appropriate measures when the current tools for managing open source dependencies are often built with security oversight in mind more than day-to-day development.
I believe we're in the middle of an inflection point. The role of the software developer is changing again. Whether they're ready or not, developers now need to take responsibility for security and code quality, as the definition of dependency management evolves. With developers now needing to manage all of these elements simultaneously, their roles have become increasingly complex. It is therefore critical that they can have tools to automate key processes, helping to boost productivity, while simultaneously improving software security and quality.
This is why I'm proud to introduce Sonatype's newest enhancements for Sonatype Lifecycle: the Advanced Development Pack.
High-performing teams need solutions that make their development practices better. 67% of developers are regularly impacted when dependency upgrades break the functionality of their application, requiring them to spend time on rework. Tools that integrate dependency management into existing DevOps pipelines and go beyond just vulnerability identification and warnings are what developers require.
Organizations that invest in securing the best parts, from the fewest and best suppliers, and keeping those components updated, are widening the gap against their competitors. The best-performing organizations are applying automation to help them manage their open source component choices and updates. For instance, we know that top-performing projects release 1.5 times more frequently than others and manage 2.9 times fewer dependencies. We also know that open source projects that update dependencies more frequently typically maintain more secure code.
We wanted to put the control back in the development teams' hands. We wanted to help them engage in proactive dependency management practices without losing the momentum of agile development. The Advanced Development Pack does all of this.
It's ultimately about making developers' lives easier in everything they do, so they can focus on what they love - innovating at lightning speed. Developers don't want to be bogged down by never-ending security tickets. They want a no-fuss way of choosing the best components based on project quality and ease of upgrade. Knowing which components to avoid from the start of a project, either because they don't fit policy or because they are associated with abnormal committer behavior, saves developers an incredible amount of time. And developers want to be able to fix issues as fast and as seamlessly as they can. With the Pack, we're providing them all of this. They'll be able to better understand:
The cost (read: effort) of migrating to a newer or safer version and whether it is possible to do so without breaking their code
The performance of OSS projects they are choosing when it comes to release frequency, cadence of dependency updates, development team size, and popularity — helping guide choices to a higher quality pool of components
The frequency with which dependencies have become vulnerable and been remediated - helping them better grasp the cost and the threat of relying on such packages
When suspicious behavior has been observed in project code commits — providing an early warning of malicious code injection by adversaries
More specifically, it removes the guesswork, and tells developers exactly which dependencies provide the least costly upgrade path in terms of effort. Specific capabilities include:
Breaking changes — In an industry first, enabling developers to instantly see which component version upgrades will require the least effort with the fewest breaking changes.
Release integrity — A first-of-its-kind early warning system using AI and ML to automatically identify and block next-gen software supply chain attacks relying on typosquatting and malicious code injection. In the past 90 days, the malicious code detection bots supporting this feature have discovered 43 new malicious packages including electorn and loadyaml.
Project Hygiene Rating — dubbed the Consumer Reports of OSS Projects - this first-of-its-kind health & hygiene rating system enables developers to select projects with the very best track records of release frequency, popularity, vulnerability remediation times, developer staffing, and other performance attributes. The exemplar, neutral, and laggard ratings assigned to each component were determined by a deep analysis of 30,000 OSS projects over a five year period.
Transitive Solver — Tackling a project's overall risk and not just individual dependencies, Sonatype's transitive solver provides comprehensive remediation advice for solving both direct and transitive dependencies — all without violating policies or failing builds.
Component Chooser — Think of this as Google for open source — it is an engine that helps developers search and compare OSS components in order to select the highest quality options. Component quality takes into account the project's hygiene rating, security and license compliance, and awareness of where else the component is being used within the developer's organization. This feature — currently in beta — will be generally available in 2021.
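Sonatype does not describe the model behind Release integrity, so the following is an added illustration and not Sonatype's code: the simplest form of the typosquatting check such a system has to make, an edit-distance screen of a manifest's dependency names against a list of popular package names. The popular-package list and the sample manifest are constructed for the example, and the distance thresholds are an assumption chosen to keep short names (where one edit changes a lot) from producing false positives.

```python
"""Edit-distance screen for typosquatted dependency names (added example, not Sonatype's code).

The allow-list below is a hand-picked, constructed handful of popular npm names,
not a registry snapshot; a real screen would draw it from download statistics.
"""

# Constructed list of well-known package names to compare against.
POPULAR_PACKAGES = ["electron", "express", "lodash", "react", "js-yaml", "request"]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def max_edits_for(name: str) -> int:
    """Assumed threshold: short names get one edit of slack, longer names two."""
    return 1 if len(name) <= 5 else 2


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES):
    """Return [(popular_name, distance), ...] for popular names that `name` is a near miss of.

    An exact match means `name` is the genuine package, so nothing is reported.
    """
    name = name.lower()
    hits = []
    for candidate in popular:
        if candidate == name:
            return []
        distance = levenshtein(name, candidate)
        if distance <= max_edits_for(name):
            hits.append((candidate, distance))
    return sorted(hits, key=lambda hit: hit[1])


def screen_manifest(dependencies, popular=POPULAR_PACKAGES):
    """Map each suspicious dependency name to the popular names it resembles."""
    findings = {}
    for dep in dependencies:
        candidates = typosquat_candidates(dep, popular)
        if candidates:
            findings[dep] = candidates
    return findings


if __name__ == "__main__":
    # Constructed manifest: one genuine name, one transposition (electorn, as named in the post), one swap.
    sample_manifest = ["electron", "electorn", "lodahs", "react"]
    for dep, lookalikes in screen_manifest(sample_manifest).items():
        print(f"{dep}: looks like {lookalikes}")
```

The screen flags `electorn` because it is two substitutions away from `electron`, while `electron` and `react` pass untouched. It is a coarse heuristic: legitimately distinct names that happen to be one edit apart will also be flagged, which is why a production check pairs it with registry metadata (publish date, maintainer history, download counts) rather than treating a name match as proof of malice.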
I've said this before, but it remains even more true today: New versions of components are released at an overwhelming pace, approximately 20,000 per day, making it impossible for most teams to manually manage dependencies. The Advanced Development Pack will automate this otherwise painful process and help developers update to the best and newest versions of component releases.