Ask any software developer, and they will tell you the truth about two things:
- Conventional code analysis and application security tools are overly noisy and generally not well integrated into the developer workflow.
- Tools that don't actually make life easier for developers are perceived as friction and commonly ignored.
Rather than slowing developers down with process-heavy security gates or circuitous code quality alerts, we believe developers are better served by providing them with gentle, timely, and effective nudges that actually help them improve the quality and security of the applications they are building.
This is why, today, we're announcing the acquisition of MuseDev.
Who is MuseDev?
MuseDev is a startup that was incubated by Galois, Inc. and spun out in fall of 2019 by founders Dr. Stephen Magill, Andrew Yorra, and Tom DuBuisson. The Muse product is a cloud-native and innovative source code analysis platform that is uniquely friendly to developers. With a few simple clicks, Muse installs into any source control repo, and automatically begins to analyze pull requests, and provides developers with accurate and actionable feedback so they can easily fix more bugs during peer code review.
Any developer can get started with Muse in seconds. Muse aggregates and orchestrates 24 pre-configured code analyzers that range from "light weight linters" to "deep static analysis tools." It also covers a wide variety of coding languages and bug types, including security, reliability, performance, and style. Today, Muse integrates with GitHub, GitLab, and Bitbucket, and supports Java, JavaScript, Python, .NET, Go, and Ruby code.
Integrating with the pull request workflow is critical when it comes to developer adoption. Through its experience in working with large scale enterprise development teams, MuseDev found that when bugs are accurately identified and surfaced inside the pull request workflow, developers are 70 times more likely to fix them. But Muse does not stop there. Muse is constantly getting smarter -- providing developers feedback expressly on bugs that they are most likely to fix.
Adding Muse to our portfolio will offer tremendous value to our customers who are looking to improve the quality of code they write. I'm also very pleased to announce that all MuseDev employees will join Sonatype to help us continue to build and deliver upon its robust roadmap. You can expect the first Muse technology integrations being released from Sonatype in the Spring of 2021.
But wait, I’ve got even more developer-friendly goodness to share.
Breaking new ground with full-spectrum software supply chain management
At the same time we're expanding our portfolio with the acquisition of MuseDev, I've also been spending a lot of time with our customers to better understand their evolving needs and challenges around software supply chain management. As security concerns around supply chains were ushered to center stage, our customers turned to us as trusted advisors asking for broader, deeper, and more intelligent solutions. We're answering that call, louder and more convincing than ever.
Today, we're excited to unveil the next-generation Sonatype Platform offering customers full-spectrum control of the cloud-native software development lifecycle including: third-party open source code, first-party source code, infrastructure as code (IaC), and containerized code.
Building upon the foundation of our ever-popular artifact repository — Sonatype Nexus Repository — and its best-in-class software composition analysis duo — Sonatype Lifecycle and Sonatype Repository Firewall, Sonatype has bolstered its portfolio to include:
- Sonatype Container: A developer-friendly container security solution providing continuous visibility into the composition, and management of, containers from development, to delivery, to run time. Sonatype Container, powered by NeuVector, also protects organizations from new open source zero-day vulnerabilities (e.g. Apache Struts, OpenSSL) using an innovative Layer7 firewall to virtually patch containers in the wild, which buys the development team valuable time as they work to patch the application in code.
- Infrastructure as Code Pack: The Infrastructure as Code Pack delivers out-of-the-box guidance to assist developers configuring cloud infrastructure and foster compliance with privacy and security standards (e.g., CIS Foundations Benchmarks, GDPR, HIPAA, ISO 27001, NIST 800-53, PCI, SOC 2). Integrated with Sonatype Lifecycle, the pack will make it possible for developers to find and easily fix misconfigurations in Terraform plans before they are applied to production infrastructure. To ensure continuous IaC compliance in production environments leveraging the same policy sets, Sonatype announced a strategic partnership with Fugue.
- Advanced Development Pack: This new Pack delivers a real-time rating system to help developers select the best open source component suppliers and reduce variability in version choices. Backed by Sonatype Intelligence, it also boosts visibility to early-stage software supply chain attacks and alerts development teams to the new adversarial threats.
- Advanced Legal Pack: The forthcoming Advanced Legal Pack will improve visibility into open source license obligation for software development and legal teams. The pack is expected to significantly reduce the time spent reviewing each new application release, ensuring development velocity is not hampered as the use of open source components continues to grow exponentially.
Furthermore, in keeping with our long standing commitment to the open source developer community, we've created advanced migration support for open source projects scrambling to find homes on the heels of Bintray and JCenter sunsetting. Open source projects can easily migrate their packages to a free Sonatype Nexus Repository instance and/or Maven Central host.
As an added bonus to community members, we recently upgraded our free security analysis report — making it available to any open source project hosting code on Maven Central as part of its OSSRH service. This migration support aims to ensure developers experience no downtime or build delays for their software supply chains that rely on public code repositories.
Delivering more innovation to our customers
Beginning today, Sonatype customers can expand beyond our best in class open source governance and repository solutions, and will be able to leverage the unique benefits of Muse to help their developers easily find and fix more bugs during peer code review.
The acquisition of Muse and the delivery of our full-spectrum software supply chain management portfolio comes amid continued record growth for Sonatype. We now count 70% of the Fortune 100 as customers and support more than 2,000 commercial engineering teams. Today, the combination of Sonatype's commercial and open source tools are trusted by nearly 15 million developers around the world.
Welcome Muse, to Sonatype! We're excited to have you!
Looking for more developer goodness?
- Join our "Meet Muse" webinar on March 31st
- Try Muse on GitHub today
- We're hiring, if you would like to come and join us
Written by Brian Fox
Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.
Explore All Posts by Brian Fox