SD Times
September 2021
www.sdtimes.com
INDUSTRY SPOTLIGHT
Empower developers for broader role

As companies steadily move toward increased agility, the software supply chain can no longer afford to follow the old assembly-line model: Specialists who once focused their efforts solely on developing code have seen their roles expand to that of generalist. With governance, security and quality assurance professionals less commonplace in the industry, developers now integrate their code in an environment where compliance, security and problem-solving not only rest on their shoulders but need to be expedited across the software development life cycle.

"It is almost the inverse of the industrial revolution in some way," says Brian Fox, chief technology officer of Sonatype, which specializes in software supply chain management. "What that means is that increasingly the developers…are the ones defining the architecture." Ultimately that means the developer needs the capability to determine upfront whether a framework is compatible with the license policy, with security and with other requirements.

"Everything gets more real time and the people doing the work have to be empowered to make those decisions," said Fox. "They need to be empowered with the information to make the right decisions."

That's especially critical, he said, because these tasks are essential when software relies heavily on open-source components. The constant evolution of these pre-built third-party components can lead to vulnerabilities, generating risks to application security. Without the proper smart tools to identify code quality, to flag vulnerabilities and to fix them in a way that is policy-compliant — functions that can be accomplished automatically — developers may be unable to track or fix any of these issues and still meet deadlines, if at all.

By being integrated into the feedback loop, the tools create the safety net right from the start. Machine learning can bring results such as a download being intercepted and found noncompliant with policy, or a download discovered to be potentially malicious. The same is true for new releases of the components: They may have elements that appear suspicious or originate from a part of the world where such releases are of a questionable nature, Fox said. The feedback message that "this transaction is not characteristic for you" blocks the download and prevents its use.

The advent of these capabilities highlights even more how inefficient the older model of software development was because, for one thing, the processes customarily used to scan code would focus solely on the custom code, the smaller portion of the code base. The scans would not take into account anything open source, which could account for as much as 80 percent of the code base, said Fox.

To make matters worse, he said, legal, security and other professionals within the organization were usually unaware that this issue even existed — even if the developers themselves did.

"In 2011 or so when we were really starting to solve this problem, we had financial organizations downloading 60,000 components a year and we talked to them and said 'we see you are using a lot of open source.' They said they weren't using open source. They were unaware they were using open source, not recognizing that in the banking training algorithm platform they turned out, 80 percent of that code was open source."

In the years that followed, progressive organizations have come to recognize that the legacy model did not work and that the best solution was to turn directly to the developer, said Fox.

"Forward-leaning organizations are starting to look at this as proper dependency management, not just picking good frameworks but considering the legal and quality issues, all the way down the dependency stack," he said.

The idea of bringing everything into the developer's domain in a cohesive, integrated way is finally starting to take hold, he said. This also accepts the reality that open-source libraries can — and should — continue to be a source of efficiency without becoming a source of compromise or threat. It also provides better insurance against common-mode failure. Making these better choices upfront means doing less work later, he said.

Fox acknowledges that such a change in the model relies heavily on buy-in from the developers, who will, of course, be taking on those additional responsibilities.

"Developers will be naturally suspicious of anything coming from outside. They have a long history of being burned by bad tools," he said. He believes, however, that developers want to solve the overall problems and that they care about what they're doing. It is a big plus for developers not to have to wait six weeks for the go-ahead from someone in another building, or perhaps another country, before they can proceed, he said. And ultimately, he said: "They're going to have less stuff to chase down later."

Content provided by SD Times and
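The two points Fox makes about scope, that code scans which look only at custom code miss the open-source majority of the code base, and that policy has to be applied "all the way down the dependency stack", can be made concrete with a small policy gate. The example below is added here and is not code from SD Times, Sonatype or any Sonatype product. It resolves an application's full dependency tree from a constructed catalogue (standing in for a lockfile or registry), checks every component, direct or transitive, against a license allowlist and a constructed advisory feed, and returns the allow/deny decision a download gate would hand back to the developer together with the path that pulled each offending component in. All component names, versions, licenses and advisory identifiers are invented for the example; none refer to real packages or real vulnerabilities.

```python
"""Dependency-stack policy gate.

Added example, not code from SD Times or Sonatype. Everything in the
catalogue and advisory feed below is constructed for illustration; no
name, version, license assignment or advisory refers to a real package
or a real vulnerability.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    deps: tuple = ()          # (name, version) pairs this component requires


@dataclass(frozen=True)
class Finding:
    name: str
    version: str
    rule: str                 # "license", "advisory" or "unresolved"
    detail: str
    via: tuple                # dependency path from the root, so the developer sees why it was pulled in


def key(name, version):
    return f"{name}@{version}"


# Constructed catalogue standing in for a lockfile or package registry.
CATALOG = {key(c.name, c.version): c for c in [
    Component("shop-app", "1.0.0", "Proprietary",
              (("acme-web", "2.3.1"), ("acme-http", "4.5.0"))),
    Component("acme-web", "2.3.1", "Apache-2.0",
              (("acme-log", "1.2.0"), ("acme-json", "2.9.8"))),
    Component("acme-http", "4.5.0", "Apache-2.0",
              (("acme-codec", "1.10"),)),
    Component("acme-log", "1.2.0", "Apache-2.0"),
    Component("acme-json", "2.9.8", "MIT"),
    Component("acme-codec", "1.10", "AGPL-3.0"),   # copyleft license, two levels below the app
]}

# Constructed advisory feed: (name, version) -> description.
ADVISORIES = {
    ("acme-json", "2.9.8"): "ADV-0001 (constructed): unsafe deserialization of untrusted input",
}

# Hypothetical organisational policy: licenses a third-party component may carry.
POLICY = {"allowed_licenses": {"Apache-2.0", "MIT", "BSD-3-Clause"}}


def resolve(root_key, catalog, transitive=True):
    """Return {component_key: path_from_root} for every reachable component.

    With transitive=False only the root's direct dependencies are visited,
    which mirrors a scan that stops at the application's own manifest.
    """
    paths = {root_key: (root_key,)}
    frontier = [root_key]
    while frontier:
        cur = frontier.pop()
        comp = catalog.get(cur)
        if comp is None:          # unresolvable component: keep it in paths, flagged by evaluate()
            continue
        for dep_name, dep_version in comp.deps:
            k = key(dep_name, dep_version)
            if k in paths:        # diamond dependency already recorded
                continue
            paths[k] = paths[cur] + (k,)
            if transitive:
                frontier.append(k)
    return paths


def evaluate(root_key, catalog, policy, advisories, transitive=True):
    """Apply the license and advisory rules to every resolved component except the root."""
    findings = []
    for k, path in resolve(root_key, catalog, transitive).items():
        if k == root_key:
            continue              # first-party code is not subject to the third-party license rule
        comp = catalog.get(k)
        if comp is None:
            name, version = k.split("@", 1)
            findings.append(Finding(name, version, "unresolved", "not in catalogue", path))
            continue
        if comp.license not in policy["allowed_licenses"]:
            findings.append(Finding(comp.name, comp.version, "license",
                                    f"{comp.license} is not in the allowlist", path))
        advisory = advisories.get((comp.name, comp.version))
        if advisory:
            findings.append(Finding(comp.name, comp.version, "advisory", advisory, path))
    return findings


def gate(root_key, catalog=CATALOG, policy=POLICY, advisories=ADVISORIES, transitive=True):
    """Decision a download or build gate would return: (allowed, findings)."""
    findings = evaluate(root_key, catalog, policy, advisories, transitive)
    return (len(findings) == 0, findings)


def third_party_share(root_key, catalog=CATALOG):
    """Fraction of resolved components that are not the first-party root."""
    n = len(resolve(root_key, catalog))
    return (n - 1) / n


if __name__ == "__main__":
    root = key("shop-app", "1.0.0")
    print(f"third-party share of components: {third_party_share(root):.0%}")
    for transitive in (False, True):
        allowed, findings = gate(root, transitive=transitive)
        scope = "full dependency stack" if transitive else "direct dependencies only"
        print(f"{scope}: allowed={allowed}, {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.rule:9} {f.name}@{f.version}: {f.detail}  via {' -> '.join(f.via)}")
```

Run stand-alone, the direct-only scan passes the application while the full-stack scan denies it on two transitive components, one for its license and one for an advisory; the `via` path is what makes the denial actionable for the developer, since neither offending component appears in the application's own manifest. A real gate would read the catalogue from a lockfile or registry API and the advisory feed from a vulnerability database rather than from inline literals.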