Sonatype Introduces Open-Source Governance Solution

Sonatype delivers Sonatype Insight, a new solution for governing the use of open-source software in enterprise systems development.

Sonatype has delivered Sonatype Insight, a new suite of software products and services to help ensure the integrity of open-source components in the software supply chain of enterprise systems.

Sonatype Insight provides visibility and control of open-source component use by development teams to enable user organizations to benefit from the economic and development efficiencies of open source without quality, security or licensing risks, the company said.

Sonatype Insight is nonintrusive and tightly interwoven with existing development processes, the company said. Sonatype said user organizations can gain actionable intelligence about open-source usage at any stage of the application-development process. After applications are released to production, Sonatype Insight continuously monitors their bill-of-materials and alerts users if new quality or security defects are uncovered.

"We have brought to market a truly unique product suite to meet an increasingly important function of application development and enterprise IT-software composition analysis-one that has direct consequences to the security, quality, business risk and compliance of an organization," Wayne Jackson, CEO of Sonatype, said in a statement. "As the pervasiveness of open source continues, the market opportunity for Insight is tremendous and should appeal to all Java software developers (6 million and counting) and any company in the world that has used open-source components at any point during the development of mission-critical applications."

Sonatype officials said Sonatype Insight leverages the Central Repository-the repository for open-source software (OSS) components used by more than 40,000 organizations and containing more than 300,000 Java components from open-source projects. Indeed, according to Sonatype, in addition to containing more than 300,000 Java components, the Central Repository is on pace to support 90 percent of all Java open-source projects by the end of 2011.

Moreover, as the principal caretaker of the Central Repository, Sonatype can provide more than manual checks and first-generation scans to discover the composition of applications. Sonatype Insight goes deeper to find flawed components, even when they're hidden deep in an application's dependency tree. As a pioneer in open-source development tools, Sonatype designed Insight to integrate with the development process to ensure only components that meet an organization's quality, security and licensing standards are used-from the design stage through to production, the company said.

Sonatype Insight is comprised of three integrated products:

Management Insight: Provides visibility, proactive monitoring and actionable intelligence about organizational OSS usage including security, license and quality metadata for components.

Development Insight: Enables proactive management of OSS component usage throughout the software development process. Plug-ins for existing development tools deliver quality, security and licensing information where it's needed without disrupting the development process.

Application Insight: Analyzes and continuously monitors the composition of software applications, ensuring that they do not have hidden security, license or quality risks caused by incorporating problematic OSS components. The product notifies users immediately of newly discovered flaws in components-even after applications are in production.

"The launch of Insight is a defining moment for Sonatype in its corporate history and marks a turning point in our strategic direction," said Jason van Zyl, founder and CTO of Sonatype, in a statement. "Building on our deep roots in open-source development, we have built a product that integrates with the development process to provide helpful, proactive information rather than being a burden or afterthought to developers. Sonatype Insight delivers actionable information to the right people, in the right context, at the right time-without disrupting their development processes."

"Without a governance program and an accompanying management policy, the IT organization cannot hope to manage, audit or track open-source assets that come into or leave the enterprise, and it cannot measure the appropriate use of open-source assets within the broader IT portfolio," said Mark Driver, an analyst with the Gartner market research firm.

Moreover, according to Gartner, by 2016, OSS will be included in mission-critical software portfolios within 99 percent of Global 2,000 enterprises, up from 75 percent in 2010. Meanwhile, a January 2011 survey of 1,600 software developers, team leads and architects conducted by Sonatype found that 87 percent of component use is ungoverned.