For every company in every industry, building and shipping innovative software is no longer optional. In today's economy, software that finds new and better ways to meet customer needs defines a company's product and service offerings, and that demand keeps development cycles running continuously.

Putting a finer point on the stakes, Sonatype’s Chief Marketing Officer Matt Howard told us, “if you’re not innovating fast enough, you’ll get run over by someone who is.”

One way developers have answered this need is by embracing open source software, which supplies premade, community-developed components for use in new programs. That frees developers to focus on the novel features they want to build instead of spending time and money recreating components someone has already written.

Beyond saving their companies time and money, open source also lets developers turn solutions around faster and keep their company on the increasingly important leading edge of software innovation.

Amid this shift in the software industry, Sonatype saw an opportunity. With millions of software components arriving from a vast number of sources, a great deal of work goes into keeping them organized and well managed and, most importantly, making sure they do not introduce security vulnerabilities into the finished product.

Sonatype has answered this need in the market so well with its platform of products that it earned ACG National Capital’s 2019 Emerging Growth Company of the Year award and is poised for even further growth as this market expands and investors continue to see its value.

To get the details on how Sonatype positions itself for growth and why its solution is so vital to the changing face of the software industry, we sat down with Mr. Howard. Here is what he had to say:

Corporate Growth, Capital Style (CGCS): First, tell us a little bit about Sonatype. What services does it offer and how did the company get its start eleven years ago?

Matt Howard: A decade ago, the concept of “open source” software and community development was gaining steam.  Soon after, and despite potential risks, commercial organizations began embracing open source to accelerate the pace of application development.  That’s where Sonatype’s founders saw an opportunity – and why they set out to invent a collection of tools that would help organizations automatically harness all the good in open source software, without any of the risk.

Over time, we witnessed the staggering volume and variety of open source libraries that began flowing into every software development environment in the world – consumption of open source parts is now in the hundreds of billions annually.  We understood that when open source components are properly managed, they provide a tremendous energy for accelerating innovation.  

Conversely, when unmanaged, open source “gone wild” can lead directly to security vulnerabilities, licensing risks, enormous rework, and waste.  In 2017, Equifax became the poster child of the risks associated with unmanaged open source supply chains.

CGCS: Since those risks are now such a concern for businesses, how can Sonatype help to manage those vulnerabilities?

Matt Howard: We are laser focused on helping companies continuously harness all of the good that open source has to offer, without any of the risk.  In order to do this, we have invested in knowing more about the quality of open source than anyone else in the world. This investment takes the form of machine learning, artificial intelligence, and human expertise, which in aggregate produces highly curated intelligence that is infused into our suite of products.  

Time and again, we have seen organizations equipped with Sonatype products make better decisions, innovate faster at scale, and rest comfortably knowing that their applications always consist of the highest quality open source components. Today, over 1,000 large enterprises use our software to manage the quality and security of the open source flowing through their software supply chains.

CGCS: What is behind this rising demand for open source governance? Why is it essential to businesses success today?

Matt Howard: To understand exactly why open source governance is so important, it's vital to understand today's software development landscape. For every company in every industry, competition is as likely to come from an unknown startup as it is from long-established rivals. In the modern economy, if you're not innovating fast enough, you'll get run over by someone who is.

This fear of death is why many organizations no longer view software development as a cost of doing business, but rather as a core competency and strategic imperative that defines the entire enterprise. All companies are now software companies. It's also why organizations around the world are increasingly embracing a concept called DevOps, where the walls between IT operations and developers are torn down, wasteful practices ripped out, and collaboration at scale rewarded.

Enter open source development practices – the miracle drug of choice powering DevOps and modern software innovation. 

CGCS: Can you briefly explain what an open source component is?

Matt Howard: Open source components, or reusable, community-developed software parts, allow companies to save time and money, improve quality, deliver business agility, and mitigate (some) business risk. The concept is not new. Long before the advent of open source, Isaac Newton famously said, "I see further by standing on the shoulders of giants and I discover truth by building on previous discoveries." This idea is a primary reason why open source components are so attractive to development teams. Simply stated, free and open access to pre-existing software components eliminates the reinvention of wheels and exposes software to a global community of "co-developers" to ideate on and expand upon.

With so many benefits, it's no wonder that 80 to 90 percent of a modern application is composed of open source components. And also why 80 to 90 percent of modern infrastructure is being containerized.

CGCS: Before, you mentioned that open source parts can lead to security vulnerabilities. How widespread is the problem and how can it be addressed?

Matt Howard: Well – while these parts play a vital role in driving innovation and powering the world as we know it, not all parts are created equal. Our analysis of downloaded open source components from the Central Repository, the largest and most active database of Java open source components, found that in 2018, 1 in 10 components downloaded by developers contained a known security vulnerability. 

While these truths are not unknown in the market, addressing them in a way that is scalable and adaptable at all points in the development lifecycle can be a challenge. That's where Sonatype comes in.

Application attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities. Fortunately, using Sonatype, many of the challenges related to the use of known vulnerable software components are easily solved.  

CGCS: To get more specific, what do Sonatype’s product offerings do that protects users from those kinds of vulnerabilities?

Matt Howard: At a high level, our integrated open source governance and software supply chain integrity platform, Nexus, helps more than 1,000 large enterprises and 10 million software developers simultaneously accelerate innovation and improve application security.

Going a little deeper, our tools locate, manage, and protect the best quality open source software components, which in turn, allows developers and security professionals to automatically identify, locate and fix a defective or compromised component. We also enable developers to identify vulnerability or licensing risks before one enters their software supply chain – or development environment – stopping it at the front door. 

This is all powered by our machine learning and artificial intelligence engine, Nexus Intelligence, which has analyzed more than 31 million open source components. We continuously feed this intelligence to our customers so they make better innovation decisions early and everywhere across their development lifecycle. Subsequently, DevOps teams eliminate friction associated with manual governance and ship secure software faster than ever – which makes everyone happy:  developers, security professionals, and IT ops.
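The "front door" check Mr. Howard describes, blocking a component with a known vulnerability before it enters the build, can be sketched in a few dozen lines. The example below is an added illustration written for this article; it is not Sonatype's code and it does not use Nexus, Nexus Intelligence or any real advisory feed. It assumes Maven-style version ranges such as `[2.0.0,2.3.32)` for the affected-version syntax, and the pom.xml fragment, the coordinates (`org.example:widget-core` and friends) and the advisory identifiers are all constructed for the example. In practice the advisory list would come from a curated intelligence source and the gate would run inside the repository manager or CI, so that a blocked component never reaches a developer's machine.

```python
"""Minimal dependency gate: check the components a pom.xml declares against an
advisory list before the build proceeds.  Added illustration, not Sonatype's code;
coordinates, versions and advisory IDs below are constructed, not real."""

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    affected: str   # Maven-style version range, e.g. "[2.0.0,2.3.32)" or "[,1.3.9]"
    summary: str


def parse_version(version):
    """Split '2.3.32-beta' into comparable integer parts; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def _compare(a, b):
    """Return -1, 0 or 1 comparing two version tuples, padding the shorter with zeros."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, spec):
    """True if version lies inside a Maven-style range; '[' / ']' are inclusive bounds,
    '(' / ')' exclusive, and an empty bound means unbounded on that side."""
    m = re.fullmatch(r"([\[(])([^,]*),([^\])]*)([\])])", spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_inclusive, lo, hi, hi_inclusive = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    v = parse_version(version)
    if lo:
        c = _compare(v, parse_version(lo))
        if c < 0 or (c == 0 and not lo_inclusive):
            return False
    if hi:
        c = _compare(v, parse_version(hi))
        if c > 0 or (c == 0 and not hi_inclusive):
            return False
    return True


def declared_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in a pom.xml string.
    Tags are namespace-stripped so the POM's xmlns does not matter."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in dep}
        yield fields.get("groupId", ""), fields.get("artifactId", ""), fields.get("version", "")


def evaluate(pom_xml, advisories):
    """Return (coordinate, summary) findings for every declared component whose version
    falls in an advisory's affected range.  An empty list means the build may proceed."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        for adv in advisories:
            if (group, artifact) == (adv.group, adv.artifact) and in_range(version, adv.affected):
                findings.append((f"{group}:{artifact}:{version}", adv.summary))
    return findings


# Constructed sample input: hypothetical coordinates and advisories, not real data.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId><artifactId>widget-core</artifactId><version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>json-util</artifactId><version>1.4.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>safe-lib</artifactId><version>3.0.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_ADVISORIES = [
    Advisory("org.example", "widget-core", "[2.0.0,2.3.32)", "EXAMPLE-0001 (constructed advisory)"),
    Advisory("org.example", "json-util", "[,1.3.9]", "EXAMPLE-0002 (constructed advisory)"),
]

if __name__ == "__main__":
    for coordinate, summary in evaluate(SAMPLE_POM, SAMPLE_ADVISORIES):
        print(f"BLOCK {coordinate}: {summary}")
```

Run as a script it reports `widget-core:2.3.1` as blocked (its version sits inside the affected range) and stays silent about `json-util:1.4.0`, which is past the upper bound of its advisory, and `safe-lib`, which has no advisory at all. The point a practitioner should take from it is the comparison logic: version ranges have to be evaluated numerically and with the right inclusive/exclusive bounds, since a string comparison would put `2.3.32` before `2.3.4` and let a vulnerable build through.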

In the second half of our discussion with Mr. Howard, he discussed the company’s growth over the past year and how that led to their win of the Emerging Growth Company of the Year award.
