Dr. Dobb's is part of the Informa Tech Division of Informa PLC

Sonatype Shows Some (Component) Integrity

Hitting the global software tools marketplace this week is Sonatype Insight, a new suite described as a combination of both "software products and information services" for ensuring the integrity of open-source components in the software supply chain.

Not the only tool claiming to provide "visibility and control" with a view to creating and upholding software integrity, Sonatype Insight is perhaps distinguished by its specific alignment towards open-source component usage by development teams.

Aside from Sonatype's claims of speed and precise functionality, the product is built to combine organizational consumption awareness, real-time component change data, and a library of quality, security, and licensing information. Sonatype says that while other approaches to open-source management are either unenforceable or find issues late in the development cycle, when rework becomes prohibitively expensive, Insight is non-intrusive, non-disruptive, and tightly interwoven with existing development processes.

The central developer proposition here is that organizations can gain actionable intelligence about open-source usage at any stage of the application development process. After applications are released to production, Sonatype Insight continuously monitors their bill-of-materials and alerts users if new quality or security defects are uncovered.
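To make the bill-of-materials monitoring idea concrete, here is an added illustration (not Sonatype's code, and not part of the original article). It assumes components are identified by Maven-style group:artifact:version coordinates and that advisories carry an affected version range in Maven's interval notation; the BOM, the advisory feed and the ADV-* identifiers are all constructed sample data, not real advisories. The monitor diffs two scans so that a newly published advisory against an unchanged BOM still raises an alert, and it treats pre-release versions (e.g. 1.2.5-rc1) as older than the release they precede, which is the edge case that most often produces false negatives in naive string comparison.

```python
"""Toy bill-of-materials (BOM) monitor: match a released application's
components against a vulnerability feed and report what is newly affected.
Added illustration; assumes Maven-style coordinates and version ranges."""
import re
from dataclasses import dataclass


def parse_version(v: str):
    """Turn '1.2.10-beta' into a comparable tuple: numeric parts compare
    numerically, missing parts count as 0 (1.2 == 1.2.0), and a version
    with a qualifier sorts before the bare release of the same number."""
    core, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if qualifier else 1, qualifier)


def in_range(version: str, spec: str) -> bool:
    """Check a version against a Maven-style interval such as
    '[1.0,1.2.5)' ( >= 1.0 and < 1.2.5 ) or '(,1.0)' (anything below 1.0)."""
    m = re.fullmatch(r"([\[(])\s*([^,\]\)]*)\s*,\s*([^,\]\)]*)\s*([\])])", spec)
    if not m:
        raise ValueError(f"bad range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:
        lv = parse_version(lo)
        if v < lv or (lo_br == "(" and v == lv):
            return False
    if hi:
        hv = parse_version(hi)
        if v > hv or (hi_br == ")" and v == hv):
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    id: str          # placeholder identifier, not a real advisory number
    group: str
    artifact: str
    affected: str    # Maven-style range of affected versions
    severity: str


# Constructed sample BOM of a deployed application.
BOM = [
    "org.example:json-parser:1.2.3",
    "org.example:http-client:2.0.0",
    "org.example:logging-core:0.9.1-beta",
]

# Constructed sample advisory feed (hypothetical components and ids).
ADVISORIES = [
    Advisory("ADV-0001", "org.example", "json-parser", "[1.0,1.2.5)", "high"),
    Advisory("ADV-0002", "org.example", "http-client", "[2.1,)", "medium"),
    Advisory("ADV-0003", "org.example", "logging-core", "(,1.0)", "low"),
]


def scan(bom, advisories):
    """Return (coordinate, advisory id, severity) for every BOM entry whose
    version falls inside an advisory's affected range."""
    findings = []
    for coord in bom:
        group, artifact, version = coord.split(":")
        for adv in advisories:
            if (adv.group, adv.artifact) == (group, artifact) and in_range(version, adv.affected):
                findings.append((coord, adv.id, adv.severity))
    return findings


def new_findings(previous, current):
    """Continuous monitoring step: only findings absent from the previous
    scan are alerted on, so an unchanged BOM still alerts when the feed
    gains a new advisory."""
    return [f for f in current if f not in previous]


if __name__ == "__main__":
    for coord, adv_id, severity in scan(BOM, ADVISORIES):
        print(f"{severity.upper():6} {adv_id} affects {coord}")
```

Run as a script it lists the two affected components; in a real pipeline the BOM would come from the build (for a Java project, the resolved dependency tree) and the feed from an advisory source, with the previous scan's findings persisted between runs.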

Sonatype Insight leverages the Central Repository — the software industry's leading repository for open-source software (OSS) components used by more than 40,000 organizations and containing more than 300,000 Java components from all major open-source projects.

"Without a governance program and an accompanying management policy, the IT organization cannot hope to manage, audit, or track open-source assets that come into or leave the enterprise, and it cannot measure the appropriate use of open-source assets within the broader IT portfolio. At best, an IT organization can simply react tactically to risks (e.g., catastrophic technical failures) after the fact," said Mark Driver, research vice president at Gartner Inc., in "A CIO's Perspective on Open-Source Software," Jan. 31, 2011.

Sonatype Insight comprises three integrated products that support the modern, component-based development process and offer reporting and management capabilities for application managers, legal and compliance executives, information security executives, and IT leadership:

  • Management Insight: Provides visibility, proactive monitoring, and actionable intelligence about organizational OSS usage including security, license, and quality metadata for components.
  • Development Insight: Enables proactive management of OSS component usage throughout the software development process. Plug-ins for existing development tools deliver quality, security, and licensing information where it's needed without disrupting the development process.
  • Application Insight: Analyzes and continuously monitors the composition of software applications, ensuring that they do not have hidden security, license, or quality risks caused by incorporating problematic OSS components. The product notifies users immediately of newly discovered flaws in components — even after applications are in production.

"As the pervasiveness of open source continues, the market opportunity for Insight is tremendous and should appeal to all Java software developers (6 million and counting) and any company in the world that has used open-source components at any point during the development of mission-critical applications," suggests Wayne Jackson, CEO of Sonatype.
