“Sonatype Lift was designed to intuitively blend into developer workflows”
What is Sonatype Lift and how can it help enhance security? We had a chat with Stephen Magill about how Sonatype Lift can help bring security beyond silos. Stephen also shares some security tips, how false positives affect cybersecurity, and where the biggest security threats lie in organizations.
JAXenter: How can Sonatype Lift help enhance security?
Stephen Magill: By bringing security beyond the silos it currently sits in. The system most businesses work under now is based on an unproductive division between security and development teams, where the inherent workflow is set up to fail.
You have security teams tasked with finding and reporting every flaw to developers, creating more work for already overstretched teams. And then you have developers who are also too overwhelmed to follow through on all the bug fixes, leading to even larger security issues. That’s a workflow problem and an organizational problem, with an achievable solution! If we can focus on the most important and actionable parts of those security reports, and bring them inside developer workflow, we can get bugs fixed more efficiently — improving security without slowing down development.
JAXenter: Can Sonatype Lift integrate with tools that teams already use?
Stephen Magill: Yes! Lift was designed to intuitively blend into developer workflows, and integration is a key part of success there. Right now we support managed cloud and on-prem offerings that users can integrate into their existing CI/CD infrastructure. Lift integrates with GitHub, GitLab, and BitBucket, and is supported by modern infrastructure like Docker and Kubernetes.
JAXenter: Are there any future plans that you can share with us? What new features can we look forward to seeing?
Stephen Magill: We plan on leveraging the years of experience Sonatype has in supporting software security practices at enterprise scale to bring new advanced capabilities to Lift customers like insightful reporting, remediation recommendations, and robust integration with other services.
JAXenter: How do false positives affect security and how can Sonatype Lift help eliminate them?
Stephen Magill: False positives are incredibly detrimental to overall security posture. While some see them as necessary side effects of having a robust scanning process, the truth is they keep developers from trusting and implementing bug fixes. If you received a hundred emails a day with the title “Urgent!” and only 10 actually required immediate action, you’d start blocking or spamming those email addresses, right? That’s how it works with developers too, and that’s a failure in seeing them as “resources” or endless code generators instead of people with finite energy in a day.
Lift was developed to acknowledge this, by centering the developer experience on delivering fewer false positives through the workflows they already use. One example I find particularly compelling is the results seen when you integrate security reporting into a developer’s pull request. Just like a Word Doc that highlights typos as you write, integrating bug fixes into the pull request, versus an after-the-fact report, improves the fix rate by up to 70X. That’s what we’re trying to achieve here: strong security posture through common sense, high-adoption solutions.
JAXenter: Is automation a necessity for high-level security?
Stephen Magill: Absolutely. Even if we didn’t have a cybersecurity hiring crisis, the natural advantage would still rest with attackers, who only have to find one weak spot, versus defenders, who have to secure the entire system. Security teams were already overburdened tracking open source risk and attending to the security of their own code. And now we’re seeing the effects of upstream attacks targeting the build environment, as well as over-tapped developers increasingly being asked to take on security. Businesses need solutions that take the busy work out of workflows for both security and development teams, and that provide single sources of truth and resolution. With the level of data, cross-team collaboration, and workflow management this requires it can only happen through automated solutions.
JAXenter: Which poses more of a risk to security: malicious attacks from outside, or code mistakes from inside of the company?
Stephen Magill: Definitely code mistakes from inside the company. Malicious attacks are only as successful as your company’s weakest link, and unfortunately the weakest link is those internal code mistakes. So, while malicious attacks can have severe consequences if successful, they’re only possible if there is a code or configuration mistake available to be exploited. We, as software professionals, must be better about seeing and prioritizing the real sources of risk and continuously analyzing, evaluating, and remediating this risk during software development.