By chaos, Jackson is referring to the avalanche of open source code out there, written by strangers its users know nothing about and built into some very important projects. GitHub.com alone hosts some 40 million developers, he pointed out.
“We are building the world’s critical infrastructure on software somebody else wrote, a stranger with unknown skills, motivations and desires, but the desire to innovate is so high, we’re willing to accept the risk of using some random person’s software invention,” Jackson said.
Sometimes developers understand the practical use of the open source code they’re creating, and sometimes they don’t, according to Jackson. Some of it is written by developers who work for Google, and some of it is written by a “dude in a T-shirt in the basement.”
“The code written by the guy in the basement can turn out to be valuable,” Jackson said.
Jackson, 58, compares what Sonatype is doing for open source code to what Edwards Deming, an American engineer and management consultant, did for the automobile industry when he introduced the principles of lean manufacturing, embraced most famously by Toyota.
Jackson said Deming’s four main principles for supply chains, which apply most directly to open source code, are to have fewer, better suppliers; to use the highest quality parts; to have transparency throughout the system; and to never pass defects downstream.
“We do for software development organizations what Deming did for Toyota and parts,” Jackson said. “If you think about software as a manufacturing process, which more and more often it is, the assembly line has value, but only if you are feeding it the right parts.”
Sonatype helps organizations make better decisions about the open source “parts” they’re going to use. If you’re going to help people make better decisions about open source code, Jackson said, you have to identify precisely what they’re using.
“We have close to 100 full-time data researchers every day building our knowledge of open source,” he said.
Jackson finds the world of open source software to be an “amazing phenomenon.”
“Globally, if you step back, 80 percent or more of a typical piece of software is open source, made from parts they borrowed and put glue and veneer on it to make it look like it’s theirs,” Jackson said.
That can cause some real problems.
“If you’re a chief security officer at a big bank and you hear there’s a problem with this open source library, how do you know which developer decided to use it, which apps it went in, and what critical data is being exposed?” Jackson asked. “There’s no visibility.”
That, Jackson said, is exactly what happened to Equifax, which disclosed in September 2017 a data breach that exposed the personal information of 147 million people.
“The root cause was their use of an open source component with a known security defect,” he said.
Sonatype is “bringing visibility” to open source code, according to Jackson.
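The visibility problem Jackson describes, precisely identifying which component versions each application ships and matching them against advisories, is what an inventory check does. The following is an added example written for this page, not Sonatype’s code or tooling: it parses a constructed per-application component inventory, compares each component against a constructed list of advisories with hypothetical identifiers (ADV-0001, ADV-0002) and version ranges, and reports which applications are exposed. The component names, ranges and applications are illustrative assumptions.

```python
"""Added example (not Sonatype's code): find which applications ship a
known-vulnerable open source component.

Inputs are constructed inline: a per-application component inventory
(a minimal bill of materials) and a list of advisories giving the
affected version range. The component names, advisory identifiers and
ranges are illustrative assumptions, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE/GHSA
    group: str
    artifact: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


def parse_version(v):
    """'2.3.1' -> (2, 3, 1). A trailing qualifier such as '-rc1' is dropped
    so that '2.3.1-rc1' compares as 2.3.1 instead of raising; missing
    components are padded with 0 so '2.5' == (2, 5, 0)."""
    parts = []
    for p in v.split('.'):
        digits = ''
        for ch in p:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(component, advisory):
    """Match on exact coordinates, then on the half-open version range."""
    if (component.group, component.artifact) != (advisory.group, advisory.artifact):
        return False
    v = parse_version(component.version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def parse_inventory(text):
    """Parse 'app  group:artifact:version' lines into {app: [Component]}.
    Blank lines and '#' comments are ignored."""
    apps = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        app, coords = line.split()
        group, artifact, version = coords.split(':')
        apps.setdefault(app, []).append(Component(group, artifact, version))
    return apps


def exposed_apps(apps, advisories):
    """Return {advisory_id: sorted list of (app, shipped version)} for every
    application that ships a version inside an advisory's affected range."""
    hits = {}
    for adv in advisories:
        for app, comps in apps.items():
            for c in comps:
                if is_affected(c, adv):
                    hits.setdefault(adv.advisory_id, []).append((app, c.version))
    for k in hits:
        hits[k].sort()
    return hits


# Constructed inventory: three internal applications and what they ship.
INVENTORY = """
# app            component (group:artifact:version)
customer-portal  org.example:webfw:2.3.1
customer-portal  org.example:json:1.0.0
payments-api     org.example:webfw:2.5.12
batch-reports    org.example:webfw:2.3.34
batch-reports    org.example:json:1.2.0
"""

# Constructed advisories with hypothetical identifiers and ranges.
ADVISORIES = [
    Advisory("ADV-0001", "org.example", "webfw", "2.3.0", "2.3.32"),
    Advisory("ADV-0002", "org.example", "json", "1.0.0", "1.1.0"),
]


def report():
    return exposed_apps(parse_inventory(INVENTORY), ADVISORIES)


if __name__ == "__main__":
    for adv_id, hits in report().items():
        for app, version in hits:
            print(f"{adv_id}: {app} ships affected version {version}")
```

Two design points matter in practice. The match is on exact coordinates plus a half-open version range, not on the artifact name alone; payments-api and batch-reports ship the same library as customer-portal but outside the affected range, so they are correctly excluded. And the inventory has to record what is actually deployed per application, not what a developer's laptop resolves today, or the answer to “which apps did it go in” is wrong.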
Vista Equity Partners, based in Austin, recently purchased a majority share of Sonatype, buying out old investors. Jackson declined to disclose the amount of the investment.
“I will tell you in terms of our scale we’re well north of $50 million a year and we’re approaching 400 employees,” Jackson said.
Sonatype is headquartered in Fulton, Maryland, with offices in London and Sydney, Australia.