Legal at DevOps Speed

Author, Derek Weeks

Our general counsel, Paul Bosco, is a super nice guy.  Among his many responsibilities, he helps Sonatype make the right decisions about the appropriate use of open source component licenses within our software.  You would think that having a lawyer hanging over a developer's shoulder would get a little uncomfortable.

Paul is not part of our development team, he doesn't want to be, and he certainly does not slow them down.  That said, Paul knows how to work at DevOps speed.

He knows legal reviews need to happen at the speed of development on every component, every build, and every release.

So how much time does Paul spend reviewing open source and third-party software components in the software we are building?  Almost none.  Yup.  That is because we have automated him.

It's all about dogfooding.  At Sonatype, we have automated our open source policies.  Paul's guidance on the proper use of every component license we use is encoded as policy in Sonatype CLM.  CLM is then integrated with our developer IDEs and our Bamboo CI platform.  With CLM performing the adjudication, Paul is free to focus on more pressing matters, and at the same time our developers have instant access to the legal analysis CLM runs.  No time is wasted on legal reviews at the end of the development lifecycle.

Legal at Speed

Sonatype CLM’s IDE integration provides rapid, data-based feedback on versions, licenses, and known security vulnerabilities

Reviews are built in, automated, instant and continuous.  CLM does not just flag problems with open source and third-party licenses.  When it finds an issue, it also points our developers to alternative component versions that may meet our acceptance criteria.  By selecting the best components from the start, we eliminate the long legal reviews and rework that hurt our release velocity and add to operational costs.  With CLM in place, Paul can keep up with our development team at any pace they choose to run.
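As an added example (not code from this post or from Sonatype CLM), here is the shape of such an automated gate in Python: a counsel-approved allow/deny list of SPDX license identifiers applied to every component in a build manifest, with unknown licenses routed to a human reviewer rather than auto-approved, and with acceptable alternative versions suggested from a version catalog. The policy contents, the org.example coordinates, the catalog and the manifest are all constructed for illustration.

```python
"""Toy license-policy gate for a CI build (added example, not Sonatype CLM code)."""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Counsel-approved license policy (constructed values; SPDX identifiers).
# Anything in neither set is routed to a human reviewer instead of silently passing.
POLICY = {
    "allow": {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0"},
    "deny": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}


@dataclass(frozen=True)
class Component:
    coordinates: str  # Maven-style "group:artifact" (hypothetical names)
    version: str
    license: str


# Constructed stand-in for the version/license data a repository manager would hold.
CATALOG: Dict[str, List[Component]] = {
    "org.example:json-parser": [
        Component("org.example:json-parser", "1.0.0", "GPL-2.0-only"),
        Component("org.example:json-parser", "1.1.0", "GPL-2.0-only"),
        Component("org.example:json-parser", "2.0.0", "Apache-2.0"),
        Component("org.example:json-parser", "2.1.0", "Apache-2.0"),
    ],
    "org.example:crypto-utils": [
        Component("org.example:crypto-utils", "3.4.0", "AGPL-3.0-only"),
    ],
    "org.example:http-client": [
        Component("org.example:http-client", "4.5.2", "Apache-2.0"),
    ],
}

# Constructed build manifest, as a CI step would read it from the build tool.
BUILD_MANIFEST = [
    Component("org.example:http-client", "4.5.2", "Apache-2.0"),
    Component("org.example:json-parser", "1.1.0", "GPL-2.0-only"),
    Component("org.example:crypto-utils", "3.4.0", "AGPL-3.0-only"),
    Component("org.example:legacy-lib", "0.9", "Custom-EULA"),
]


@dataclass
class Finding:
    component: Component
    verdict: str  # "allow", "deny" or "review"
    alternatives: List[str] = field(default_factory=list)


def _version_key(version: str) -> Tuple:
    # Numeric-aware sort so "10.0" orders after "9.0"; non-numeric parts sort as text.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


def evaluate(component: Component) -> Finding:
    """Apply the policy to one component and, on failure, list acceptable versions."""
    if component.license in POLICY["allow"]:
        verdict = "allow"
    elif component.license in POLICY["deny"]:
        verdict = "deny"
    else:
        verdict = "review"  # unknown license: never auto-approve
    alternatives: List[str] = []
    if verdict != "allow":
        alternatives = sorted(
            (c.version for c in CATALOG.get(component.coordinates, [])
             if c.license in POLICY["allow"]),
            key=_version_key,
        )
    return Finding(component, verdict, alternatives)


def gate_build(manifest: List[Component]) -> Tuple[bool, List[Finding]]:
    """Return (passed, findings); the build passes only if every component is allowed."""
    findings = [evaluate(c) for c in manifest]
    return all(f.verdict == "allow" for f in findings), findings


def format_report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        line = f"{f.verdict.upper():6} {f.component.coordinates}:{f.component.version} ({f.component.license})"
        if f.alternatives:
            line += "  -> acceptable versions: " + ", ".join(f.alternatives)
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    passed, findings = gate_build(BUILD_MANIFEST)
    print(format_report(findings))
    sys.exit(0 if passed else 1)  # non-zero exit fails the CI build
```

Run as a CI step, the non-zero exit code fails the build on any denied or unreviewed component, which is what puts the legal check on every build rather than at release time. A real gate would pull license data from the repository manager instead of a hand-built catalog, and would treat a license it cannot identify as a reason to stop, not as a pass.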

Derek Weeks

VP and DevOps Advocate at Sonatype
Derek is a huge advocate of applying proven supply chain management principles into DevOps practices to improve efficiencies, reduce security risks, and sustain long-lasting competitive advantages. He currently serves as vice president and DevOps advocate at Sonatype, creators of the Nexus repository manager and the global leader in solutions for software supply chain automation. Derek is a distinguished international speaker and lectures regularly on modern software development practices, continuous delivery and DevOps, and application security. He shares insights regularly across the social sphere where you can find him at @weekstweets and