Code quality management vendor Sonatype has had a busy first half of the year.
In March, the US-based firm introduced a new product called SBOM Manager, a tool that helps companies track the components of their internal software more easily and shows whether an app contains an open-source library with a known vulnerability.
More recently, Sonatype struck a partnership with AI platform ServiceNow to roll out Sonatype’s open source testing tools directly into existing workflows.
Teaming up with ServiceNow allows Sonatype, a major software supply chain optimisation player, to incorporate its Sonatype Lifecycle software composition analysis and open source vulnerability scans into ServiceNow workflows.
Sonatype was founded in 2008 in Maryland by Jason van Zyl and Brian Fox, who sold it to Vista Equity Partners a decade later. The firm provides a collection of developer tools with around 15 million users worldwide.
Time for QA Financial to catch up with Mitchell Johnson, since August 2022 the company’s chief product officer.
QA Financial: You recently introduced Sonatype SBOM Manager, which aims to identify and mitigate vulnerabilities within the software supply chain. Tell us a bit more.
Mitchell Johnson: SBOM Manager provides the industry’s easiest solution to maintaining compliance with Executive Order 14028, NIST2, and PCI4. The tool removes all complexity because it automates component scanning and vulnerability monitoring. It enhances security by providing the most thorough and reliable data. SBOM Manager works with your current security program regardless of the tooling you have and validates software risks before you distribute or consume it. The key to keeping vulnerabilities and intentionally malicious packages out of your network is having comprehensive data, which only Sonatype has.
QA Financial: This launch came only a few weeks after your company introduced a new tool for the way AI components are managed. How does this platform work?
Mitchell Johnson: AI and ML have exploded onto the software scene, accelerating the speed of developing software and expediting product innovation. While this AI boom has introduced a whole new set of opportunities from a productivity perspective, the risks it can pose to the software supply chain are equally as great.
“So-called ‘jack of all trades, master of none’ solutions lack effectiveness. Ultimately, they hinder progress and efficiency.”
– Mitchell Johnson
Sonatype’s customers want to use AI and ML safely, just like they do with any other piece of software, which is why our platform integrates AI and Machine Learning management into their existing Sonatype tools. Managing AI and ML is just like handling open source components: you cannot manage the supply chain without comprehensive data and shared policies. We’ve taken our pedigree in this field, creating best-in-class solutions, and applied it to help our customers tackle their biggest worry.
QA Financial: Speaking of ML, and then particularly AI, how important is AI in your product offering, and the way you develop and design new testing tools?
Mitchell Johnson: AI is critically important to our product offering and how we develop and design new testing tools. We use AI and ML to accelerate our software and product development lifecycles, resulting in faster and more efficient processes. Our AI/ML component detection technology, which is part of Sonatype Lifecycle, transforms how organizations select and monitor AI/ML software components. This integration means that our products help ensure the safe use of the best AI/ML suppliers, monitoring of AI usage, and managing the associated risks. By doing so, we maintain the highest security standards, legal compliance, and risk management.
QA Financial: You mentioned compliance. There’s increasing scrutiny of AI-based applications – how are you building anticipated compliance requirements into your apps?
Mitchell Johnson: The first step is to make compliance as easy as possible, which starts with having an awareness of what compliance means and having reasonable shared policies to help get you there. We purposefully built Sonatype Lifecycle and SBOM Manager to provide ongoing visibility and management of all components within the software supply chain, including those related to AI and ML. With these tools, you can effectively define and uphold internal policies as well as comply with regulatory standards like EO14028, NIST2, and PCI4.

Challenge yourself by asking “If you discovered an exciting new AI component or an open-source vulnerability, would you know if it’s used within your organization?” Would you be able to identify which applications? Could you track these down and implement fixes across your portfolio? Time is of the essence. How swiftly could you ship or deploy an update?
QA Financial: As Chief Product Development Officer, you oversee product management, engineering, development, delivery and design. To what extent do you define, or redefine, how Sonatype delivers software supply chain platforms?
Mitchell Johnson: One of the best parts about working at Sonatype is that our engineers, product experts, and security team need our products to build our products. We call this feedback loop Sonatype4Sonatype. It allows us to have a constant, constructive, and collaborative dialogue between our customers and the product development team, meaning that our solutions meet the highest standards of scale and usability demanded by enterprise environments. Our engineers are actively engaged with customers every day, pushing the platform to its performance limits. We don’t just build software; we live and breathe it as customers ourselves.
QA Financial: How do you test the functionality and performance of your applications, given that your algos are your competitive edge?
Mitchell Johnson: We’ve built our platform with a core focus on leveraging W. Edwards Deming’s time-tested quality management principles, empowering our customers to streamline their software supply chain. An integral aspect of Sonatype’s development process is our commitment to “dogfooding” – our own engineers, product specialists, and security professionals use our products daily to rigorously test their capabilities. We harness cutting-edge technologies, employ diverse test frameworks, and use advanced analytics to engineer exceptional quality in our solutions. This multifaceted approach ensures our algorithms retain a competitive edge, high functionality, and performance, resulting in applications that meet and exceed industry standards.
QA Financial: As vendors merge and consolidate, will the value-add of that proposition have to be refined, slimmed down and reinforced?
Mitchell Johnson: We’ve seen some consolidation in the market. Usually, this is driven by vendors looking to improve developer productivity, security outcomes, and overall efficiencies. Demonstrating tangible returns on investment concerning developer efficiency and heightened security standards is crucial for remaining competitive in the current landscape. The value of comprehensive, accurate data exclusive to Sonatype has never been more pivotal in effectively managing your software supply chain.
“Demonstrating tangible returns on investment concerning developer efficiency and heightened security standards is crucial for remaining competitive.”
– Mitchell Johnson
QA Financial: Looking ahead, what are some of the key challenges you and the wider industry are currently facing?
Mitchell Johnson: One pressing issue we’ve seen stems from the relentless onslaught of attacks on the software supply chain perpetrated by highly sophisticated criminal organisations and nation-state actors who intentionally inject malicious components into critical software. This, exacerbated by the proliferation of low-quality suppliers of open-source software, only serves to drive up technical debt, stall innovation, and raise the overall cost of software ownership.
There’s a concerning trend towards embracing “jack of all trades, master of none” solutions that may superficially meet requirements but completely lack effectiveness. Ultimately, they hinder progress and efficiency in software development and implementation.
QA Financial: Finally, anything else you would like to share with our readers?
Mitchell Johnson: Software development stands as a cornerstone for global businesses and governments. With the emergence of AI, the widespread adoption of open source solutions, and the unfortunate rise of intentionally malicious components, we find ourselves navigating uncharted territory.
The development tempo and product innovation cycle are speeding up, with no sign of slowing anytime soon. Despite these circumstances, security teams already find themselves stretched thin. Without adequate resources, they are at a real risk of falling behind. That is unless they swiftly implement robust software supply chain security measures. Automation and data analytics are key to staying ahead of the curve and ensuring resilience in the face of new and emerging threats.