Creating a Coherent and Efficient Flow of Dependencies
By combining Artifactory Pro’s binary management with Black Duck’s OSS Logistics solution, we have reduced the legal department’s open source-related workload by 75%. With this change, we also eliminated the technology review team that vetted open source license compliance under the old system. All tracking of open source code is now automated. We’ve even improved visibility by creating a continually updated open source bill of materials (BOM).
“Under the old system, everything had to be tracked up front as part of the process. Now, we track open source code usage on an exception basis only, because of the BOM,” Gaitanos explains. “A human only gets involved in the event of an exception. This saves a lot of time.”
These two systems have made it easier for developers. Carbo explains: “For us, the main thing is to get out of development’s way. The old system really slowed down development, but with Black Duck, they don’t have to worry about filling out spreadsheets. Plus the legal team would have to get involved to vet each usage, and they don’t have to do this now. Changing a version doesn’t prompt all this work.”
With these new systems, developers are saving, on average, three “person days” per app. With over 100 apps, that’s 300 days of developer time.
But the savings don’t stop there, says Gaitanos. “We’ve seen a huge savings not only from a human interaction and effort perspective, but in the way folks behave towards the process. The more hurdles you put in front of developers, the more likely it is they will work around you. We’re taking hurdles out of their path and making things easier for them.” As this pilot program expands, we expect to simplify our workflows even further.
Security has also become easier. Our internal security group can now easily identify which artifacts and versions are affected by any given security vulnerability. They can focus on the select applications that are actually impacted rather than constantly checking 100+ applications. This new capability has been huge in helping us maintain and protect not only our technology, but also all the data and services we provide.
This piece was adapted from an original Black Duck case study.