Sergey Nivens - Fotolia

Sonatype buys MuseDev to boost code analysis

Sonatype has expanded its addressable market for developers with the acquisition of code analysis tool vendor MuseDev. The move builds out Sonatype's software quality platform.

Sonatype has enhanced its software supply chain management platform with the addition of the Muse code analysis technology.

The Fulton, Md., company acquired MuseDev, maker of the Muse tool, to help developers write higher-quality code and avoid bugs. Terms weren't disclosed.

Muse automatically analyzes and provides feedback on each developer pull request to help them find and fix security, performance, and reliability bugs during code review, said Stephen Magill, CEO of MuseDev.

The acquisition of MuseDev boosts the breadth and depth of Sonatype's Nexus platform.

Stephen Magill, CEO of MuseDevStephen Magill

"We're really expanding our addressable market and our platform and solving a broader set of problems that our customers have as it relates to the quality of the code that they're writing in addition to the quality of code that they're borrowing from open source communities," said Matt Howard, executive vice president and chief marketing officer at Sonatype.

Muse provides 24 preconfigured code analyzers to automatically assess each developer pull request and then report any bugs as comments in code review, Magill said. The Muse code analyzers are integrated into GitHub, GitLab and Bitbucket, and are pretuned to minimize false-positive noise so developers can focus on the most important bugs. In addition, Muse provides developers with guidance on how to fix the bugs that have been identified.

Code analysis choices abound

The acquisition of MuseDev augments Sonatype's Software Composition Analysis (SCA) with source code analysis, functionality that is core to Static Application Security Testing (SAST), said Sandy Carielli, an analyst at Forrester Research.

"There are a number of vendors that offer a full suite of pre-release testing tools -- including, but not limited to, SAST and SCA," she said. "Synopsys, Veracode and Checkmarx each offer both SAST and SCA. Snyk announced a SAST offering late last year. Combining these tools gives security and dev teams a fuller view of their application risk, as they can identify and remediate both the first-party and third-party application security flaws."

Because Muse works to provide information to developers in the peer code review process, it makes it easier for the developer to address and fix the bug immediately.

"The peer code review process is the place where developers most benefit from automation in terms of feedback, with respect to code quality and security," Howard said. "Because if you give the developer the feedback at that point in the engineering process, they appreciate it and they're most likely to act upon it by fixing the bug."

In addition, Muse automatically installs and configures itself from a one-click setup.

The DevSecOps, shift-left revolution is definitely in full swing, so Sonatype's ability to beef up its Nexus Lifecycle offering with static analysis capabilities from MuseDev makes good sense.
Chris GonsalvesSenior vice president of research, Channelnomics

Shifting left

"The DevSecOps, shift-left revolution is definitely in full swing, so Sonatype's ability to beef up its Nexus Lifecycle offering with static analysis capabilities from MuseDev makes good sense," said Chris Gonsalves, senior vice president of research at Channelnomics in Port Washington, N.Y.

A spinoff of R&D firm Galois, MuseDev reverse-engineered the best of the in-house approaches used by big players such as Google and Facebook and turned them into an open source solution that analyzes GitHub pull requests and flags problems as in-line code comments, Gonsalves said.

"They're a legit player," he said. "But the DevSecOps environment is evolving and churning pretty rapidly. How a combined Sonatype/MuseDev approach to keeping code secure will stack up against some of the more celebrated SAST players in the space right now -- [companies] like Snyk and SonarSource, or the old guard in app testing like Veracode -- remains to be seen."

Enhanced Sonatype Nexus

Meanwhile, Sonatype also enhanced its Nexus platform with a new Nexus Container offering and an Infrastructure as Code Pack for Nexus Lifecycle.

Nexus Container is a Kubernetes-native, full lifecycle container security tool that helps lock down containerized applications from development to delivery to run time. The Infrastructure as Code Pack helps developers configure cloud infrastructure and comply with privacy and security standards.

Dig Deeper on Agile, DevOps and software development methodologies