4.4. Stages of CLM Adoption and Performance
When first implementing CLM, and then establishing it as an ongoing process, a
number of stages and actions are commonly required:

- Integrate Sonatype CLM Sample Policy

  The part that new users of Sonatype CLM tend to find most difficult is
  something developed outside the application: policies. A policy is a set of
  rules that you expect a component to meet in the context of a particular
  application, and those rules should state the level of risk you are willing
  to accept. A policy therefore starts as a statement of what you do and do not
  want included in your applications. It is dynamic, though: over time your
  policies will change and evolve to fit your business. So, instead of trying
  to determine everything up front, make your first stage one of seeking out
  the sample policies we've provided to get you started.

- Improve Component Selection

  With policies created (or, preferably, the sample policies implemented), it
  can be tempting to call a full stop on development whenever something
  negative is found. That is one approach, but it is not the recommended one.
  Instead, start by deploying only the developer set of CLM tools. This exposes
  your development teams to the information Sonatype CLM holds: when they
  encounter a component that would violate a policy, it will be apparent, and
  they will be able to select an alternative easily by quickly finding the best
  version. Development teams want to do the best job they can, and this stage
  puts them first and foremost in improving your applications, the way it
  should be.

- Establish Component Inventory and Governance

  The component selection stage allowed the development team to make better
  choices about the components they use. Now that they are familiar with the
  kind of information Sonatype CLM provides, it is time to start tracking the
  inventory and approval of the components used in the applications that make
  up the enterprise.

  Sonatype CLM provides tools that integrate with build and release management
  systems to validate that the components in use are approved by Sonatype CLM
  policy. Governance sets the expectations for which components will be
  approved and opens the dialog with development teams, in which they provide
  business justification for why a risky component should be allowed.

- Monitor Component Usage

  At this point you also need to make sure security and licensing policies have
  been established and are continually reviewed and updated. This works most
  effectively when carried out during your ongoing development efforts as well
  as for any components already in production; it lets you both preemptively
  address issues and react to newly discovered ones. Remember to evaluate your
  applications often, and at major milestones during development (e.g. during
  builds and when staging a release). In this final stage you should begin to
  consider putting in place the gates Sonatype CLM provides, so that a balance
  is struck between keeping development fluid and keeping software with
  unwanted components from being released.
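The four stages above, as an added illustration that is not Sonatype CLM's own policy format, API or code: a policy is expressed as rules that encode the accepted risk level (stage 1), a developer-facing helper finds the best clean version of a flagged component (stage 2), waivers record a business justification for a risky component (stage 3), and a build gate that is first advisory and later enforced balances fluid development against shipping unwanted components (stage 4). All component coordinates, licenses, CVSS scores, rule names and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable

# All coordinates, licenses and scores below are constructed sample data; the
# rule format and function names are hypothetical, not Sonatype CLM's own.


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    license: str
    max_cvss: float  # highest CVSS score among known vulnerabilities (constructed)

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.name}:{self.version}"


@dataclass(frozen=True)
class Rule:
    """One policy rule: a predicate that flags a component plus the action taken.
    'warn' surfaces the finding to developers; 'fail' stops an enforced gate."""
    name: str
    violates: Callable[[Component], bool]
    action: str


@dataclass(frozen=True)
class Violation:
    rule: str
    coordinates: str
    action: str


ALLOWED_LICENSES = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})

# The accepted risk level is stated directly in the rules: CVSS 9.0 and above
# is never acceptable, 7.0-8.9 is surfaced but tolerated, and only licenses on
# the allow list are approved.
RULES = [
    Rule("critical-vulnerability", lambda c: c.max_cvss >= 9.0, "fail"),
    Rule("high-vulnerability", lambda c: 7.0 <= c.max_cvss < 9.0, "warn"),
    Rule("license-not-approved", lambda c: c.license not in ALLOWED_LICENSES, "fail"),
]


def evaluate(components: Iterable[Component], rules: Iterable[Rule],
             waivers: frozenset = frozenset()) -> list:
    """Apply every rule to every component. A waiver is a (coordinates, rule name)
    pair recorded, with its business justification, during governance review."""
    found = []
    for comp in components:
        for rule in rules:
            if rule.violates(comp) and (comp.coordinates, rule.name) not in waivers:
                found.append(Violation(rule.name, comp.coordinates, rule.action))
    return found


def _version_key(version: str) -> tuple:
    # Dotted numeric versions only; sufficient for the constructed sample data.
    return tuple(int(part) for part in version.split("."))


def best_alternative(component: Component, catalog: Iterable[Component],
                     rules: Iterable[Rule]):
    """Component selection: the highest version of the same artifact that
    triggers no rule at all, or None when every known version is flagged."""
    clean = [c for c in catalog
             if (c.group, c.name) == (component.group, component.name)
             and not evaluate([c], rules)]
    return max(clean, key=lambda c: _version_key(c.version), default=None)


def gate(violations: Iterable[Violation], enforce: bool) -> bool:
    """Build/release gate. In advisory mode (enforce=False, the component
    selection stage) nothing is blocked; once enforced, any 'fail' blocks."""
    return not (enforce and any(v.action == "fail" for v in violations))


# Constructed catalog: every version of each artifact the organization knows.
CATALOG = [
    Component("org.example", "parser", "1.2.0", "Apache-2.0", 9.8),
    Component("org.example", "parser", "1.3.0", "Apache-2.0", 7.5),
    Component("org.example", "parser", "1.4.1", "Apache-2.0", 0.0),
    Component("com.example", "crypto-utils", "0.9.0", "GPL-3.0", 0.0),
    Component("net.example", "logger", "2.0.0", "MIT", 0.0),
]

# Constructed inventory of one application (what its build actually pulls in).
APP_INVENTORY = [CATALOG[0], CATALOG[3], CATALOG[4]]


if __name__ == "__main__":
    findings = evaluate(APP_INVENTORY, RULES)
    for v in findings:
        print(f"[{v.action}] {v.coordinates}: {v.rule}")
    better = best_alternative(APP_INVENTORY[0], CATALOG, RULES)
    print("suggested replacement:", better.coordinates if better else "none")
    print("advisory gate passes:", gate(findings, enforce=False))
    print("enforced gate passes:", gate(findings, enforce=True))
```

Running the block flags the vulnerable parser and the unapproved license, suggests parser 1.4.1 (1.3.0 is skipped because it still trips the high-severity warning), and shows the same findings passing the advisory gate but failing the enforced one; moving the GPL component through governance review is modelled by passing a waiver, after which the enforced gate passes.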