Sign up for our newsletter - Navigating the horizon of business technology​
Leadership / Strategy

Five Questions with… Sonatype CTO Brian Fox

Every Monday morning we fire five questions at a C-suite tech industry interviewee. Today we’re pleased to be joined by Sonatype CTO Brian Fox

Brian: What’s the Biggest Challenge for your Clients

 In the early years of Sonatype, we did a lot of training and consulting revolving around the Apache Maven build system for Java that we helped create. A necessary part of this was helping people through a modernization of their entire software development process. During this phase, I was exposed to a lot of, frankly, horrifyingly draconian workflows that required manual approval of every software dependency, as well as finger pointing, and shell games caused by these outdated processes.

When effectively enforced, these workflows were a major impedance to the throughput of the engineering team, requiring turnarounds on approvals usually in the six-week timeframe. They were also often ineffective as engineers simply worked around them, setting up a showdown with legal or security late in the process when a release was imminent that more often than not would result in a waiver of the process and more bad blood.

Sontatype CTO
Sonatype CTO Brian Fox

At the same time, we recognized that the need to be aware of open source licenses, the security posture of a given dependency, as well as general hygiene and quality attributes was an important business function, equally as important as innovation and time to market. The problem was in the implementation.

White papers from our partners

With this deep understanding of the challenges, we set out to develop products that help solve the important legal, security and quality concerns and at the same time, doing so in a way that enhances engineering’s ability to move fast and innovate, rather than impeding it. What we see in the market is that our customer’s greatest challenge today is often the cultural change required to get all of the process owners to think outside the legacy process box they find themselves in. Very often we see people wanting to solve the open source dependency problem using new data layered into a legacy, very manual process because that’s just how it’s always been done. Bringing the separate disciplines together (Lawyers, Application / Operational Security, and Architects) to recognize a new process is hard at some organizations.

 Technology that Excites you Most?

 In my field it has to be Machine Learning. Our continuously improving ability to train computers to process vast amounts of data and recognize new patterns is the type of technology transformation we see once in a generation. ML has the potential to affect every aspect of technology from self-driving cars to how groceries are ordered.

See also: Five Questions with… SolarWinds CTO Joe Kim

As it relates to my work at Sonatype, we see an exponential increase in the amount of data that can be leveraged to determine how safe a particular component is to use. This spans from things such as the standard hygiene practices of the development team historically, to understanding what normal release behavior looks like.

Processing all of this data in traditional manners to find outliers that may warrant deeper inspection transcends our ability to scale via qualified humans. I’m excited to see how these new technologies can push the state of possible further faster than ever.

 Greatest Success?

My greatest success so far has been co-founding Sonatype. It has provided an opportunity over the last 11 years to play many roles as we worked to get traction in the market and hire professionals for each discipline. It is still really humbling when we have our yearly meetups to see just how much we’ve grown (we’ll surpass 400 employees sometime this year).

My favorite part has been working with customers to really understand their needs and to be able to deliver products to make their own developers more efficient and the organization safer from a legal and security perspective.

Worst Failure?

Oh, but there are so many choices!

The one I have learned the most from comes from the early days at Sonatype. As we observed many of the challenges I described above, many customers were asking for us to effectively automate their manual process, whitelist/blacklist style. It seemed logical and an easy place to start. We essentially built exactly what they asked for, without realizing it wasn’t what they needed. It was the classic “faster horses” scenario.

It wasn’t long until I saw how this new capability was being leveraged as a weapon against developers in that we made enforceable a previously horrible but unenforceable process in many organizations. The resulting anti-patterns of behavior took years to unwind.

We did eventually land in a much better place in the end, but I find myself still skeptical every day to make sure we are looking further over the horizon than any single feature or product request to avoid making the same mistake again.

In another life I’d be…

An Air force pilot.

Not many people know this about me: Since I had always been in love both with computers and with flying, my plan throughout high school was to be a pilot or an aerospace engineer.

To that end, I was enrolled in Navy JROTC for four years in High School and two years of Air Force ROTC in College. At the time, the Air Force was offering full boat, three-year scholarships for anyone taking Computer Science as their major. So that’s what I did, going so far as to score very high on the Air Force Officer Qualifying Test, which qualified me to choose any specialty, including Pilot, upon graduation.

That was my destiny until the end of my Freshman year when the government was shutdown. The Commander called me and said that all new scholarships were now delayed another year, they don’t do two years, nor would they pay for grad classes with the third year. That would have basically forced me into a five-year undergrad plan if I wanted to continue towards a scholarship…. And I really needed that scholarship to continue.

I took this as a strong sign, particularly given the thriving market for Software Engineers that was developing. I was able to find part time work as a developer that helped pay to stay enrolled.  I dropped ROTC a year later and picked up some business electives instead and continued with a Computer Science major.

Although it was quite devastating at the time to have my whole career plan blown up in my face after getting so far, it was a great learning experience that certainly applied to launching a startup. Things don’t always turn out as you planned, but you need to be open to seizing new opportunities when you least expect it, and keep moving forward.

See also: Five Questions with… Tradeshift Cofounder Gert Sylvest


This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.