OutSystems announced the general availability (GA) of Mentor on OutSystems Developer Cloud (ODC).
Open-source libraries have transformed how developers work. These resources allow DevOps teams to significantly shorten their coding timelines while contributing to a growing body of libraries and containers. And, overwhelmingly, developers are capitalizing on these benefits: Today, nearly every application on the market relies on open-source code (97%), according to industry research. Additionally, nine out of 10 companies have adopted open-source code in one form or another, further cementing the dominance of open-source contributions in software development.
However, just as it invites opportunity, open-source software inherently introduces risk. Because developers don't have complete visibility into the provenance of open-source libraries, these software are more likely to contain vulnerabilities. For example, the famous Log4Shell vulnerability — borne of the ubiquitous open-source Log4j software — has been exploited by bad actors countless times since its emergence. Additionally, because the source code is publicly available, bad actors can inspect it to identify exploitable vulnerability. Upon discovery, Log4Shell was active in several leading applications, including Apple's iCloud, Amazon Web Services (AWS) and the video game Minecraft.
Companies relying on open-source libraries introduce risks to their end-users, so they're on the hook for thoroughly auditing all software. The internal security principles guiding the auditing process are often called open-source governance.
However critical, open-source governance principles can hinder vital development metrics like deployment time. Navigating the balance between organizational imperatives and risk management is thus an ever-more essential — and challenging — aspect of a developer's daily life.
The Need for a New Approach: Why Automation?
Traditional governance structures have many merits, yet they introduce bureaucracy, delays and inflexibilities to a developer's workflow, making it difficult to meet deadlines. Meticulous oversight, especially manual oversight, delays delivery and burdens developers with administrative overhead. As a result, deployed software is secure, but companies fail to meet consumer expectations or demand.
Or, in some organizations, delayed deployments pose too high of a risk, and certain security procedures are foregone in favor of speed. The manual checks-and-balances approach to governance, wherein supervisors must approve state changes, often encourages corner-cutting. Of course, these compromises wouldn't happen in a perfect world — but we've yet to reach that ideal reality. As such, an alternative approach to governance is imperative.
Automated governance provides an ideal reality by solving the issue of insecure code without delaying deployment. Automation-based governance eliminates the need for manual approvals, freeing up developer time to focus on high-impact initiatives. Because these technologies are devoted to ensuring compliance, automated governance tools alleviate concerns about neglected security checklists. Automated systems swiftly identify and address vulnerabilities, bolstering the security framework.
Last but certainly not least, automation significantly improves the developer experience (DevEx). How? By alleviating many developers' worst enemy: administrative load. When developers can focus on innovation and actual development, they're more intellectually stimulated and fulfilled. That's good news for developers and their organizations. According to Forrester, positive DevEx translates to higher productivity, profitability and satisfaction.
The Do's and Don'ts of Automated Governance
Automation offers considerable advantages, but only if implemented thoughtfully. To that end, do:
■ Adopt a phased approach to automation, ensuring technical and human factors are considered. For example, it's wise to ascertain your organization's level of digital transformation before implementing automated tools. Relatedly, are your developers aware of automation's benefits? Organizational buy-in is important to gauge before adoption. Otherwise, leaders may not be prepared for the level of after-the-fact training required.
■ Foster clear communication and collaboration between developers and governance teams to align automation initiatives with organizational objectives and developer needs. Organizations with a DevSecOps mindset will be particularly primed to take this step.
Do not:
■ Make wholesale, abrupt transitions to automated systems, as doing so can cause a bumpy rollout and incur developer resistance.
■ Employ excessive automation, particularly at the outset, because doing so can inadvertently create opacity and disconnect within governance processes.
Striking the right balance between a steady but calculated approach to automation adoption is crucial. Remember, the idea is to ease DevEx — leaders who neglect this piece of the puzzle may inadvertently impose new burdens, further slowing down the software development lifecycle (SDLC) and decreasing developer satisfaction.
Now Is the Time to Automate Governance
The modern software development industry is rife with new technologies. In this environment, it may be challenging to ascertain which technologies are here to stay and which are stuck in a never-ending hype cycle.
Leaders looking for guidance in this respect should consider their tech stack's staying power, particularly in relation to developer trends. Automation, for example, aligns perfectly with existing developer frameworks like continuous integration and deployment (CI/CD), which expedites the deployment process and increases the end-user experience significantly. Automated governance achieves the same results, and in the years to come, it will prove equally valuable to organizations of all sizes.
Industry News
Kurrent announced availability of public internet access on its managed service, Kurrent Cloud, streamlining the connectivity process and empowering developers with ease of use.
MacStadium highlighted its major enterprise partnerships and technical innovations over the past year. This momentum underscores MacStadium’s commitment to innovation, customer success and leadership in the Apple enterprise ecosystem as the company prepares for continued expansion in the coming months.
Traefik Labs announced the integration of its Traefik Proxy with the Nutanix Kubernetes Platform® (NKP) solution.
Perforce Software announced the launch of AI Validation, a new capability within its Perfecto continuous testing platform for web and mobile applications.
Mirantis announced the launch of Rockoon, an open-source project that simplifies OpenStack management on Kubernetes.
Endor Labs announced a new feature, AI Model Discovery, enabling organizations to discover the AI models already in use across their applications, and to set and enforce security policies over which models are permitted.
Qt Group is launching Qt AI Assistant, an experimental tool for streamlining cross-platform user interface (UI) development.
Sonatype announced its integration with Buy with AWS, a new feature now available through AWS Marketplace.
Endor Labs, Aikido Security, Arnica, Amplify, Kodem, Legit, Mobb and Orca Security have launched Opengrep to ensure static code analysis remains truly open, accessible and innovative for everyone:
Progress announced the launch of Progress Data Cloud, a managed Data Platform as a Service designed to simplify enterprise data and artificial intelligence (AI) operations in the cloud.
Sonar announced the release of its latest Long-Term Active (LTA) version, SonarQube Server 2025 Release 1 (2025.1).
Idera announced the launch of Sembi, a multi-brand entity created to unify its premier software quality and security solutions under a single umbrella.
Postman announced the Postman AI Agent Builder, a suite empowering developers to quickly design, test, and deploy intelligent agents by combining LLMs, APIs, and workflows into a unified solution.
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of CubeFS.