MuseDev Is Joining Sonatype!

Stephen Magill, published in Musings, Mar 16, 2021

I’m thrilled to announce today that MuseDev and Sonatype are joining forces. Together, we’ll continue Muse’s mission to empower software developers with exceptionally effective and easy-to-use code quality and security tooling.

As we team up with Sonatype, our obsessive focus on improved developer flow will continue and evolve. Muse is a developer-first platform. We’re more interested in giving developers gentle, timely, and effective nudges than in weighing them down with process-heavy gates. We believe in aligning development and security teams around common tooling and goals. We prioritize giving developers the right results at the right time, which is why we tune out false positives rather than padding our results to claim that we find more bugs. Sonatype shares these goals, and together we will expand Muse’s capabilities in exciting new ways.

How Our Partnership Evolved

I first met the team at Sonatype back in 2018, when MuseDev and Sonatype partnered to take a deep look at a wide variety of open source projects to identify exemplary patterns and extract best practices for dependency management. This effort led to new analysis in the 2019 State of the Software Supply Chain Report, where we discovered a slew of interesting connections between “update hygiene” and open source security practices. Follow-up work in 2020 revealed the tradeoffs software engineering teams face when trying to enforce security and quality without impacting developer productivity.

Muse was designed for those teams that are trying to “have it all” and ship high-quality code while being agile, efficient, and productive. Muse works with developers as part of the development team, commenting on pull requests and suggesting changes or pointing out bugs in a timely and focused manner. Developers see actionable results for the code they just wrote and are able to efficiently fix those issues without slowing down development. Muse provides broad coverage of not just security bugs, but also reliability, performance, and style issues. In this way we help developers write great code generally, and address security as a piece of that. And so when we see products like Sonatype’s Advanced Development Pack and other near-term roadmap deliverables, we see great product alignment that reflects our shared philosophy.

And finally, both companies value doing the technical research work necessary to not just deliver *an* answer, but deliver the *best* answer. You can see this on the Sonatype side in their work on detecting malicious contributions to open source code and preventing dependency confusion attacks. And on the Muse side, Muse has performed work with DARPA, DoD, and university partners to develop and democratize advanced new analysis capabilities for the entire software engineering world, not just those fortunate enough to have security PhDs on staff.

As we join forces with Sonatype and begin this next stage in our growth, I can’t wait to see what the future holds for our products, our customers, and software quality and productivity.
