Sonatype Launches First Formal Partner Program To Boost AppSec Offerings In The Channel

The IPO-bound application security vendor currently generates half of its revenue through the channel and is looking to increase the figure, according to Sonatype executives including CEO Wayne Jackson and Channel Chief Bruce Gordon.


Sonatype CEO Wayne Jackson

Sonatype, a well-established player in securing software supply chains and the use of open source code in the enterprise, is now looking to work with partners in a bigger way with the debut of its first formal channel program, the company’s CEO and channel chief told CRN in exclusive interviews.

Announced Monday, Sonatype’s new Partner Acceleration Program aims to standardize the vendor’s engagements with partners such as resellers and system integrators, and serve as a foundation to build on for working with more managed service providers in the future, the Sonatype executives said.


The launch comes as Fulton, Maryland-based Sonatype continues working toward its goal of going public, with an eye toward 2024 when the window for initial public offerings might re-open, CEO Wayne Jackson said.

“We continue to build an IPO-quality company,” Jackson said, noting that Sonatype’s annual recurring revenue has been growing at a rate of 25 to 30 percent per year.

The company, which is majority-owned by Vista Equity Partners, disclosed crossing $100 million in ARR at the end of 2021 but said it’s not updating the dollar amount for its ARR right now.

Founded in 2008, Sonatype has been working with enterprise-focused partners for years and derives 50 percent of its revenue through the channel, according to Bruce Gordon, senior vice president of global channel sales and alliances at Sonatype. With the launch of the new partner program, one goal is to increase that percentage, he said.

Key elements of the program include improved discounts for partner-sourced opportunities, based upon partner tier. “We want to invest more and incentivize more to our partners that are willing to invest with us,” Gordon said.

While selling security products to software development teams can come with challenges, Sonatype’s platform for application security includes capabilities that provide opportunities to sell to the security teams at customers, he noted. For instance, Sonatype’s Nexus Firewall can be utilized to intercept malicious open source code before it can be downloaded for use by a development team.

“It’s stopping any vulnerable code from getting into the software development supply chain. That’s a security piece,” Gordon said. “When partners are getting involved with us, they’re bringing together the developers that they may be working with, with other point solutions, and the security teams that they may be working with.”

Partner Perspective

Joey Campione, founder and CEO of Opticca Security, an AppSec specialist based in Montreal that’s been partnering with Sonatype for three years, applauded the vendor’s new partner program. In particular, Campione expects the new program will bring “better focus and attention to strategic planning.”

“That was something historically that was not formalized. Anytime that you have that level of rigor and discipline, it typically drives growth,” he said. “We anticipate that this will drive significant benefit.”

A big advantage of Sonatype’s offering is that it provides data about software vulnerabilities that is more granular and more reliable than others in the AppSec space, Campione said. That enables better triaging and prioritization of which vulnerabilities are the real threats, among the massive quantities of software flaws that are continually being disclosed, he said.

With the Sonatype platform, “we’re not spending time with irrelevant information,” Campione said.

The quality of data has long been Sonatype’s biggest differentiator, Jackson said. “We have exponentially larger investments in data research and data curation than the competitors that I know about,” he said.

That’s critical as organizations are looking to scale up their efforts around software supply chain security, Jackson said. For many customers, security for software supply chains and open source code has gone from “something they should be thinking about, to something they must be thinking about,” he said.

Driving Demand

In addition to supply chain attacks — such as the SolarWinds breach and, more recently, the attack on communications platform 3CX — vulnerabilities in open-source code such as Log4Shell have been driving this growing awareness and interest.

Likewise, the White House’s push for SBOMs (software bills of materials), which list out the components of a piece of software, has also been drumming up demand for the types of offerings that Sonatype provides, Jackson said.

On the SBOM front, “the partners are perfectly positioned to help,” he said. “Oftentimes, the partners know the businesses way better than we do. We’re a technology provider and an information provider, but we’re not usually in a position to help organizations reshape their businesses around new trends.”

‘One Common Platform’

Another major way that Sonatype stands out in the field is that it provides three options for using its platform — in the cloud, in on-premises environments and in disconnected environments, Gordon said. “I don’t know of anybody else that does that,” he said.

At Sonatype, Jackson added, “we don’t want to force our architectural preferences” onto customers. Major financial institutions, for instance, can be expected to keep a lot of their software development work in on-premises environments well into the future, and they “don’t want to be forced” to move that into the cloud, he said.

Ultimately, Gordon said that for partners who are “interested in expanding their footprint within large enterprise, and they want to bring the security team together with the developers on one common platform, we have the solution that these partners can take to market.”