What is our primary use case?
With the security concerns around open source, the management and vulnerability scanning, it's relatively new. In today's world more and more people are going through the open source arena and downloading code like Python, GitHub, Maven, and other external repositories. There is no way for anyone to know what our users, especially our data scientists and our developers, are downloading. We deployed Sonatype to give us the ability to see if that code is vulnerable or not. Our Python users and our developers use Sonatype to download their repositories.
Given the confidentiality of our customer, we keep everything on-prem. We have four instances of Sonatype running, two Nexus Repositories and two IQ Servers, and they're both HA. If one goes down, then all the data will be replicated automatically.
How has it helped my organization?
We have visibility into what developers are downloading now. We had an incident recently where a few of the packages from PyPI were vulnerable, and we knew. Another example is that we were working on an open source project, enterprise-wide, and we wanted to do a PoC. When the company doing the PoC started downloading the packages, even they didn't know that those packages were vulnerable. Sonatype detected that.
Nexus Firewall has also significantly improved the time it takes us to release secure apps to market. Before, we needed to manually do a security evaluation for the static and dynamic code. While Sonatype does not do static analysis, it's been fine for dynamic. We don't have the headache of worrying about what our developers are downloading. Sonatype is taking care of all that. We have a very closed environment; nothing is allowed. Everything is "deny, deny." It used to be that for a user to request a package from PyPI, for example, they would need to submit a firewall request and to go through a CRV meeting. People would need to review it and approve it or reject it. Once that was done, we would need to whitelist that URL into the proxy. To download simple packages it would take users two weeks. Now, they can do it instantly.
It has helped developer productivity because they can do things right away now. For the majority of the code they're downloading, the URLs are already whitelisted through Sonatype. Our development has been pretty fast, as a result. Overall, the executives have been happy, because now we have something that is evaluating the open source code.
What is most valuable?
The Nexus Firewall itself, with its sheer ability to ensure that you're downloading safe code, is a big win for our environment.
Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you.
When you go to the IQ Server dashboard, it will tell you, "Version 1.2 is not good. You should upgrade it to version 1.3." You have that visibility, and you can whitelist things based on your business justification, and you can add notes in there as well.
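The notification the review describes (a package that was clean on download gets flagged days later, with the dashboard naming the version to upgrade to) is a re-evaluation of an already-downloaded inventory against advisories that arrived afterwards. The Python below is an added example of that idea and is not Sonatype's own code; the inventory entries and advisory records are constructed sample data, and the advisory ids are placeholders, not real identifiers. It also normalises package names the way the PyPI index does, so `Sample_Lib` and `sample-lib` are matched as the same component.

```python
"""Added example, not Sonatype's code: re-check components that were
already downloaded against advisories published later.
Inventory and advisory records are constructed sample data.
"""
import re
from dataclasses import dataclass


def normalize_name(name):
    """PEP 503 normalisation so 'Sample_Lib' and 'sample-lib' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Compare dotted numeric versions as tuples ('1.10' sorts after '1.9')."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id (constructed, not a real CVE)
    name: str          # affected package
    introduced: str    # first affected version, inclusive
    fixed: str         # first version that is no longer affected


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def reevaluate(inventory, advisories):
    """Return one finding per (package, version, advisory) match.

    inventory: list of dicts with name, version and downloaded_by, as a
    repository manager would log them at download time.
    """
    by_name = {}
    for adv in advisories:
        by_name.setdefault(normalize_name(adv.name), []).append(adv)
    findings = []
    for item in inventory:
        for adv in by_name.get(normalize_name(item["name"]), []):
            if is_affected(item["version"], adv):
                findings.append({
                    "package": item["name"],
                    "version": item["version"],
                    "downloaded_by": item["downloaded_by"],
                    "advisory": adv.advisory_id,
                    "upgrade_to": adv.fixed,
                })
    return findings


def report(findings):
    """Render findings in the 'version X is not good, upgrade to Y' form."""
    return [
        f"{f['package']} {f['version']} (downloaded by {f['downloaded_by']}): "
        f"version {f['version']} is not good, upgrade to {f['upgrade_to']} "
        f"[{f['advisory']}]"
        for f in findings
    ]


# Constructed sample data: what was pulled through the proxy last week ...
INVENTORY = [
    {"name": "Sample_Lib", "version": "1.2", "downloaded_by": "user-xyz"},
    {"name": "other-tool", "version": "2.0.1", "downloaded_by": "user-abc"},
    {"name": "sample-lib", "version": "1.3", "downloaded_by": "user-def"},
]
# ... and advisories published after those downloads (placeholder ids).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "sample-lib", introduced="1.0", fixed="1.3"),
    Advisory("ADV-PLACEHOLDER-2", "other-tool", introduced="2.1", fixed="2.1.4"),
]

if __name__ == "__main__":
    for line in report(reevaluate(INVENTORY, ADVISORIES)):
        print(line)
```

Run against the sample data, only `Sample_Lib 1.2` is reported: `sample-lib 1.3` is the fixed version itself, and `other-tool 2.0.1` is below the introduced version. The point worth keeping from the review is that this check has to run on a schedule against the download log, not only at download time.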
In terms of securing our software supply chain, what we're trying to do is set things up so that they're upstream from our developers' workstations. Aside from downloading the code safely through Sonatype, a second way is by pushing our developers' code into a repository and Sonatype will do the security evaluation. You can use it as a hosted repository, versus using ADO, which does not provide security evaluation and scanning. It helps bring open source intelligence and policy enforcement across our SDLC.
For how long have I used the solution?
I've been using Sonatype Nexus Firewall for two years.
What do I think about the stability of the solution?
The stability has been okay. I can't complain. It hasn't broken down on us.
What do I think about the scalability of the solution?
It hasn't been hard to scale it. We're in the process of integrating with ADO and our CI/CD pipeline.
At the moment, any developer who needs to download anything from the open source world must do so through Sonatype. All other access is blocked on the servers themselves. The servers cannot directly go through to PyPI, for example. Everything has to go through Sonatype. I can confidently say that we are using it enterprise-wide and everything is coming through Sonatype.
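The "everything has to go through Sonatype" setup above only holds if the clients are actually pointed at the proxy and nothing in their configuration opens a way around it. The Python below is an added example, not Sonatype's or the reviewer's code: it renders a `pip.conf` that sends every install to a Nexus PyPI proxy repository (Nexus exposes such a repository at `/repository/<name>/simple`) and audits an existing `pip.conf` for the settings that would bypass it. The host name `nexus.example.internal` and the repository name `pypi-proxy` are placeholders.

```python
"""Added example (not Sonatype's or the reviewer's own code).

Renders a pip.conf that routes every install through a Nexus Repository
PyPI proxy, and audits a pip.conf for settings that let a client bypass it.
Assumptions: NEXUS_HOST and NEXUS_PYPI_REPO are placeholders.
"""
import configparser
from urllib.parse import urlparse

NEXUS_HOST = "nexus.example.internal"   # placeholder host name
NEXUS_PYPI_REPO = "pypi-proxy"          # placeholder proxy repository name


def render_pip_conf(host=NEXUS_HOST, repo=NEXUS_PYPI_REPO):
    """Return pip.conf text that points every install at the Nexus proxy."""
    return (
        "[global]\n"
        f"index-url = https://{host}/repository/{repo}/simple\n"
    )


def audit_pip_conf(text, host=NEXUS_HOST):
    """Return a list of findings; an empty list means the config is clean.

    Checks: index-url present, https, and on the Nexus host;
    no extra-index-url (second index outside the proxy);
    no trusted-host (disables TLS verification for that host).
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section("global"):
        return ["no [global] section: pip will default to pypi.org"]
    section = parser["global"]
    findings = []
    index = section.get("index-url")
    if index is None:
        findings.append("index-url missing: pip will default to pypi.org")
    else:
        url = urlparse(index)
        if url.scheme != "https":
            findings.append(f"index-url is not https: {index}")
        if url.hostname != host:
            findings.append(f"index-url does not point at the Nexus proxy: {index}")
    if section.get("extra-index-url"):
        findings.append("extra-index-url set: packages can be fetched outside the proxy")
    if section.get("trusted-host"):
        findings.append("trusted-host set: TLS verification is disabled for that host")
    return findings


# Constructed sample of a workstation config that quietly bypasses the proxy.
BYPASSING_CONF = (
    "[global]\n"
    "index-url = https://pypi.org/simple\n"
    "extra-index-url = http://nexus.example.internal/repository/pypi-proxy/simple\n"
)

if __name__ == "__main__":
    print(render_pip_conf())
    for finding in audit_pip_conf(BYPASSING_CONF):
        print("finding:", finding)
```

`audit_pip_conf` is the part worth wiring into a workstation compliance check: an `extra-index-url` is enough to let pip fetch a package the proxy never saw, which defeats the point of routing traffic through the firewall. The same review applies to the Maven `settings.xml` mirror, which the page also routes through Nexus.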
How are customer service and technical support?
I love the product and the team, and their support is phenomenal. You send them an email and they reply back to you within minutes. In general, they're responsive and helpful.
The guys from Sonatype who helped me build our dev environment for the PoC were on the ground with us, helping, running around the room, talking to people, and implementing it. But for the production, we had to do everything on our own.
If I have any questions in terms of implementation, or any high-level ideas, the guys from the customer success team that I'm good friends with, throughout this process, always schedule a time to meet or call. It does take them time, but they always make themselves available.
What I don't like is the lack of an option to pick up the phone and call someone for support. That is something they need to improve on. They need to have a professional services package, or they need to include that option with their services. If something breaks at the customer that we work with, I should be able to call someone at Sonatype, get them on the line, share a screen, and fix it right away. They don't have that at the moment.
Which solution did I use previously and why did I switch?
We did not have a previous solution. This was the first solution we were introduced to. Open source security is new to everyone, and recently we're finding a lot more security vulnerabilities in the open source stack. We saw what Sonatype was capable of, we saw that it was blocking stuff. We saw that we had a log of user XYZ downloading this package and, when it was blocked, we were able to whitelist it or blacklist it, and provide a justification for why it was blocked. So far, everything has been pretty good.
How was the initial setup?
For people who don't have a lot of Linux knowledge—including myself, I'm purely a Windows guy—it can be very tricky. It did take us a long time to stand up the environment.
The fact they don't have professional services to implement it for you is a big gap. I have a good relationship with everyone on the Sonatype team. I sent them an email and they made time to jump on a call and help us build it. That is what is expected from a large, enterprise-level company. We have Azure Sentinel and F5, and those companies have professional services. They help you from end to end, starting with the implementation. Sonatype does not have that at the moment. It does become challenging when you're not a Linux guy and you need to learn and implement it and make sure that you're deploying it securely.
To be fully ready, it took us two months. I was involved, along with one of my engineers, and we had help from the Sonatype team.
In terms of an implementation strategy, we had the whole high-level architecture set up, which was not very hard. But to engineer it and do it was a little challenging for me, but it could be different for people who have Linux knowledge.
There are about 200 people using it across our organization. Most of them are developers and data scientists. I take care of the day-to-day maintenance. The upgrades are easy, the directions are easy. If you do need help, you can reach out to the support.
What was our ROI?
From a security perspective, it has made a significant difference.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive. There are no costs in addition to the standard fees.
Which other solutions did I evaluate?
I know there are others in the market, like JFrog, but it was quite an easy setup and then we just rolled with it. We didn't really bother looking at other products.
What other advice do I have?
You should have some knowledge of Linux before implementing it, because to set up the rsync and to make sure your data is being replicated and that it's HA, you need to know Linux.
We took a look at the demo of Nexus Container and, although I haven't used it hands-on so I cannot say too much about it, it looks like a freaking awesome product. We are in the process of evaluating it and may do a PoC. It looks like it's easy to use, easy to integrate, and does not require a lot of RAM or storage. You can install it on existing Kubernetes clusters, so there's not a lot of infrastructure needed. Using it, I expect we'll find out if the images that we're downloading for the containers are secure or not. It's definitely worth taking a look at it.
Default policies are never really a good idea, anywhere. You need to adjust them based on your environment's needs. When we deployed Sonatype, the policies were not automatically configured so that if a package is malicious it would block it. You need to manually set those up. But their policy engine provided the flexibility that we need. It was really a quick, easy setup.
The biggest lesson I've learned from using Sonatype is that open source security is very important and it's getting crazy these days, because there's so much hacking and so many breaches going on, so much vulnerability. Even Microsoft codes and some of the packages in PyPI are not secure. You trust a repository like Microsoft or PyPI, but there are still some vulnerabilities out there. That is why it was so important for Sonatype to be implemented in our environment.