What is our primary use case?
We use it to scan applications for open source libraries and to find libraries with a clean version for developers. If one version is vulnerable, they can switch to another version which is clean.
Our situation is that we are running it as a pilot. Hopefully, this year we will be moving the environment into production. Delays happened due to some of our workforce being allocated to different organizations, and then we had the pandemic.
It's deployed on-premise, on a virtual host.
How has it helped my organization?
We can automate the pipeline of CI/CD. For example, if a publication uses an open source library and it's vulnerable, then the security team will mark it in the Lifecycle suite and it can go through the pipeline without manual interaction by the developer.
I'm not a security guy but I have sat with the security team. Once you set the policies, you won't need to change them. The policies wouldn't change that frequently. It covers the needs that we have.
Using the solution we have been able to clean our environment, providing more protection for our applications. We have a more hygienic environment than before. Before using Lifecycle we were almost blind to whatever we had and didn't look into the vulnerabilities within open source libraries. Now we do.
It has helped to increase our productivity a lot, especially with Nexus Repository Manager. It is way more agile. There is no comparison between our productivity before and now.
In terms of the accuracy of the data from Sonatype, at first the teams were challenging whatever the solution provided, but they then verified with the vendor of the open source libraries or via the related community, and they realized that the data from Sonatype is something that is done carefully. It's accurate and valid data. We are now introducing a security layer for open source. Before, there was no security on open source and they did whatever they wanted but that is no longer the case. They have to fix things before deploying them. It helps them resolve issues. It works most of the time, but sometimes there are challenges for the developer in solving them.
We also use the solution to automate open source governance and minimize risk with policies. Some of our developers, although not all of them, have their own Jenkins installed and they set rules and policies. They have integrated Jenkins with Lifecycle and, whenever they push into production, it verifies they are not violating any policies. Once everything is smooth, it goes into production. We haven't formalized that process yet.
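The Jenkins gate described above, where a build is evaluated against Lifecycle policy before anything reaches production, looks roughly like the following Declarative Pipeline. This is an added illustration, not the reviewer's or Sonatype's own pipeline: it uses the `nexusPolicyEvaluation` step from the Nexus Platform Plugin for Jenkins, and the application ID `payments-api`, the Maven build, and the `target/*.jar` scan pattern are assumed values that would be replaced with the organization's own.

```groovy
// Added example: a Jenkins Declarative Pipeline that fails the build when a
// Sonatype Nexus Lifecycle (IQ Server) policy is violated. The IQ Server URL and
// credentials are configured globally in Jenkins (Manage Jenkins > Configure System),
// so they do not appear here. Application ID, build command and scan pattern are assumptions.
pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                // Produce the artifact whose open source dependencies will be evaluated.
                sh 'mvn -B -DskipTests package'
            }
        }

        stage('Lifecycle policy evaluation') {
            steps {
                // Evaluate the built artifact against the policies the security team
                // configured in Lifecycle at the "build" stage. If any policy action for
                // this stage is "Fail", the step throws and the pipeline stops here, so a
                // violating library never reaches the deployment stage below.
                nexusPolicyEvaluation iqApplication: 'payments-api',
                                      iqStage: 'build',
                                      iqScanPatterns: [[scanPattern: 'target/*.jar']],
                                      failBuildOnNetworkError: true
            }
        }

        stage('Deploy') {
            steps {
                // Only reached when the evaluation above passed or produced warnings only.
                sh './deploy.sh'   // assumed deployment script
            }
        }
    }

    post {
        failure {
            echo 'Build stopped: fix or replace the flagged open source components and re-run.'
        }
    }
}
```

`failBuildOnNetworkError: true` is the important caveat for a gate like this: without it, a build that cannot reach the IQ Server is treated as passing rather than failing, which silently removes the control the reviewer describes. Whether a given violation warns or fails is decided by the policy's per-stage action in Lifecycle, not by the pipeline, which matches the reviewer's point that the security team sets the policies once and developers then flow through the pipeline without manual intervention.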
What is most valuable?
It's a great tool. We have it connected live to the Sonatype database. Whenever there is a new vulnerability, it's discovered. We have early detection of any vulnerability in our open source library. The scanning capability is its most valuable feature, discovering vulnerable open source libraries.
What needs improvement?
The reporting capability is good but I wish it were better. I sent the request to support and they raised it as an enhancement within the system. An example is filtering by version. If I have a framework that is used in all applications, but version 1 is used in 50 percent of them and version 2 in 25 percent, they will show as different libraries with different usage. But in reality, they're all using one framework.
For how long have I used the solution?
This is my second year using Sonatype Nexus Lifecycle.
What do I think about the stability of the solution?
It's very stable. I don't recall ever seeing problems. The main concern would be data-disk corruption, but I haven't seen it, even though the server, due to patching, has been rebooted multiple times.
What do I think about the scalability of the solution?
When it comes to scalability, there's a limitation in terms of high-availability. Sonatype recommends you go with high-availability. However, you have to have an Active-Passive solution and we don't use a separate installation for each organization. I know there are ways you can install multiple instances for each organization and proxy between them. Because we are a single organization that uses one installation, we have to set it to Active-Passive and manually switch the Passive on and off.
How are customer service and technical support?
My experience with their technical support has been good, overall.
The problem for us is that we work in a different time zone than they do and the workdays are different. We don't work on Friday and Saturday. If we send them something on Sunday, we don't hear back until Monday. If it is urgent, they get back to us.
Which solution did I use previously and why did I switch?
We used OWASP Dependency-Check, but for only about five months. It needs maintenance. You have to maintain the database library manually, and install it on the developers' workstations. There are a lot of drawbacks with that solution.
If we depend on OWASP Dependency-Check, it is a public vulnerability tool and it is not a good database, to be honest. If you have a library where one version is marked as vulnerable and you go to the community, the owner of the library says all versions are vulnerable. You would not see the vulnerability reflected regarding the versions. You would see it on one version and the others would be marked as clean. The team at Sonatype is doing a good job of maintaining this information very well.
We were working with Repository Manager and the security team switched to a Nexus server to reduce the effort and eliminate duplication. We now also have one, unified solution to cover all the possibilities.
How was the initial setup?
The installation is straightforward in terms of the application itself. However, with our setup, with our environment and the restrictions we have, we had to do a lot of things. But that work was from our side, not from the application's side.
We did the installation within about two to three days. I was part of our support team at that time. Later on, I added enhancements on-the-go, such as certification. If I were to do the installation now, I would do it within an hour. It is the configuration that you have to get to know. Once you know it, that's it. When it's new to you, you have to take the time to read the documentation to understand what's going on and do things right.
What about the implementation team?
I only worked with the support from Sonatype and I was the only person in our organization involved in the installation. I am also the only one who runs this part of our environment, in terms of maintenance.
What was our ROI?
We expect to see ROI once we're using it fully in production.
What's my experience with pricing, setup cost, and licensing?
Lifecycle, to the best of my recollection, had the best pricing compared with other solutions.
What other advice do I have?
We ran into too many debates and there was this culture of "security is not mine" and someone else should have to deal with it. After using the solution, they realized this is not the case. Security vulnerabilities had to be addressed. I was a developer and I understood their complaints, but security is important and you have to go with it. The tool is there to automate and simplify your work and you should utilize it. It has been a very good experience.
We are introducing Lifecycle and developers will be aware, with the IDE plugin, from the beginning, whether the libraries they are using are vulnerable or not. There should be no delays if they work with it from the beginning.
It is used, or should be used, by all of our 120 developers. But in a group developing a given application, not everyone would commit to it and scan the application. One would do the scanning. But, overall, all of them should be directly or indirectly using it or depending on it.
When we move it to production we will need to do a recertification of the users and find out who is not using it, who would use it, and who is shifting to other organizations. Then we will decide on the number.
Which deployment model are you using for this solution?