What is our primary use case?
We develop software for our insurance systems. 80 percent of the software is used by third-party libraries, not self-developed. These third-party libraries have security vulnerabilities over time, license issues, etc. With the Sonatype Lifecycle solution, we can easily identify the most critical vulnerabilities and give developers easy-to-use tools to remediate issues.
How has it helped my organization?
We can now easily identify critical components and remediate vulnerabilities, especially in the new projects that we start. For legacy applications, it is also helpful to have an overview of where the critical hotspots are.
This solution has brought open source intelligence and policy enforcement across our software development lifecycle (SDLC) because currently we are focusing more on vulnerabilities.
It integrates well with our existing DevOps tools because we can integrate it into our build pipeline. We can also configure our build pipeline to create warnings and let the build fail if there is a critical vulnerability that violates our policy.
This solution has improved the time it takes us to release secure apps to market. Now, it is easy and quick, not slowing down the development process. When developers introduce new libraries, it's quite impressive how quickly they can be fixed.
Sonatype has increased developer productivity by 20 percent because they do not have to review or fix bugs after release/testing. They can fix an issue right away when it is introduced.
What is most valuable?
The vulnerability description shows:
- Where the problem is
- An explanation of the vulnerability
- The recommendation
- How to fix the problem, especially if there is no possibility to close it by updating the library.
Also, what is really cool is the version graph, where we can see which version is the best one to use with respect to its vulnerabilities.
The integration is easy and straightforward, which is great. The integration into our development pipeline was quite easy. With the developer IDE integration, they don't have to log into the web application to see how to remediate vulnerabilities or integrate artifacts, if they already see there is a problem.
The solution's data quality is great and near perfect for our use cases in the field of Java applications and TypeScript applications. This helps us solve our problems faster.
This solution blocks undesirable open source components from entering our development lifecycle if they have a critical vulnerability. They cannot be introduced. There are two points at which this can happen:
- With a configured policy, something deployed into our staging or release environment can be blocked.
- The developer has the visibility right away to block something when he introduces new components. He might already see there is a problem and can address it then.
What needs improvement?
We cannot currently use the automated pull requests because we are missing the Bitbucket port. We use Bitbucket as our Git repository and automated pull requests only work with GitHub currently. So, we are missing this feature, but we have already addressed this with Sonatype. It is on their roadmap in the near future.
The API could be a bit better for automation and reporting functionality, but that has already been improved over the last few months. We had some minor issues with the API for reporting. There are still some minor points which could be improved. However, the rest of the solution is working well with our environment.
For how long have I used the solution?
We started three years ago with our proof of concept. After that, we extended it. Currently, we are extending it to more of our IT teams.
What do I think about the stability of the solution?
We have had no issues in regards to the stability yet. It works nicely and smoothly. We only had internal IT problems, but that was not a problem of the software.
We have one person who does the deployment and updates once a month or so. The rest is mostly automated.
What do I think about the scalability of the solution?
The scalability works perfectly for us. We have had no issues using it at scale so far. We have 30 users and are extending that to 60 this year (doubling it). Nine percent are from the DevOps team: developers, operating software engineers, and system engineers. The rest are security managers who are looking at the solution for reporting and monitoring.
How are customer service and technical support?
The technical support has been really great. They are fast and helpful. We had some questions in the beginning, but they have always been positive and competent in answering our questions and requests.
Which solution did I use previously and why did I switch?
Previously, we used open source tools but had problems with a lot of false positives which were not well-accepted by our developers. With the Nexus solution, we have practically no false positives.
How was the initial setup?
The initial setup was straightforward and an easy integration into our environment. We had a small proof of concept at the beginning of the project, which very much impressed us with how easy integration into our environment would be.
Integrating the solution took two weeks, then it was done. Most of the time was for providing the infrastructure.
We first did a proof of concept to see if it fit, brought additional value, and enhanced our security. We started with two development teams. It gives great visibility into vulnerabilities with an easy way to remediate issues. After showing this, we extended the solution to more development teams. We are planning to extend it this year to 10 teams, then next year to the entire development community. In parallel, we were doing high-level reporting for management to show how we have developed over time, e.g., what the solution brings and that if we introduce it at the beginning of the development life cycle, we have fewer issues when going live.
What about the implementation team?
We did the deployment ourselves.
What was our ROI?
We have seen ROI; the money spent on the tool has been well invested.
What's my experience with pricing, setup cost, and licensing?
Our licensing costs are on an annual basis. The Sonatype licensing model is transparent with no hidden costs or holes.
What other advice do I have?
Do a proof of concept with Sonatype. A PoC with them is great as they support it and can clearly show the benefits to developers and management.
The default policy is already good. We did do minor adjustments to the default policy. Now, it fits well into our continuous integration lifecycle pipeline, which is quite cool. It provides the flexibility that we need.
We do not yet use this solution to automate open source governance and minimize risk.
I would rate the solution as a 10 (out of 10).
Which deployment model are you using for this solution?