Sonatype Nexus Repository Review

Helps ensure that developers utilize the safe open-source components we provide to them

What is our primary use case?

Our primary use case is as a manager and storage location for open-source software components. We utilize the Nexus repository to store safe open-source components that our developers can utilize in their applications, as opposed to their going out to the internet and getting potentially unsafe versions of the open-source components.

We use it to manage binaries both in the IMR and in staging. Our biggest use of the software, as stated before, is to store open-source software components for user applications. The second biggest use is as a staging repository. We'll stage binaries for changes that are ready for deployment across to a production environment. We'll stage them there so we know they're centrally located. If we want to do any scans we can do them right there before they're deployed to our enterprise.

How has it helped my organization?

It has improved the organization in that it has helped us ensure that developers are utilizing the safe, open-source components we provide to them. We know who they are, through the use of the Nexus software, when they took them, and where they're being used. It has helped us to increase the security of our applications.

What is most valuable?

One of the most valuable features is the variety of permissions you can use on the repository. That helps us protect access to the information inside of the repository.

What needs improvement?

I would like to see them build in some scanning features out-of-the-box, as opposed to only getting them by buying the add-ons of Nexus IQ Server. I would like to see some level of ability to filter in the tool itself, through scanning the binaries in there.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Thus far, the reliability has been good. I haven't seen any problems with the Nexus software breaking down.

What do I think about the scalability of the solution?

It's very scalable.

How are customer service and technical support?

Tech support is fine, they're very responsive.

Which solution did I use previously and why did I switch?

They were using SharePoint sites, file folders on servers. We're still using them to some degree. They switched to Sonatype because they wanted to get the increased security portion of Sonatype, known as Nexus IQ Server, but they had to purchase the repository first. They're just now getting the money for the rest of it.

How was the initial setup?

I wasn't here when they did the initial setup, but they did it in a slow manner. They started off with a proof of concept. It took at least a year. It was easy to install on the servers, but the politics and building up users took six months.

It looked like the implementation strategy they came up with was to do the proof of concept, then get some projects to start, and grow it slowly until the value was seen. And then they forced everybody, so they had no choice but to use it.

What about the implementation team?

They used a consultant.

What was our ROI?

Using it for the IMR we have a sense of security now that we control what goes out to changes in our enterprise.

What's my experience with pricing, setup cost, and licensing?

It seems like a fair price, based on other software solutions I've purchased.

Which other solutions did I evaluate?

There were other options. Veracode was one of them.

What other advice do I have?

Make sure you know how you want to use it, and set up your rules, processes, and policies before you implement it.

Their customer service is pretty good. Their software does what it says it does. They've got another component add-on we're looking to purchase that will assist us. Sonatype has business relationships with other companies which sell their software, and their name is known in the DevOps world. They're a stable company and have a stable product.

In terms of the number of users using our Nexus Repository, just about every developer who programs in Java has to use one portion of it, and we have about 500 of them. At least 300 users in the IT community use it. For deployment and maintenance of the solution I've got three people, one of whom is on contract. They're involved in maintaining the software, keeping it up to date, configuring it for better security, training users, etc.

We are looking to increase usage up to 500 people when we get the next component.

I'd give the product an eight out of ten. If they want a ten, they should cut their price in half and they should increase the security capabilities out-of-the-box.

Which version of this solution are you currently using?

