Sonatype Nexus Lifecycle Software Development Lifecycle

Has this solution brought open source intelligence and policy enforcement across your SDLC (software development lifecycle)? If yes, how?

Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
In terms of open-source intelligence and policy enforcement across the SDLC, that's exactly what they're trying to do. They realized that there's so much ingestion of open-source software in most software development lifecycles that there was a need to automate the detection of the ones that are not deemed to be safe. What Lifecycle does with its firewall product is that, as the binaries are being ingested, it's able to fingerprint them. And because there's a fingerprint, it can check with the Sonatype website and tell you exactly what you're ingesting. If what you're ingesting is not secure, it can block it. Then, you can manually say, "Okay, I understand, use this." Or you can go with the suggestion that Sonatype gives you, which is a more secure alternative.
View full review »
Axel Niering
Architect at SV Informatik GmbH
We could improve the quality of the third-party libs we are using, and the SDLC is something we are going to improve as well. In this area, we hope Nexus Lifecycle will help us to do so. It's just a part of what there is to do, but Nexus Lifecycle will be very helpful in this kind of process. We can get the information about vulnerabilities and licensing problems very early, when integrating a library into Eclipse, for example. Further on, we can scan applications manually and integrate the evaluation into the build pipeline. These things are important as early as possible, but it's also good to have a last look in case there is something we do not want in production.
View full review »
Devin Duffy
Information Security Specialist at a financial services firm with 1,001-5,000 employees
It has absolutely helped bring open-source intelligence and policy enforcement across our SDLC. In partnership with the developers who have helped get the word out there, it has given developers the tools they need to figure out what to build with. We implemented a Slack bot using their data, and engineers can query it to find good components; it's been working out very well for us.
View full review »
EdwinKwan
Security Team Lead at Tyro Payments Limited
It has brought open-source intelligence and policy enforcement across our SDLC. We have two kinds of build pipelines. They are centrally managed by a team which handles all the build infrastructure. We integrated it so they have to do those scans. The policy enforcement will break your build, so you can't move forward without addressing it.
View full review »
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
Sonatype has also brought open-source intelligence and policy enforcement across our SDLC. It forces SDLC contributors to use only the proper and allowed libraries at the proper and allowed time in the lifecycle of development.
View full review »
JavaDevef0ca
Java Development Manager at a government with 10,001+ employees
It also brings intelligence to the open-source artifacts, because intelligent servers scan all the vulnerabilities, identify the problems, and then we can ask the individual teams to fix them. That is a plus.
View full review »
SrLeadSo5b76
Sr Lead Solution Services at a financial services firm with 201-500 employees
This solution brought open-source intelligence and policy enforcement across our SDLC (software development lifecycle). The enforcement is simply because the build pipelines use Nexus IQ; the build then fails when Nexus IQ reports an error and identifies a component with multiple security issues, because that breaks the release pipeline. The enforcement is there because you can't release anything without going through that pipeline.
View full review »
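The ingestion-time fingerprint check that Charles Chani describes and the build-breaking policy enforcement that several reviewers mention, shown together as an added Python example that is neither Sonatype's code nor any reviewer's. The artifacts, the severity scale, the findings, the `evaluate` and `gate_build` functions and the waiver mechanism are all constructed for illustration; the one real element is SHA-256 as a stand-in for the product's fingerprint.

```python
"""Added example (not Sonatype's code): a minimal artifact firewall and build gate
modelled on the behaviour described in the reviews above.

- fingerprint(): SHA-256 of the artifact bytes, standing in for the fingerprint
  that the product computes as binaries are ingested.
- evaluate(): looks the fingerprint up in a constructed intelligence database and
  returns 'allow', 'block' (with a suggested safer alternative), 'waived' when a
  reviewer has recorded a manual exception for that exact fingerprint, or
  'unknown' when the artifact has never been seen (fail closed).
- gate_build(): evaluates every component a build pulls in and returns a non-zero
  exit code when any blocked or unknown component is present, which is how a
  policy "breaks the build" in a pipeline.

All component names, bytes, findings and scores below are constructed for the
example; they are not real vulnerability data."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def fingerprint(data: bytes) -> str:
    """Content fingerprint of an artifact (SHA-256 hex digest)."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts: file name -> bytes a build would download.
ARTIFACTS: Dict[str, bytes] = {
    "parser-lib-1.2.0.jar": b"constructed bytes for parser-lib 1.2.0",
    "parser-lib-1.3.1.jar": b"constructed bytes for parser-lib 1.3.1",
    "logging-util-0.9.jar": b"constructed bytes for logging-util 0.9",
}


@dataclass
class Finding:
    severity: int                      # constructed 0-10 scale
    description: str
    safer_alternative: Optional[str] = None


# Constructed intelligence database keyed by fingerprint (stand-in for vendor data).
INTEL: Dict[str, Finding] = {
    fingerprint(ARTIFACTS["parser-lib-1.2.0.jar"]): Finding(
        9, "constructed critical finding", safer_alternative="parser-lib-1.3.1.jar"),
    fingerprint(ARTIFACTS["parser-lib-1.3.1.jar"]): Finding(0, "no known issues"),
    fingerprint(ARTIFACTS["logging-util-0.9.jar"]): Finding(4, "constructed moderate finding"),
}


@dataclass
class Policy:
    block_at_severity: int = 7         # findings at or above this severity block the build
    waivers: Set[str] = field(default_factory=set)  # fingerprints a human has accepted


@dataclass
class Decision:
    component: str
    verdict: str                       # "allow" | "block" | "waived" | "unknown"
    reason: str
    suggestion: Optional[str] = None


def evaluate(name: str, data: bytes, policy: Policy) -> Decision:
    """Fingerprint one artifact and apply the policy to what the database knows."""
    fp = fingerprint(data)
    finding = INTEL.get(fp)
    if finding is None:
        return Decision(name, "unknown", "fingerprint not in intelligence database")
    if finding.severity < policy.block_at_severity:
        return Decision(name, "allow", finding.description)
    if fp in policy.waivers:
        return Decision(name, "waived", f"manual waiver on file: {finding.description}")
    return Decision(name, "block", finding.description, finding.safer_alternative)


def gate_build(components: Dict[str, bytes], policy: Policy) -> Tuple[int, List[Decision]]:
    """Evaluate every component; exit code 1 means the pipeline must stop."""
    decisions = [evaluate(name, data, policy) for name, data in components.items()]
    failed = any(d.verdict in ("block", "unknown") for d in decisions)
    return (1 if failed else 0), decisions


if __name__ == "__main__":
    code, decisions = gate_build(ARTIFACTS, Policy())
    for d in decisions:
        line = f"{d.verdict:7} {d.component}: {d.reason}"
        if d.suggestion:
            line += f" (suggested alternative: {d.suggestion})"
        print(line)
    print("build exit code:", code)
```

The waiver is keyed on the exact fingerprint rather than on the component name, so accepting one known-bad version does not silently accept a later download that happens to carry the same file name; unknown fingerprints fail closed for the same reason.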