Sonatype Nexus Lifecycle Other Advice

Security Team Lead at Tyro Payments Limited
My advice is that you should definitely use it. You need to think about the rollout and to make sure you integrate it into the software development lifecycle. That's where you get the most value because it provides quick feedback for developers. Be mindful of the rollout and breaking the builds. I don't think other companies that we spoke chose to break builds, but we do that and that is a sensitive topic for developers if you choose to do that. We don't use the application onboarding and policy grandfathering features at all. I suggested that to them, but the main reason we don't use them is, while we had that problem when we started out, we don't have the problem anymore. We don't use the Success Metrics feature as much. When it first came out I was quite excited about it, I thought it would be quite useful. But it hasn't really been as useful as I would have liked it to be. I was going to use it for figuring out trends. I was hoping to figure out how are we are tracking the number of vulnerabilities being discovered, and the trend, over time in terms of: Are we actively addressing them? I was hoping to break that down to engineering departments so could create a report and say, "Hey, this particular department has been really good, they're actively fixing vulnerabilities as they're coming out. This other department could be a lot better." I was hoping to get that, and it kind of had that. To be honest, I haven't looked at it for quite a while. But when I first looked at it, it looked quite good, but I didn't understand quite a bit of the graphs. I ended up using my own data set instead. We do have metrics on how much faster it helps us to fix issues but that's more because we have a company policy, we have an SLA there. It's based on the severity of the issue. There is a CVSS code. We map that into criticality, so if it's a ten, we say it's a severe security issue. There are ranges: critical, high, medium, low. This is actually mapped out to some standard policies that come with Nexus Lifecycle when you first install, so we just kept that in there because we thought that was best practice. But what we did say is that if there is anything that's critical, we want the team that's looking after the application to immediately stop work and address it straight away. If it's a "high," they have one month to address it. If it's a "medium," they've got three months, and if it's a "low," they've got six months. That's how we choose to address it, but that's set by us and it's enforced by Lifecycle. We have done something to integrate with it. It's not part of the feature set that it has. We integrated with it such that when we do discover something that's new - nothing that's introduced; rather something that's already in there that was okay yesterday but isn't okay today - we put a policy waiver (which is the term they use in Lifecycle) in place so it doesn't break the build. Once that SLA has expired, it will break the build and teams cannot make any more changes until they address it. That helps us conform to the SLA. The data quality is generally pretty good. We're pretty happy with it. We have seen a few cases in the last year where there were things that came out, and the teams came to us and said, "Hey, it's saying this, but we investigated further, it's not really an issue." So we've gone back to Sonatype and told them about these things. But, having said that, across the board, we feel that Nexus has been the most accurate so far, compared to all the other ones that we have used. It integrates fairly well with our existing DevOps tool. We had to do some work to get the metrics that we can show teams. We had to do some work to hand it the SLA stuff that we want our teams to go by. We are trying to do some work now where we want to create a defect ticket automatically. It hasn't been very good at that. It has some basic functionality but not as good as what we want. But generally, I would say it's good. I would also add that I don't think that it's any better or worse than the other products out there. It's doing all right. The primary integration was to enforce our SLA. The other integration we have done is we created another tool that acts as a proxy. There are applications and applications belong to a team. It allows us to give immediate feedback to the teams. When the teams choose to build it locally and they run this tool, they don't use the Lifecycle tool, they use this tool that we wrote. The reason why we did that was for our SLA, because then the report comes back to the team. It actually shows them how many days remain for those things that are subject to the SLA. We also did some work to create a Wiki page, one for each team, that we update every day. This is more to give to team leaders, who are not always on the code, an overview of what the outstanding security issues are, in which applications they are found, and how much time they have to fix them. Regarding the time it takes to release apps, it hasn't changed the amount of time. We would like to move to continuous deployment but, at the moment, some of them are continuous and some are weekly and this has had has no impact on that. We have about 135 users of the product in our organization. Software engineers are using it, DevOps engineers are using it, we've got some testers using it. We also have some delivery managers using it and they're using it more for the reporting to see how things are going. We also have some operations people using because it can also scan containers. It has been utilized quite extensively. I don't think it's going to increase any more. It would increase if we had more applications, but we are also using a lot more technologies. I give it a nine out of ten because of the accuracy. I like the information that it provides in terms of how to address issues. It would have been a ten, but there are other things that require integration, the extra stuff that we had to do, which I wish we didn't have to do, that it was all done for us. But we're probably not using it in a way that they envisioned most people would use it. View full review »
Configuration Manager at a health, wellness and fitness company with 5,001-10,000 employees
Have a key, a defined goal because, as much as the tool is there, it isn't able to create a goal. The goal is, "We would like to improve the security of our codebase by at least X percent, ensure that 90 percent of our applications, for example, going to market are secure applications." With that goal in place, I would look at purchasing the tool because it would be an immediate implementation of that strategy. We bought the tool with that idea in mind, but nothing clearly defined on a granular policy level. But that's ultimately what makes the difference, to say we are focusing on looking at these types of either licensing or dependencies. The tool is then just automating that process or enabling us to do that. It's taken us about two-and-a-half years to implement a strategy. Whereas, if we had the strategy initially in place, it would have gone much faster. The governance is centered around security and licensing. Those are the core governance factors around the policy. From a dev SecOps perspective, it's fundamental for governing your third-party dependencies. That's where the enforcement comes in. Once you've defined the policy, it becomes the law, and you can enforce that law. If you are working in a SecOps-type environment then you would sign off on that policy to enforce that. We haven't used the Success Metrics to its full potential. We understand it revolves around targets that need to be set and how far you are from those success targets, but we haven't used that as yet. I wouldn't look at it as a root-cause analysis or a monitoring tool. Yes, it does scan for security vulnerabilities and where we've violated licensing, but it's not used as an Elasticsearch, a Splunk-type, or Dynatrace-type of tool. When it comes to troubleshooting and root cause analysis, will we use our Dynatrace and our Elasticsearch to look at the logs. A lot of the third-party dependencies are open-source dependencies. A lot of them are provided through Apache, etc. We always look at enterprise solutions because of the nature of our business, but where the is an open-source piece of software which we can utilize as part of our enterprise solution then we do. We haven't scoped Nexus IQ to focus on open-source software. Nexus IQ in and of itself is commercial. If we had to use Jenkins or any of the open-source build tools, it would easily integrate with those open-source tools. Using Nexus Lifecycle, it might end up taking longer to release to market because you may need to refactor. In an industry where these applications have already been developed and now you end up scanning them and you pick up all these issues, you are going to have to refactor them. That means that either new requests must go into a backlog or you fix technical debt, which is what Nexus IQ is going to tell you to do. It might have an adverse impact at first, but the goal is to get to a point where you break even. Now we are at a point whereby our apps are being released into production as secure applications. There is the opportunity with new applications, from the onset, to ensure that they are released as secure apps into the market. That doesn't mean that they might be released faster because that could depend on a number of factors. It could depend on your testing cycle, it could depend on your release process, etc. We haven't had a one-on-one sit-down, or a survey done to really gauge the type of developer engagement. Our level of adoption has been a little inconsistent. Right now, they're getting the visibility of these metrics, but they don't actually have to do anything about it. But once we enforce the policy that their builds and releases will fail, then they will be forced to do something about it. From a SecOps perspective, it enables them to put that application on a risk register and say, "Listen, we need business to focus on fixing this application, making sure it's secure." That's the direction we are currently headed in. Developer productivity could be based on how automated our pipeline is. We are there. We just have to focus on dev and nothing else. This might actually give them that awareness. View full review »
Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
My advice is "do it yesterday." You save yourself a lot of money. Even during one, two, or three weeks, it's going to cost you a lot of money to fix the security vulnerabilities that you are ingesting in your development lifecycle. You could be avoiding that by using a product like Lifecycle. With Lifecycle, the product itself, the intelligence is contained in the implementation called IQ Server. IQ Server has a component called Firewall. The Firewall, as the libraries are ingested into the organization, will scan each and every one of them. Depending on the policies, it's customizable as well. You can put policies there to say, if the library missed this criteria, block it. And you can say, if you block it, "But this library's okay, allow it in." You can waive policies. It's very highly customizable, such that you can block it at ingestion and you've got five other levels through which you could disallow a library. You could block a library from going into your staging or your development. It will be used by over 2,000 developers in our organization, and that is just Phase One. Other phases will be rolled out, so it will be an enterprise deployment for the whole bank. It's a financial institution, an investment bank that is very big. We may have over 10,000 developers. For all organizations - but most of all for financial institutions - security is very important. Somebody in the bank gave a mandate that we need to be more secure and this was implemented. The best way is to get the developers into the idea is that, by using the product, they'll be actually be saving themselves some time, because as far as security is concerned, they won't be required to change their programs as much. I would give this product a nine out of ten, knowing that I'll have a full report of artifacts that would have been ingested into our organization - artifacts that are not secure - if I didn't have the product. That information is priceless. View full review »
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: October 2019.
382,547 professionals have used our research since 2012.
Devin Duffy
Information Security Specialist at a financial services firm with 1,001-5,000 employees
Have an idea of where you're going to put it in the SDLC. Have an idea of where it's going to catch builds. Know what it does and how it works, to understand how the proxy and the firewall work. Understand how to scan components. Be ready to have an "orange team" - that's a new term - to have "success engineers," people to work with developers. People who can say, "Hey, this is how you use this, this is how you check your builds," people who will be able to help the developers transition to coding more securely. Also, learning to scope and prioritize remediating stuff, learning to scope down your issues, is really important, to figure out which vulnerability in your existing code base you're going to tackle first. That's something I learned while using it. You can look at the entire threat landscape and just be overwhelmed and not get anything done. It's like a messy house. You've got to start somewhere, in a corner, and make that corner clean. Same thing here: You've got to pick your biggest pain point, you've got to pick the easiest way to fix it, and you've got to move forward from there. It blocks undesirable open-source components from entering your development lifecycle. Sometimes we have to let the components in. The design of it says that if we let one component in for one team then we let it in for everybody else. That's a bit of a pain, but they are taking care of it and figuring out how to deal with that sort of issue. It's an unintended consequence. It's doing a great job at keeping stuff out but when we have to let something in for one team, we let it in for all the teams because that's the way the proxy works. I feel that it has increased the time it takes for apps to go to market but that's only because it's a new mitigating control. Before, nobody really cared about what they were throwing into their builds. All of a sudden that became a security concern and we needed a vendor like Sonatype. Once we started this, it was a necessary evil to make people examine what they are throwing into their builds and explore other components that are not vulnerable to things, right out of the gate. It is a new mitigating control to find a new class of vulnerability. It helps enforce secure coding practices and that can have a time cost when you're first rolling it out but, after a while, it may not have as much of a cost because more developers are familiar with it. Regarding the Success Metrics feature, I sort of use it, but I built a framework using their scanning engine, so I actually keep track of metrics on my own. It's okay, but it's not really my thing and we don't really have much of a use for it, to really invest in integrating the Success Metrics into what we've got going on, pipeline-wise. In terms of its integration with our existing DevOps tools, they've addressed these issues since then, but I ended up having to build a whole pipeline off of what they had, an undocumented API. They made it into a regular, documented API at a later point in time and that was just pulling vulnerability details for a specific component. Other than that, it works well. In terms of the number of users we have on the solution, "using it" is a very loose term. My team is automating it, other teams ingest the results, and between 900 and 1,500 people see the messages or have been impacted by it somehow. There are two or three people who work to maintain it who are Linux administrators. We're planning on rolling it out two more pipelines. In about a month we're going to triple our audience. Overall I would rate this solution at nine out of ten. Most everything that I've tried to do with it has been possible. I've had very few complaints that they didn't immediately address, or didn't explain that remediation would be unfeasible. They never talk down to me like other vendors do. They're a good vendor and they provide what I feel is a solid product. View full review »
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
In the early stages of planning and design for rolling this out, ensure that you get all of your stakeholders involved; those who will have an input on the policy settings. Also, ensure you have a process and people involved to deal with the findings. Have that baked into your standard enterprise processes. Don't just turn it on and not know what to do with it. View full review »
Axel Niering
Achitekt at SV Informatik GmbH
Look very closely look at Nexus Lifecycle to check whether the system is a possibility in your environment. It has good data quality and good integration in our build environment. Everyone must check for themselves whether it is the right solution for them. But I would always advise to have a close look at Nexus Lifecycle, if there are similar requirements to ours. The Success Metrics feature is something we have not used too much up until now. It's unused because when we started was it was very basic. However, it is a very good means for seeing how successful we have been in reducing the issues that are connected with applications. We could improve the quality of the third-party libs we are using, and the SDLC is something we are going to improve as well. In this area, we hope Nexus Lifecycle will help us to do so. It's just a part of what there is to do, but Nexus Lifecycle will be very helpful in this kind of process. We can get the information about vulnerabilities and licensing problems very early, when integrating a library into Eclipse, for example. Further on we can scan applications manually and integrate the evaluation into the build pipeline. These things are important as early as possible, but it's also good to have the last look if there is something we do not want in production. In terms of blocking undesirable open-source components from entering our development lifecycle, we could configure the solution to do so but we haven't done so yet. This is, of course, something we want to do. As for the tool increasing developer productivity, I would say yes and no. Now we can better deliver secure applications but, on the other hand, there's more to do. Of course, it was just not done before so it would be comparing apples and oranges. It is possible that we will extend the tool to other development departments, or even to those who are looking at the licenses. We are using it on-premise, right now, and this is something we would continue. We are integrating it with our Jenkins and Nexus-based build pipeline, which is also here on-premise. This is what we are going to do in the next weeks. View full review »
Java Development Manager at a government with 10,001+ employees
Their support is good. They help with understanding the environment. They helped us with the initial PoC work. Their product is configurable. We can customize the policies. We had some hiccups, but it was pretty self-explanatory once we understood all the different parts. It was easy to set up and get going. From an implementation perspective, it's not a complex setup, which is a good thing. We have ten people using the solution, which includes developers, some of our managers, and architects. For deployment and maintenance of Nexus, we need just one person, a developer. We have pretty much scanned all of our applications. We have around 30-plus Java applications. Based on the current set of applications and the number of users who are using this product, there are no plans to increase usage at this time. View full review »
Systems Analyst at Thrivent Financial for Lutherans
There are demo licenses so ask them for one to try the solution. They will get back to you for sure. I would tell others how easy and how good the product is, and how easily they can implement, integrate it, and secure it. I refer this product to most of my colleagues and friends. We integrated with Nexus IQ. The Sonatype people visited us three or four times. They explained to us how to use it, how Sonatype works, as well as the best features. They explained everything briefly and gave me the best examples and features and comparisons with other companies; how they're using it and how we could improve our organization. I liked that. We have about 300 developers using it in our organization and they just use our global configuration files. They don't know what is going on in the background, it's completely infrastructure-driven. We used to give them instructions on how to use Nexus and how to check their security levels. Staff for deployment and maintenance includes six people in our team. Two are in the US and four are offshore in India. It's a 24/7 process so we need to cover everything. We do have plans to increase usage, but that's not my role. The solution is awesome, the way they have implemented it, the way they help us know what is good. We haven't found any difficulties. Overall, I give the solution a nine out of ten. It's a very user-friendly product and it is very easy to integrate with any other products. It's more reliable and more securable. View full review »
Gus Orologas
Lead IT Security Architect at a transportation company with 10,001+ employees
We have one person assigned to this solution for maintenance. It's not being used extensively, and there's no plan to increase it, even though there's a desire to increase use of it. In other words, everyone wants to deploy this, but no one has figured out how they're going to do that enterprise-wide. It's a process problem, not a technology problem. Overall, I give it a nine out of ten. It has a very intuitive interface and clearly displays the problems and the solution. View full review »
Find out what your peers are saying about Sonatype Nexus Lifecycle vs. WhiteSource and other solutions. Updated: October 2019.
382,547 professionals have used our research since 2012.
Sign Up with Email