Sonatype Lifecycle Previous Solutions

NS
Vice President, Cybersecurity at a financial services firm with 10,001+ employees

We have previously used Synopsys, Coverity, and Checkmarx. Fortify stands out for its comprehensive language support, which is a major reason for our satisfaction with their product. For example, Fortify is the only tool that supports mainframes and COBOL. It's encouraging to see their turnaround in this area, and they now support over 30 languages. Checkmarx excels in the design simplicity of its open-source integration in FOD, a new feature, and its cloud-native capability. Checkmarx boasts a sleek user interface that is highly intuitive for new users, while Fortify may require some time to get accustomed to. Coverity used to be a top contender, known for its accuracy and effectiveness. However, their quality and execution speed significantly deteriorated following the Synopsys acquisition. Synopsys has shifted some of its engineers to other projects, negatively impacting the quality of its Coverity product. Despite these drawbacks, Checkmarx remains a strong competitor to Fortify in terms of quality. While Synopsys invests heavily in marketing, its product no longer meets the standards of a robust enterprise tool.

AA
Sr cyber analyst at an energy/utilities company with 10,001+ employees

We were using IBM Appscan. We switched because of limitations and support. We found that developers were able to tweak it and play with it. They could play with the results. Its support had also ended, and it supported fewer languages. There were multiple reasons, and this is why we had to switch to something else.

Buyer's Guide
Sonatype Lifecycle
March 2024
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,578 professionals have used our research since 2012.
IV
Product Owner Secure Coding at a financial services firm with 10,001+ employees

Our company didn't use any other solution.

ME
Sr. Enterprise Architect at MIB Group

We weren't using anything prior to this.

LH
Configuration Manager at a wellness & fitness company with 1-10 employees

We did not have a previous solution. We brought on Nexus Lifecycle because there has been a heightened, more aggressive stance on security.

Maurizio Garofalo - PeerSpot reviewer
Senior manager at a consultancy with 11-50 employees

We did not previously use a different solution.

RW
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees

We did not have a solution with this type of capabilities. We had some type of Nexus product but we layered this on top. We didn't have that capability.

KS
Software Engineer at a manufacturing company with 10,001+ employees

This is the first solution we're using. We had a Nexus repository for several years, and we added Nexus Lifecycle on top in the last one to two years. Before, we would just manually download libraries and clear them by checking the download status. It was a manual task and now it's automated.

WK
Sr. DevOps Engineer at Primerica

We didn't have something that does what a firewall does. We used a different repository and used Nexus IQ to do the enforcement of policies by scanning OSS's individually. It's nice having it happen automatically on the repositories now.

Finto Thomas - PeerSpot reviewer
Information Security Program Preparer / Architect at Alef Education

We were using Sonatype open source, the repository server, for a long time, as a free edition and as a PoC. That's why we picked Sonatype Nexus Lifecycle. 

Before that, we were using a different solution for a period of time. We jumped to Sonatype from our previous solution because it had a limitation on the modules. If I go for a multiple module integration, there is additional cost, whereas with Sonatype, they bundle licenses. There's no limitation. I can go for any number of integrations. That's the reason we switched to Sonatype.

RV
Software Architect at a tech vendor with 11-50 employees

We were using a product before and weren't super happy with it. I found this solution through an Instagram ad. I don't even know how it popped up there, but it was an ad on Instagram that was from Sonatype about one of their free publications that you could get about issues in DevOps. After that, we talked as a team, decided to check it out, and that's how it happened. As annoyed as I've been by those Instagram ads, this one actually worked out very well for us. I guess for Sonatype too.

We used a different enterprise solution (Palamida/Flexera) previously which was a bit cumbersome to run. It would only check when we manually triggered it. Previously, because the scan was sort of deferred, you would find out a month or two later (or whenever you did the scan) that the library might have an issue. Then, we would have to find an alternative library. However, by that time, you've already used it and have to refactor what you were doing before. A refactor like this will take time away from our developers and testers and also will require a redeploy. The process now is a lot smoother because the scan is done automatically and immediately after each build, so we get feedback right away.

Additionally, with the plugin for our IDE that Sonatype provides, we can check whether a library has security, quality, or licensing issues very easily. That is nice because Googling for this stuff can be a bit cumbersome. By checking it before code is even committed, we save ourselves from getting notifications at all.

Nexus IQ Server integrates well with our other ecosystem. Palamida required us to run it locally, like physically, because they would send you the hard drives that had all the mappings on it. These were used to index the components our software is using. We had trouble trying to figure out how to keep it up to date because they would have to send this to us every couple of months or so. Whereas now, we're running IQ Server in AWS and it actually connects to Sonatype's own service for updates. These live updates are a huge improvement to what we were using before.

Releasing a new version of our application used to take between three to six months. What would happen is before we would release it, that's when we'd do a scan and see if there was anything that we needed to fix. We have had it where enough issues came up where we're like, "We need to decide should we still release this or continue trying to work out all these different issues, then release it?" This would push back the release by two to four weeks. Now, because it's a continuous process and we can evaluate new components early on, it doesn't mess with that timeline so much. We know what the status is already at this point. If something comes up, then we can address it right away instead of having to do it near the end. It has helped us to solidify timelines a bit. Because of it, we have not had a delay in a release due to unknown security issues that we found near the end of our version release cycle.

AB
Enterprise Infrastructure Architect at Qrypt

We weren't doing automated vulnerability scans or license scanning. We were pulling straight from the public repositories so everybody had local caches of varying packages, which was different from the repositories of packages on our build servers. It was like the Wild West, but the Nexus products have helped us consolidate our repositories.

The primary reason why our senior director of product management decided he wanted to do this was that we develop sensitive software and need to ensure we don't have vulnerabilities from third-party open source packages. We needed an automated way to do scanning instead of having the developers look at a list of their packages and compare them to a list of new vulnerabilities themselves. That would've been a nightmare. That central repository management was a secondary reason, but it was also important.

As important as vulnerability scanning, the licensing was essential to us too because around the time we were evaluating the Nexus product, there was a large company that was getting sued for violating open source GPL-2 license requirements. We wanted to avoid problems like that. Those are the two primary reasons.

GO
Lead IT Security Architect at a transportation company with 10,001+ employees

We did not have a previous solution. We had nothing.

CC
DevSecOps at a financial services firm with 10,001+ employees

We weren't using a previous solution; we were using a different approach which was very old and which doesn't work. It was penetration testing, which is very problematic. The way it worked was that an application was made and deployed. Then, you or a specialist firm tested the security of that application. You would get a report saying, "Okay, this is what we found." Then you would have to go back and change the application and, after that, get it tested again. You can see how much time it could take you - three, four, five, six months, a year, two years - to get your application tested. It was very inefficient.

The department that is concerned with best practices was obviously doing its homework and that's when they consulted Sonatype. They had some discussions and then the decision was made that this was the way forward. In fact, it is the only way.

RS
Senior Architect at an insurance company with 1,001-5,000 employees

We used OWASP Dependency-Check. It's a good resource for security standards and, occasionally, free tools, and it was a good command-line checker. It matched heuristically, so it would find a lot of false positives. It got us started and gave us an idea of how much debt we had, so it was useful. It just required a lot of tuning to weed out false positives.

BS
Enterprise Application Security Analyst at a comms service provider with 5,001-10,000 employees

We did not have a previous solution.

As I was moving into my security role, the pipeline team was already looking at something and it played nice with Nexus. It was an extra add-on piece or something like that. They were the ones who actually introduced it. I liked it and pushed it along.

AC
Product Strategy Group Director at Civica

Our company tried with Black Duck, but that was it.

LR
Section Chief at a government with 201-500 employees

Sonatype Nexus Lifecycle was the first tool we used with dependency scanning functionality, though we used other vulnerability scanning tools such as Docker and Trivy before Sonatype Nexus Lifecycle. We also scanned for vulnerabilities in images with Harbor. Sonatype Nexus Lifecycle is the only tool we've used for scanning dependencies.

SL
Solutions Delivery Lead at a financial services firm with 201-500 employees

Nexus was our first implementation.

SH
DevOps Engineer at Guardhat

We didn't have a previous solution.

MK
Systems Analyst at Thrivent Financial for Lutherans

We are looking back almost five years. We used a lot of IBM products and we used in-house products. With them, we were able to directly copy the dependencies we had in Maven Central to our local repositories.

MI
Technical Consultant at a computer software company with 10,001+ employees

I have not used another similar solution previously.

MA
Computer Architecture Specialist at an energy/utilities company with 10,001+ employees

We used OWASP Dependency-Check, but for only about five months. It needs maintenance. You have to maintain the database library manually, and install it on the developers' workstations. There are a lot of drawbacks with that solution.

If we depend on OWASP Dependency-Check, it is a public vulnerability tool and it is not a good database, to be honest. If you have a library where one version is marked as vulnerable and you go to the community, the owner of the library says all versions are vulnerable. You would not see the vulnerability reflected regarding the versions. You would see it on one version and the others would be marked as clean. The team at Sonatype is doing a good job of maintaining this information very well.

We were working with Repository Manager and the security team switched to a Nexus server to reduce the effort and eliminate duplication. We now also have one, unified solution to cover all the possibilities.

AM
Java Development Manager at a government with 10,001+ employees

We used the open-source version before moving to the licensed version of Sonatype.

RH
Application Development Manager at a financial services firm with 501-1,000 employees

We did not have another solution that we previously used before Sonatype.

We had one job file we used a long time ago (it was over 10 years ago). At that time, we had purchased a license, but nobody has really used it for a really long time.

RC
Security Analyst at a computer software company with 51-200 employees

Before IQ Server we used an open-source solution called OWASP Dependency-Check. We wanted something a little more plug-and-play, something a little more intuitive to configure and automate.

JC
DevOps Engineer at a tech vendor with 51-200 employees

Twelve years ago we tried other solutions, like Artifactory. But we quickly moved to Nexus. We may change the solution in the next month or year. It's a possibility. It depends on the pricing and whether the solution provides HA.

The main purpose of using the IQ solution was to have an efficient solution to spot and block security risks. We tested and compared a lot of solutions and found that IQ was the best and the most evolved. But a lot of it is not completed, it's still a prototype, from my point of view. That means it cannot yet be used exactly the way it is marketed. There are some features that are missing. But compared to other products on the market, it appeared to be the most accurate one.
