Sonatype Lifecycle ROI
reviewer2317233
Vice President, Cybersecurity at a financial services firm with 10,001+ employees
Through our ongoing partnership with Fortify and their commitment to working closely with us, we have experienced a significant return on investment, with benefits ranging from ten to twenty times our initial investment. Additionally, the continuous introduction of new features over the years has further reinforced our assessment of Fortify's value.
Amal Alshehri
Sr cyber analyst at an energy/utilities company with 10,001+ employees
It is too early to say whether we have seen an ROI, but we have had a great communication and learning experience.
Identifying vulnerabilities using Fortify SAST early in the development lifecycle saves costs versus discovering vulnerabilities later in the software development lifecycle (SDLC). If you discover a vulnerability early, it is helpful. For instance, if you are writing Java code and you know that there is a limitation or vulnerability in that version of Java, it helps to plan your journey of development earlier. You get to know that your server does not support this version of Java. It helps you make decisions earlier in the process. Time is money. The earlier you handle things, the better it is.
Buyer's Guide
Sonatype Lifecycle
March 2024
Learn what your peers think about Sonatype Lifecycle. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,740 professionals have used our research since 2012.
Ingmar Vis
Product Owner Secure Coding at a financial services firm with 10,001+ employees
For Nexus IQ, I have not seen any research that has been done for ROI. I am aware of other tools but not Nexus IQ.
Michael Esmeraldo
Sr. Enterprise Architect at MIB Group
In terms of productivity and the turnaround time of producing new applications and updating old applications, the return on investment is that it takes much less time to add features or produce a new product for our subscribers than it did before. That allows us, obviously, to start billing for those services sooner. Without Nexus, it would take a considerably greater amount of time. Our return on investment is based upon how many applications we bring out and the turnaround time of the development team.
ConfigManag73548
Configuration Manager at a wellness & fitness company with 1-10 employees
We haven't seen ROI as yet, simply because we haven't been harnessing the full potential of the tool. The way I think we will potentially see a return on investment is if we are using any licenses that could be costing us indirectly. We could be looking at certain technical debt which we could be dropping. Those are the aspects we could look at, but we haven't yet maximized the true, full capability.
Russell Webster
VP and Sr. Manager at a financial services firm with 1,001-5,000 employees
The solution has improved the time it takes us to release secure apps to market. I can't approximate how much, there are too many factors there to consider.
If you find a problem reactively without the tool, there's the remediation cost, versus the savings of finding it in the first place. It would be really hard for me to go back right now and say how many things we found and how often because it's happening very dynamically. Those findings are not anything I can measure right now.
Then there are the things that we found that we might not have remediated. Maybe they were just okay, they weren't high-ranking and they weren't low-ranking errors. Now, we can decide that because we found them really early that we're not going to take that risk. Whereas before, we might've taken the risk - or not even have seen the risk. So it's hard to measure that.
It's not literally speeding up our release to market. It's helping us avoid reactive costs and maintenance to the cycles after the fact. If an industry vulnerability is found, we get that notification really early.
We have seen a return on our investment. In some cases, where we've needed to find out the footprint of a certain library across our enterprise, we've been able to do that research in seconds or minutes, rather than long, drawn-out processes with people and teams involved to hunt it down through source code and the like.
As far as spinning up councils and people saying, "What's our vulnerability footprint look like?" we've been able to answer those questions much quicker and remediate quicker with other tools. Those things alone will probably pay for it. The safety stuff pays for it on its own too.
We've more recently also been able to leverage it as a solid containers repository solution.
Katrin Schenker
Software Engineer at a manufacturing company with 10,001+ employees
Because we have only had Lifecycle in production for around one year, it's too early to know if it has improved the time it takes us to release secure apps to market.
But it has definitely increased developer productivity. If you manually download a package, you're not sure if it is the right package because you cannot test it. But now, we can automatically download packages. It's much more effective and more productive for each software developer using it. I would estimate we have seen a 20 percent increase in productivity.
It's also helping our security because that is an aspect we did not check before. That is new for us and very valuable.
Wes Kanazawa
Sr. DevOps Engineer at Primerica
We don't have any evidence that the solution improves the time it takes us to release secure apps to market because we haven't released an app yet, but I'm sure it will.
Just the dev happiness is already a type of ROI, in addition to how fast they're able to go using it.
We are a development company, and we use open-source heavily, like 95% source code. So the return on investment on the main security check is very high.
When I started with Sonatype six months back, I knew that I wanted to do 10 integrations. When I started integrating with a development team, and getting them more usability, I understood the reality was not 10, it was actually 100. When I ran with another vendor, even though I started with a small price, when I looked at the total cost of ownership or the return on investment, it was totally different. With Sonatype there is definitely a return on investment in the number of integrations and the personal support. In that sense, there has been a lot of value.
In addition, the bundled licensing is a huge difference and provides flexibility. We are not limited by the number of integrations, like in other products. We have flexibility and scalability. For us, the return of investment or value is huge, when it comes to the licensing model.
reviewer2322627
Security DevOps Engineer at a legal firm with 1-10 employees
We have seen a return on investment using Fortify Static Code Analyzer.
Shubham Shrivastava
Engineering Tools and Platform Manager at BT - British Telecom
Our ROI is moderate. It has definitely helped us in avoiding a lot of security miscues, but the adoption of IQ hasn't been as much as I would have liked. It has nothing to do with Sonatype. It has more to do with BT's culture and BT's engineers adopting it.
Ricardo Van Den Broek
Software Architect at a tech vendor with 11-50 employees
This product was cheaper than the one we were using, so that is a direct savings. Though, it's hard to estimate time saved.
There is definitely a lot less frustration with it, because we had some frustration earlier with the last product. Some of the frustration that we still have is trying to find an updated version of a library, which is not really Sonatype's fault. That is just how open source software works. However, there is definitely a lot less frustration, with a lot more clarity about what exactly we're looking at and what step is needed to get rid of the vulnerabilities that we do find. It's hard to measure the impact of reducing developers' frustration, but I think we can all agree that having happy developers is good for a company!
Another thing that's hard to measure is the positive impact on company image. We get security questionnaires from potential clients, which will ask how we detect and address security issues. In our industry, what is that worth to a health system that houses patient information that we continuously monitor for security vulnerabilities? And that we are able to address these concerns as soon as they come out? It's a marketing thing and it's hard to quantify what that's worth, but we know in healthcare these things are definitely valued and appreciated.
Austin Bradley
Enterprise Infrastructure Architect at Qrypt
Since the developers weren't doing really thorough vulnerability assessments in the past, I can only estimate how many hours it's saved and allowed them to continue developing the applications.
For example, if one of our pipeline applications has 15 dependencies and a developer had to look for vulnerabilities in that list of 15 dependencies, it could take a half-hour every day for one application. If they're developing six applications at once, then it could be a couple of hours a day per developer. It would quickly get out of hand.
Charles Chani
DevSecOps at a financial services firm with 10,001+ employees
We see ROI in terms of better visibility into what we have in our developed software.
reviewer1535436
Senior Architect at an insurance company with 1,001-5,000 employees
How do you prove that you've not gotten hacked because of the tool? We've definitely gotten better visibility into how we're using older components and when we need to migrate away from them. We're much better positioned now to keep things patched and if there's another Struts 2, armageddon-type vulnerability in a library we use, we'll be much quicker to get on it.
It's like any security tool. How do you know that the door lock paid for itself? You really don't know who would have knocked your door down. But once our developers get more used to the tool over time and we get the technical debt driven down, they will be more productive in terms of making sure the libraries are up to date.
In the meantime, when they're onboarding and trying to figure it out, it's going to slow them down a little bit, to get oriented. If they're dealing with a legacy of technical debt and there are a lot of things that have to be fixed, because nobody has updated an internet app in 10 years, it's not going to make them more productive. But if you're willing to pay down that technical debt, it's totally worth it, but it's hard to quantify. But if you consider keeping your apps up to date as productivity then it helps with productivity.
reviewer1381962
Enterprise Application Security Analyst at a comms service provider with 5,001-10,000 employees
I'm not sure it's saving us anything. I don't have a way to gauge that as far as return on investment goes.
The return on investment for us is that we have the process in place that has our security aspects tied into it. That's more the type of return on investment we were looking for, and it is doing that. We're still in the early stages.
Andy Cox
Product Strategy Group Director at Civica
We have seen return on our investment, but it's a difficult one to quantify because, unless you have a problem, it's like any sort of security or testing; it's difficult to quantify unless you have an issue. In terms of protecting our IP it certainly has provided ROI and, in security issues as well, it has helped us to identify them, reducing our risk. There has been a big risk reduction for us.
reviewer1960260
Section Chief at a government with 201-500 employees
We've seen ROI from Sonatype Nexus Lifecycle, mainly connected to the number of attacks. For example, we've calculated the number of hours our employees put into analyzing a vulnerability and looking for that vulnerability in the different components. We saw that the main benefit of using Sonatype Nexus Lifecycle is quickly finding which components have vulnerabilities. As a result, two to three employees save on a week's work because that's how long it takes to look through all the different components with vulnerabilities.
Vulnerabilities could also cause a significant outage or complete data loss, which comes at a high price. Sonatype Nexus Lifecycle could help prevent that or help eliminate the risks. Hence, there's ROI from the tool, but we still need to evaluate the data fully.
EdwinKwan
Security Team Lead at Tyro Payments Ltd
The area where we've seen ROI is security hygiene. We're using a lot fewer vulnerable libraries. What we have seen is that when there is news about something that is vulnerable, and that there is a tool that someone has created that allows you to exploit it, we normally already know about it and we've addressed it. There's peace of mind knowing that we're on top of it.
Sebastian Lawrence
Solutions Delivery Lead at a financial services firm with 201-500 employees
We have seen ROI.
Nexus has improved the time it takes us to release secure apps to market by saving us weeks of rework.
reviewer1380810
Computer Architecture Specialist at an energy/utilities company with 10,001+ employees
We expect to see ROI once we're using it fully in production.
JavaDevef0ca
Java Development Manager at a government with 10,001+ employees
We have only been using the licensed version for six months. But long-term, we definitely see it saving time and that will be our long-term return on investment.
reviewer1268016
IT Security Manager at an insurance company with 5,001-10,000 employees
ROI on a security product is always hard to argue because you never know how expensive a security issue could become.
We are still on our PoC, so there has been no investment up until now. We have just decided to invest in Nexus Lifecycle. I am sure that there will be a return on investment very soon.
reviewer1342230
Application Development Manager at a financial services firm with 501-1,000 employees
This solution has increased developer productivity by 20 percent. They know the version that they need to use. It is a lot easier.
Ryan Carrie
Security Analyst at a computer software company with 51-200 employees
We have absolutely seen ROI with Sonatype. The more proactive approach is definitely a return on investment. It significantly lowers the turnaround for responding to incoming issues. It also empowered our support staff to be able to pass along audit results without having to loop in the security team directly. There is a much lower overhead involved when doing it that way.
Also, the ability to better manage our vulnerability management by getting the detailed information from the scan results or the listings, and being able to audit them thoroughly and test them really helps with development resources in our case. We do not have to cram in a bunch of upgrades just for the sake of upgrading if we're constrained elsewhere. It really helps prioritize dev resources.
I don't know if it has directly saved time in releasing secure apps to market. It has definitely made everything more efficient, but unless things are critical and can definitely be leveraged, we don't necessarily delay a release.
The upgrade processes are definitely a quicker turnaround because it allows us to actually target versions that are not vulnerable. But it is hard to quantify whether, in the grand scheme of things, our developers are more productive as developers.