
Sonatype Blog

Considering Nexus Auditor? You Should, But Know These Things First

June 25, 2020 By Kadi Grigg

I field a flood of requests every week asking to learn more about Nexus Auditor. I get it. Nexus Auditor, in the right use case, is a solid, cost-effective solution.

Is Nexus Auditor the solution for you? Maybe, maybe not. I thought it would be beneficial to explain who should consider Nexus Auditor. So here is an example that I received this week.

First, meet Stephen (not his real name). Stephen is a Senior Security Architect who has worked at ABC Corp. for 10 years. Stephen read a Gartner whitepaper about getting started with Software Composition Analysis (SCA). He thinks this type of solution could help his organization better manage risks around OSS components. Even more importantly, he needs a way to verify license compliance.

Like many others, Stephen did his research on Sonatype.com and other competitor sites before reaching out to me. He is now interested in learning more about Nexus Auditor. Stephen already uses some free tools like OWASP Dependency-Check. However, now that solution is no longer meeting his organization’s scalability and tracking requirements.

Often people like Stephen are confused about the differences between Auditor and Nexus Lifecycle. Is it right for Stephen? Is it right for your organization? Let’s take a look...

Keep it Simple

Do I need Nexus Auditor? Here’s a simple flow chart to walk yourself through:

[Flowchart: Do I need Nexus Auditor?]

Ask yourself:

Where do you want to manage OSS in your application? In development, or in production?

Does someone else develop the application I manage? Yes or no?

Do I need to integrate OSS management into the development pipeline (e.g., IDE, CI server, GitHub)? Yes or no?

All of these answers will determine if Nexus Auditor is a good fit for you.

Nexus Auditor is Superb for Monolithic, Legacy Applications

The people who benefit most from Nexus Auditor are those who manage monolithic applications that have little to no current development being done on them. I repeat: little to no development being done. Nexus Auditor works best when your legacy application is still integral to the organization and necessary to meet a variety of industry standards. The most popular standards that I run into are ISO and SOC2 compliance.

The other use case for Nexus Auditor is to understand what open source components are utilized in outsourced, third party application development. Nexus Auditor notifies you if those applications pose a security or legal risk.

To be clear, you still need software composition analysis for these applications. It is how you find out which third-party, open source components a legacy application actually contains. A software bill of materials tells you exactly what is inside the application, and from there you can analyze and understand the risk exposure that outdated open source components create.

Everyone Benefits from a Software Bill of Materials (SBOM)

Nexus Auditor enables your organization to automatically generate a software bill of materials to help identify open source components within your legacy and third-party applications. We also provide you with the ability to triage license and security risks.

What I like best about this functionality is the visualization. Nexus Auditor helps you quickly see the severity of your risk. It also shows which version of the component is safe, and which is most utilized within the industry. It also lets you continuously monitor applications for newly disclosed risks and triage them before they turn into an exposure.
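The triage loop described in this section (generate an SBOM, match its components against advisories and a license policy, then re-check the same SBOM as new advisories appear) is small enough to show in code. The following is an added example written for this page, not Sonatype code and not the Nexus Auditor data model; the CycloneDX-style SBOM fragment, the advisory entries, the severity scores and the license deny-list are all constructed for illustration, and a real pipeline would take the SBOM from a generator such as cyclonedx-maven and the advisories from a vulnerability feed.

```python
"""Triage a CycloneDX-style SBOM against an advisory list and a license policy.

Added example, not Sonatype code. SBOM, advisories and policy below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed SBOM in the shape of CycloneDX JSON (subset of fields).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "components": [
        {"type": "library", "group": "org.example", "name": "legacy-http", "version": "1.4.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "ldap-util", "version": "2.0.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "group": "org.example", "name": "json-thing", "version": "3.2.0",
         "licenses": []},
    ],
}

# Constructed advisory feed: affected range is [introduced, fixed); severity is CVSS-like.
ADVISORIES = [
    {"id": "ADV-0001", "group": "org.example", "name": "legacy-http",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": 9.8},
]

# Constructed policy: licenses this organisation will not ship in a proprietary product.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Finding:
    component: str      # group:name:version
    kind: str           # "vulnerability", "denied-license" or "unknown-license"
    detail: str
    remediation: str
    severity: float     # 0.0 for license findings, advisory score otherwise


def parse_version(version):
    """Compare on the numeric segments only (1.4.0 -> (1, 4, 0))."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def coordinates(component):
    return f"{component.get('group', '')}:{component['name']}:{component['version']}"


def is_affected(component, advisory):
    """True when the component is inside the advisory's [introduced, fixed) range."""
    if (component.get("group"), component["name"]) != (advisory["group"], advisory["name"]):
        return False
    v = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def triage(sbom, advisories, denied_licenses):
    """Return findings sorted by severity, then kind, then component."""
    findings = []
    for c in sbom["components"]:
        ref = coordinates(c)
        for adv in advisories:
            if is_affected(c, adv):
                findings.append(Finding(ref, "vulnerability",
                                        f"{adv['id']} (CVSS {adv['severity']})",
                                        f"upgrade to {adv['fixed']} or later", adv["severity"]))
        ids = [lic["license"].get("id") for lic in c.get("licenses", []) if "license" in lic]
        if not ids:
            # An SBOM entry with no license is a legal unknown, not a pass.
            findings.append(Finding(ref, "unknown-license", "no license declared in SBOM",
                                    "identify the license before shipping", 0.0))
        for lid in ids:
            if lid in denied_licenses:
                findings.append(Finding(ref, "denied-license", lid,
                                        "replace the component or obtain legal approval", 0.0))
    return sorted(findings, key=lambda f: (-f.severity, f.kind, f.component))


def new_since(previous, current):
    """Continuous monitoring: findings that appeared since the last run of the same SBOM."""
    return [f for f in current if f not in previous]


if __name__ == "__main__":
    for f in triage(SBOM, ADVISORIES, DENIED_LICENSES):
        print(f"{f.severity:>4} {f.kind:<16} {f.component:<32} {f.detail} -> {f.remediation}")
```

Running `triage` once gives the initial picture; storing that result and calling `new_since` against a later run with an updated advisory list is what turns a one-off audit into monitoring, because the application did not change but the feed did.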

Need Integrations? Nexus Lifecycle or Nexus Lifecycle Foundation Are Better Solutions

If you are looking for integrations into your IDE of choice, or into tools such as Jenkins or Jira, this indicates you're actively developing and upgrading applications. In that case, Nexus Auditor is not the best solution for you.

If you are looking for integrations, Nexus Lifecycle or Nexus Lifecycle Foundation provide automated component scanning and more robust, ongoing security protection. They provide everything Nexus Auditor does, plus more.

Today, 1 out of 10 component downloads will contain a known vulnerability. Even if your application is safe today, it may not be tomorrow, three months from now, or six months from now. So the question becomes, how do you manage open source risk in production or third party applications? I invite you to contact me and learn more about your options and what will work best for you. Yes, the best solution for you could be Nexus Auditor. But, in competitive environments actively producing new software, Nexus Lifecycle is your friend.

As PSAs say, "the more you know."

Tags: JIRA, jenkins, Software composition analysis, featured, Product, Nexus Auditor

Written by Kadi Grigg

Kadi has been passionate about the DevOps / DevSecOps community since her days of working at Micro Focus with COBOL development and Mainframe solutions. Having been at Sonatype for over a year, she loves working with the Open Source community and seeing the collaboration across the industry. She is currently a Territory Manager at Sonatype covering the Southeast and TOLA regions in the USA, where she has the opportunity to work with great companies and see how they transform their software development processes. In her spare time, this small dog-owning, coffee-loving, Penn State grad enjoys traveling across the globe with her fiancé, running, and spending time with her family.