Sonatype Lifecycle enhancements boost speed, security, and productivity

March 30, 2023 By Nitin Phadnis

Can a mature platform be further improved to help teams in their journeys through the software development life cycle (SDLC)? The answer is yes! Sonatype Lifecycle is designed to help shift development processes left, as it continuously monitors for problems at every stage of the SDLC and ensures automated remediation to keep development moving.

Powered by Sonatype Intelligence, Sonatype Lifecycle is the bridge between developers and security teams, perfectly balancing the drive to put the pedal to the metal (developer velocity) with the need to ensure that development pipelines and production setups are secure and healthy (application security).

What’s new in Sonatype Lifecycle?

As the software development landscape and security threats continue to evolve, Sonatype Lifecycle has kept pace to address new challenges and provide new features and capabilities. Sonatype's development team regularly releases updates and new versions of Lifecycle to stay current with industry trends and customer needs. Let’s take a quick look at some of the recent updates that will further modernize SDLC processes.

Drive operational excellence

  • Sonatype IQ Server High Availability (HA)

Not having access to your IQ Server–which powers Repository, Lifecycle, and Firewall–can bring operations to a grinding halt. The IQ Server high availability (HA) option eliminates downtime, ensuring an always-on, resilient architecture. Tested to work on-premises as well as on AWS Cloud, IQ Server HA offers horizontal scalability and an active-active cluster configuration.

Developer productivity gets a boost

  • Waivers enhancements

Waivers are an important piece of the developer’s toolbox. The recent enhancements to the waivers functionality in Lifecycle help with the day-to-day management of operational risk. A key part of this is the Waivers Dashboard, which allows users to

    • Look at waivers issued across the organizations.
    • Apply filters that tell you which parts are being remediated.
    • Stay aware of expiration dates on waivers.
    • Gain insight into where exceptions are being made.
    • Notify stakeholders and manage waivers across different applications.

  • Maven Search - new portal

Publishers and consumers of open source rejoice! The new portal offers an enhanced user experience for browser-based Maven Central users. It features an improved browser layout for publishing components and an improved user interface for searching OSS artifacts. Automation allows the inbound user request process to be completed in seconds without any manual intervention.

  • Organizations at scale

For many larger customers, a flat hierarchy structure within their SCA tools–such as the root org, child orgs, and the software applications they use–is just not enough. They need a much deeper and more flexible structure where they can add departments, divisions and diverse teams within departments, application groups that vary by department, projects, and so on.

With the N-level hierarchy feature, we reworked our UI and our application logic to ensure that data changes apply to the appropriate node in an organization’s hierarchy. In simple terms, Lifecycle can now model any organizational structure, and decisions about permissions, policy, and configuration can easily be managed at any node in that structure.

For example, organizations can decide if they want to apply a change to policy, permissions, or data across all companies, a particular organization, a group of applications, or just one specific application.

Organizations at Scale helps

    • Onboard applications
    • Inherit policy
    • Manage open source across a multi-level management hierarchy
    • Visualize application versioning within hierarchies and organizations

Additional features such as Notification and Action Overrides allow better and more timely decision-making.
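To make the inheritance model concrete, here is an added example (not Sonatype's code, and not how Lifecycle is implemented internally) of how effective settings resolve across an N-level hierarchy: each node may override individual settings, anything not overridden is inherited from the nearest ancestor, and a change applied at one node affects that node and every descendant that does not override the same setting itself. The node names and settings (a failing CVSS threshold and a maximum waiver age) are constructed for illustration.

```python
"""Added example: effective policy resolution across an N-level hierarchy.

Constructed illustration, not Sonatype's code. Each node (root org, division,
department, application group, application) may override specific settings;
anything not overridden is inherited from the nearest ancestor.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    overrides: dict = field(default_factory=dict)   # settings set at this node only
    children: list = field(default_factory=list)

    def add_child(self, name, **overrides):
        child = Node(name, self, overrides)
        self.children.append(child)
        return child


def effective_policy(node):
    """Walk from the root down to `node`; nearer overrides win over inherited values."""
    chain = []
    cur = node
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    policy = {}
    for n in reversed(chain):          # root first, so descendants override ancestors
        policy.update(n.overrides)
    return policy


def descendants(node):
    """Yield `node` and every node below it, depth first."""
    yield node
    for c in node.children:
        yield from descendants(c)


def affected_by(node, setting):
    """Names of nodes whose effective value of `setting` comes from `node`,
    i.e. `node` itself plus descendants with no intervening override."""
    result = []

    def walk(n, shadowed):
        if n is not node and setting in n.overrides:
            shadowed = True          # this subtree has its own value
        if not shadowed:
            result.append(n.name)
        for c in n.children:
            walk(c, shadowed)

    walk(node, False)
    return result


def apply_change(node, setting, value):
    """Apply a change at one node and report which nodes it reaches."""
    node.overrides[setting] = value
    return affected_by(node, setting)


def build_sample():
    """Constructed hierarchy: company -> divisions -> departments -> applications."""
    root = Node("acme-corp", overrides={"min_cvss_fail": 9.0, "waiver_max_days": 90})
    fin = root.add_child("finance-division")
    pay = fin.add_child("payments-dept", min_cvss_fail=7.0)      # stricter threshold
    pay.add_child("checkout-service")                             # inherits everything
    pay.add_child("ledger-service", waiver_max_days=30)           # shorter waivers
    eng = root.add_child("engineering-division")
    eng.add_child("internal-tools")
    return root, {n.name: n for n in descendants(root)}


if __name__ == "__main__":
    root, nodes = build_sample()
    for name in ("checkout-service", "ledger-service", "internal-tools"):
        print(name, effective_policy(nodes[name]))
    print("waiver change at finance-division reaches:",
          apply_change(nodes["finance-division"], "waiver_max_days", 60))
```

The point to notice is that a change at finance-division reaches checkout-service but not ledger-service, because the latter carries its own override; resolving settings by walking the ancestor chain is what lets one policy decision be made "across all companies, a particular organization, a group of applications, or just one specific application".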

Experience intelligent security

  • Security customization enhancements (user-customized security data)

Security professionals can now customize Sonatype’s world-class security data with fine-grained details that are pertinent to their organization and deployment environments.

Users can now add

    • Custom CVSS metrics
    • Temporal and environmental requirements
    • Custom severity scores
    • Custom remediation notices
    • Additional metadata

Additional policy constraints have been added so that this new information can be utilized to maximize remediation efforts and ensure that teams tackle the most impactful security vulnerabilities first.

  • Maven call flow analysis

In software composition analysis, users typically identify the dependencies with a vulnerability. However, just having that dependency doesn't necessarily mean that a code path exists from the application to the vulnerable method in the dependency. 

Maven Call Flow Analysis solves this problem by determining if there is any path from the code to the vulnerable method. And if there is, it quickly publishes a policy alert letting users know it needs remediation first. 

In essence, Call Flow Analysis allows our customers to prioritize which vulnerabilities to remediate. This helps them target and remediate those most likely to impact their security and code quality, and effectively reduce the “attack surface.”
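The core of this kind of analysis is a reachability query over the application's call graph. The following added example (constructed illustration, not Sonatype's implementation) performs that query: it searches from the application's entry points for a call chain to each method the vulnerability data marks as vulnerable, and separates findings that are reachable (with the chain that proves it) from those that are not. The call graph, the entry point, the method names and the vulnerability identifiers are all made up; a real tool derives the graph from compiled code and the vulnerable-method list from its vulnerability data.

```python
"""Added example: the reachability check behind call flow analysis.

Constructed illustration, not Sonatype's code. CALL_GRAPH, ENTRY_POINTS and
VULNERABLE_METHODS are made-up sample data.
"""
from collections import deque

# Constructed call graph: caller -> callees (fully qualified method names).
CALL_GRAPH = {
    "com.example.shop.Main.main": [
        "com.example.shop.OrderService.placeOrder",
        "com.example.shop.ReportJob.run",
    ],
    "com.example.shop.OrderService.placeOrder": [
        "org.libfoo.Parser.parse",
        "org.libfoo.Parser.validate",
    ],
    "org.libfoo.Parser.parse": ["org.libfoo.Parser.unsafeDeserialize"],
    "org.libfoo.Parser.validate": [],
    "org.libfoo.Parser.unsafeDeserialize": [],
    "com.example.shop.ReportJob.run": ["org.libbar.Render.toPdf"],
    "org.libbar.Render.toPdf": [],
    # Present in the dependency's bytecode but never called by the application.
    "org.libbar.Render.evalTemplate": [],
}

ENTRY_POINTS = ["com.example.shop.Main.main"]

# Constructed vulnerability data: vulnerable method -> (component, placeholder id).
VULNERABLE_METHODS = {
    "org.libfoo.Parser.unsafeDeserialize": ("org.libfoo:libfoo:1.2", "VULN-PLACEHOLDER-1"),
    "org.libbar.Render.evalTemplate": ("org.libbar:libbar:3.0", "VULN-PLACEHOLDER-2"),
}


def find_path(graph, entry_points, target):
    """Breadth-first search from the entry points; return the shortest call
    chain ending at `target`, or None when no path exists."""
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        method, path = queue.popleft()
        if method == target:
            return path
        for callee in graph.get(method, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def triage(graph, entry_points, vulnerable_methods):
    """Split vulnerable methods into reachable (with the proving call chain)
    and not reachable; the reachable ones are what a policy alert flags first."""
    reachable, unreachable = {}, {}
    for method, (component, vuln_id) in vulnerable_methods.items():
        path = find_path(graph, entry_points, method)
        record = {"component": component, "id": vuln_id}
        if path:
            reachable[method] = {**record, "path": path}
        else:
            unreachable[method] = record
    return reachable, unreachable


if __name__ == "__main__":
    hit, miss = triage(CALL_GRAPH, ENTRY_POINTS, VULNERABLE_METHODS)
    for method, info in hit.items():
        print("REACHABLE  ", info["component"], info["id"], " -> ".join(info["path"]))
    for method, info in miss.items():
        print("unreachable", info["component"], info["id"], "(no call path found)")
```

Two caveats a practitioner should keep in mind when reading the output: an "unreachable" result lowers priority rather than closing the finding, because a static call graph misses edges introduced by reflection, dynamic dispatch through interfaces, or code loaded at run time; and the vulnerable component is still present in the build, so it remains a finding to track until it is upgraded.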

  • InnerSource Insight

Many customers have proprietary code developed in-house using open source software components. This code is then used to develop new applications which are put into production. However, this proprietary code has likely inherited vulnerabilities from those components that can be exploited to cause severe harm to the organization, or worse, to several group companies that may be using the affected code.

Sonatype InnerSource Insight gives organizations a look at their own innersource (proprietary components) and helps reduce overall costs and vulnerability exposure. In addition to enhancing security posture, this feature significantly improves developer productivity by reducing the time required to identify where a problem lies.

New to Lifecycle?

Sonatype is here to help however we can and offer plenty of documentation on getting started and best practices. If you have further questions about how Lifecycle can help organizations to achieve their perfect development workflow, book a demo today. Our experts are always ready to talk.

This post was co-written with Dariush Griffin.

Nitin Phadnis is a Senior Product Marketing Manager at Sonatype. When he's not working, Nitin loves spending time with family, reading, and watching F1 races.