Are DevSecOps policy enforcement tools a productivity benefit or burden that stifles creativity? It depends on the software.
Here at IT Central Station, we are always on the hunt for unbiased feedback from our users, to help tech professionals make educated decisions when buying enterprise software for their companies. In recent months, we gathered reviews for Sonatype Nexus Lifecycle and Nexus Repository to find out what users had to say about these two DevSecOps products.
DevSecOps promises speed, innovation, and flexibility, all while incorporating security throughout -- at least in theory. Achieving these desirable outcomes requires effort on a few fronts.
First, there’s the task of bringing three previously separate teams (Developers, Security and IT operations professionals) together in a unified, coherent group with streamlined workflows. Second, there’s governance of the process. Get either of these wrong and you create unnecessary work and unhappy people.
In their reviews, IT Central Station members speak to managing these practical issues in DevSecOps. These professionals highlight the top features in Sonatype’s product suite that enable them to balance DevSecOps speed and innovation with sound (and flexible) governance.
A single source of truth for your software parts: Sonatype Nexus Repository
Using Nexus Repository, developers are able to source the best components and combine them into a repository of trusted components.
DevSecOps relies on a high level of automation because manual processes can lead to lapses in policy enforcement. Ideally, the entire platform should automate open source governance to minimize risk and speed time to production.
Yogesh S., a Senior Information Technology Specialist who uses Sonatype Nexus Repository at a mid-sized financial services firm said, “We use it [Sonatype Nexus Repository] every day for open-source governance. We have so many applications and so many services in our software supply chain.”
Similarly, Anthony E., a Chief of the Enterprise Automated Deployment (EAD) Branch at a government agency, utilizes the Nexus Repository “to store safe open-source components that our developers can utilize in their applications, as opposed to their going out to the internet and getting potentially unsafe versions of the open-source components.”
Axel N., the architect at SV Informatik GmbH, commented, “Nexus Repository helps automate open-source governance and minimize risk. For example, a developer decides to use an open-source component, so he is going to add Wire Maven into the application. In this phase, he can already get information about possible vulnerabilities. If he ignores this, we can still absolutely detect such a problem later on and prevent it from being sent to production.”
For speed, a Senior Application Architect at a large financial services firm uses Sonatype Nexus Repository to host code. He shared, “If a team inserts a version of a library, say a Spring library, it becomes available across the organization. If our organization has between ten and 20 development teams, if you upload one library it becomes available to everyone. That helps the speed of development.”
Automated Open Source Governance and Remediation Across the SDLC: Sonatype Nexus Lifecycle + Firewall
DevSecOps requires that developers and IT ops professionals play a major role in enforcing security policies, including scanning applications across the software development lifecycle (SDLC). This practice keeps growing in importance and has become a necessity that was far less prominent in the earlier days of development. Sonatype’s Nexus Lifecycle assists developers by embedding policies directly into every stage of the SDLC, enabling them to continue working quickly while being made aware of potential issues immediately.
Sonatype users praised Nexus Lifecycle’s ability to integrate remediation guidance throughout the SDLC. For example, Axel N., an IT Central Station member and Architekt (Architect) who uses Nexus Lifecycle at SV Informatik GmbH, explained, “We're no longer building blindly with vulnerable components. We have awareness, we're pushing that awareness to developers, and we feel we have a better idea of what the threat landscape looks like. Things that we weren't even aware of that were bugs or vulnerabilities, we are now aware of them and we can remediate really quickly.”
Charles C., a DevSecOps professional who uses Nexus Lifecycle at a large financial services firm, put it this way: “Regarding open-source intelligence and policy enforcement across the SDLC, that's exactly what they're [Sonatype] trying to do. They realized that there's so much ingestion of open-source software in most of the software development lifecycles, that there was a need to automate the detection of the ones that are not deemed to be safe. What Sonatype does with its Firewall product is that, as the binaries are being ingested, it's able to fingerprint them. And because there's a fingerprint, it can tell you exactly what you're ingesting. If what you're ingesting is not secure, it can block it.”
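Taken together, the reviews in this section describe two mechanisms: a repository firewall that fingerprints each artifact as it is ingested and blocks known-bad ones, and lifecycle policies that are evaluated at every SDLC stage and come with remediation guidance (the fixed version to move to). The following Python program is an added illustration of those two ideas; it is not Sonatype's code, and every component name, artifact payload, advisory, fingerprint and stage threshold in it is constructed for the demonstration.

```python
"""Illustrative open source policy gate (added example, not Sonatype's code).

Two checks are modelled:
  * firewall_decision(): a proxy-repository gate that fingerprints the artifact
    bytes (SHA-256) and refuses anything whose fingerprint is on a deny list or
    whose coordinates carry a critical advisory.
  * evaluate_stage(): a lifecycle policy that applies a tightening severity
    threshold as a component moves from develop to build to release, and
    reports the fixed version so developers can remediate immediately.
All data below is constructed; a real tool queries a curated vulnerability feed.
"""
import hashlib
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: highest severity still tolerated at each SDLC stage.
STAGE_THRESHOLDS = {"develop": "high", "build": "low", "release": "none"}


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str
    content: bytes  # artifact bytes as fetched (constructed in this example)

    @property
    def coordinates(self):
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass(frozen=True)
class Advisory:
    severity: str
    fixed_in: str  # remediation guidance: the version that resolves it


# Constructed advisories keyed by coordinates.
KNOWN_VULNS = {
    "example.org:json-parse:1.0.0": Advisory("critical", "1.0.2"),
    "example.org:http-util:2.3.0": Advisory("medium", "2.4.0"),
}


def fingerprint(content):
    """SHA-256 of the artifact bytes; independent of the name it was uploaded under."""
    return hashlib.sha256(content).hexdigest()


# Constructed deny list: the fingerprint of a tampered artifact seen previously.
TAMPERED_CONTENT = b"constructed: tampered build published as json-parse 1.0.2"
BLOCKED_FINGERPRINTS = {fingerprint(TAMPERED_CONTENT)}

# Constructed sample components a developer might pull through the proxy.
SAMPLE_COMPONENTS = {
    "vulnerable": Component("example.org", "json-parse", "1.0.0", b"constructed: json-parse 1.0.0"),
    "tampered": Component("example.org", "json-parse", "1.0.2", TAMPERED_CONTENT),
    "medium": Component("example.org", "http-util", "2.3.0", b"constructed: http-util 2.3.0"),
    "clean": Component("example.org", "http-util", "2.4.0", b"constructed: http-util 2.4.0"),
}


def firewall_decision(component):
    """Return (admitted, reason) for an artifact arriving at the proxy repository."""
    fp = fingerprint(component.content)
    if fp in BLOCKED_FINGERPRINTS:
        # Matched on content, so a clean-looking version string does not help.
        return False, f"blocked: fingerprint {fp[:12]}... is on the deny list"
    adv = KNOWN_VULNS.get(component.coordinates)
    if adv and SEVERITY_RANK[adv.severity] >= SEVERITY_RANK["critical"]:
        return False, f"blocked: {component.coordinates} has a {adv.severity} advisory; use {adv.fixed_in}"
    return True, f"admitted: {component.coordinates}"


def evaluate_stage(components, stage):
    """Apply the stage's severity threshold; findings above it fail, the rest warn."""
    threshold = SEVERITY_RANK[STAGE_THRESHOLDS[stage]]
    failures, warnings = [], []
    for c in components:
        adv = KNOWN_VULNS.get(c.coordinates)
        if adv is None:
            continue
        finding = f"{c.coordinates}: {adv.severity}, fixed in {adv.fixed_in}"
        (failures if SEVERITY_RANK[adv.severity] > threshold else warnings).append(finding)
    return {"stage": stage, "passed": not failures, "failures": failures, "warnings": warnings}


if __name__ == "__main__":
    admitted = []
    for name, comp in SAMPLE_COMPONENTS.items():
        ok, reason = firewall_decision(comp)
        print(f"[firewall] {name:10s} {reason}")
        if ok:
            admitted.append(comp)
    for stage in STAGE_THRESHOLDS:
        print(f"[lifecycle] {evaluate_stage(admitted, stage)}")
```

The tampered artifact is the instructive case: its coordinates carry no advisory at all, so only the content fingerprint catches it. The medium-severity component shows the second idea, passing with a warning during development but failing the build and release gates, with the fixed version reported at each stage.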
Sonatype Products Integrate with Existing DevOps Tools
According to IT Central Station members who use Sonatype, integration with other DevOps tools is a major benefit of the solution. Gus O., for example, a Lead IT Security Architect who uses Nexus Lifecycle at a big transportation company, said, “The solution integrates well with our existing DevOps tools.”
Charles C., the DevSecOps staffer, also praised Sonatype’s integration with existing DevOps tools. He said, “They've got very good plugins for most of the common DevOps tools, like Jenkins and GitHub. There are ways that you can work around things like TeamCity. The product is designed to help the DevOps process to be seamless in terms of security.”
And Christophe A., an Engineering Manager at a large tech vendor with 10,000+ employees, said, “We had the opportunity to integrate it fully into our build generation. It's been of high value for us. We have gained a lot of time by avoiding old installations and all the sharing management is provided by Nexus Repository Manager. As we already used the tools, we built our DevOps practices around them.”
An architect who uses Nexus Repository at a consultancy with more than 5,000 employees further noted, “It [Sonatype] also has very good enterprise integration, so we are able to integrate it with the rest of our infrastructure for authentication, for role management. That is very useful.”
Want to share your opinions about Sonatype? You can do so on IT Central Station.