Skip Navigation
Resources Blog A Simply Brilliant Way to Improve the Security Pipeline

A Simply Brilliant Way to Improve the Security Pipeline

*Note: Join us live and online for the 2019 Nexus User Conference on June 12. Registration is free.

Sometimes, the simple ideas are the most genius.

Xin Xu presented one such idea at our 2018 Nexus Users’ Conference. Xin is an information security principal for Kaiser Permanente, a health care provider in the U.S. with 12.2 million customers and 200,000 employees. So, yes, there is a lot of application development happening at Kaiser, and they use Nexus IQ to manage the repositories.

In a typical build process, the application would query the component repository during to ask about a library. Firewall would then ask if the library is secure. If it is, the host repository would provide the applicable, approved code. If it isn’t, the firewall would not provide the applicable code, and break the build.

Kaiser 1


Kaiser 2

This is the typical - but not the ideal - time to tell a developer they can’t use a library. They have already written code against it, and now have to rework it.

Kaiser, on the other hand, built a tool to provide input to architects/developers before they decide which open source libraries to use. That is, they can query Nexus IQ through a simple search tool at the beginning of the design process to ensure it can be used, and, if so, which features are available. The search is setup so that you don’t need to be a developer to use it since many of the users don’t have any programming background.

The app has a simple interface (note: the screenshots are stripped of any product-specific information).

Kaiser 3

After hitting the search button, the information is sent to the web application and mimics the Maven process, sending an http request to the component repository. It goes through the Nexus evaluation process and returns it to the application. It then tells the end user if it was found and what details it knows. What is the security status? What are the licensing details?

Kaiser 4

Kaiser managed to shift the security process fully to the left so that it can be part of the whiteboard part of design. It has the potential to save a tremendous amount of rework.

It is such a simple idea, it is brilliant in its simplicity.

The 2018 Nexus Users’ Conference was held in June. You can watch Xin’s full presentation here and all of the sessions here.

Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.