News and Notes from the Makers of Nexus | Sonatype Blog

Sonatype Users Reveal the Benefits of Automated DevSecOps

Written by IT Central Station | August 28, 2019

Are DevSecOps policy enforcement tools a productivity benefit, or a burden that stifles creativity? It depends on the software.

Here at IT Central Station, we are always looking for unbiased feedback from our users, to help tech professionals make educated decisions when buying enterprise software for their companies. In recent months, we gathered reviews for Sonatype Lifecycle and Sonatype Nexus Repository to find out what users had to say about these two DevSecOps products.

DevSecOps promises speed, innovation, and flexibility, all while incorporating security throughout, at least in theory. Achieving these desirable outcomes requires effort on a few fronts.

First, there's the task of bringing three previously separate teams (Developers, Security and IT operations professionals) together in a unified, coherent group with streamlined workflows. Second, there's governance of the process. Get either of these wrong, and you create unnecessary work and unhappy people.

In their reviews, IT Central Station members speak to managing these practical issues in DevSecOps. These professionals highlight the top features in the Sonatype Platform that enable them to balance DevSecOps speed and innovation with sound (and flexible) governance.

A Single Source of Truth for Your Software Parts: Sonatype Nexus Repository

Using Sonatype Nexus Repository, developers can source the best components and combine them into a repository of trusted components.

DevSecOps relies on a high level of automation, because manual processes can lead to lapses in policy enforcement. Ideally, the entire platform should automate open source governance to minimize risk and speed time to production.

Yogesh S., a Senior Information Technology Specialist who uses Sonatype Nexus Repository at a mid-sized financial services firm, said, "We use it [Sonatype Nexus Repository] every day for open-source governance. We have so many applications and so many services in our software supply chain."

Similarly, Anthony E., a Chief of the Enterprise Automated Deployment (EAD) Branch at a government agency, uses the Sonatype Nexus Repository "to store safe open-source components that our developers can use in their applications, as opposed to their going out to the internet and getting potentially unsafe versions of the open-source components."

Axel N., the architect at SV Informatik GmbH, commented, "Sonatype Nexus Repository helps automate open-source governance and minimize risk. For example, a developer decides to use an open-source component, so he will add Wire Maven into the application. In this phase, he can already get information about possible vulnerabilities. If he ignores this, we can still absolutely detect such a problem later on and prevent it from being sent to production."

For speed, a Senior Application Architect at a large financial services firm uses Sonatype Nexus Repository to host code. He shared, "If a team inserts a library, say a Spring library, it becomes available across the organization. If our organization has between ten and 20 development teams, if you upload one library, it becomes available to everyone. That helps the speed of development."

Automated Open Source Governance and Remediation across the SDLC: Sonatype Lifecycle and Sonatype Repository Firewall 

DevSecOps requires developers and IT ops professionals to play a major role in enforcing security policies, including scanning applications across the software development life cycle (SDLC). This practice has steadily grown in importance and is now a necessity, where it was far less prominent in the earlier days of development. Sonatype Lifecycle assists developers by embedding policies directly into every stage of the SDLC, so they can keep working quickly while being made immediately aware of potential issues.

Users praised Sonatype Lifecycle's ability to integrate remediation guidance throughout the SDLC. For example, Axel N., an IT Central Station member and Architekt (Architect) who uses Sonatype Lifecycle at SV Informatik GmbH, explained, "We're no longer building blindly with vulnerable components. We have awareness, we're pushing that awareness to developers, and we feel we have a better idea of what the threat landscape looks like. Things that we weren't even aware of were bugs or vulnerabilities, we are now aware of them and can remediate quickly."

Charles C., a DevSecOps professional who uses Sonatype Lifecycle at a large financial services firm, put it this way: "Regarding open-source intelligence and policy enforcement across the SDLC, that's exactly what they're [Sonatype] trying to do. They realized that there's so much ingestion of open-source software in most of the software development life cycles, that there was a need to automate the detection of the ones that are not deemed to be safe. What Sonatype does with its Firewall product is that, as the binaries are being ingested, it's able to fingerprint them. And because there's a fingerprint, it can tell you exactly what you're ingesting. If what you're ingesting is not secure, it can block it."
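The gate Charles C. describes, fingerprinting a binary as it is ingested and blocking it when policy says so, is easy to model. The Python below is an added illustrative example for this post; it is not Sonatype's code and does not describe how Repository Firewall is implemented. The component coordinates, advisory identifiers, severity scores, license list and artifact bytes are all constructed placeholders, and the three-level outcome (allow, warn, block) is an assumption chosen to show how a policy can flag low-severity issues without stopping the build.

```python
"""Illustrative ingestion gate for a component proxy (added example, not Sonatype's code).

Assumptions: Maven-style coordinates, a policy keyed by coordinates and by
SHA-256 fingerprint, and a three-level decision (allow / warn / block).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """A component requested through the repository proxy."""
    group: str
    artifact: str
    version: str
    content: bytes            # the bytes the proxy is about to hand to the build
    license: str = "Apache-2.0"

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


def fingerprint(content: bytes) -> str:
    """Content-derived identity: a renamed or re-uploaded copy keeps the same digest."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample artifacts (placeholder bytes, not real archives).
GOOD_JAR = b"PK\x03\x04 example-lib 1.4.2 (constructed, harmless placeholder)"
TAMPERED_JAR = b"PK\x03\x04 example-lib 1.4.2 (constructed, modified copy)"


@dataclass
class Policy:
    known_vulnerable: dict = field(default_factory=dict)   # coordinates -> (score, advisory id)
    blocked_fingerprints: set = field(default_factory=set)  # SHA-256 hex digests
    denied_licenses: set = field(default_factory=set)
    block_at_or_above: float = 7.0   # CVSS-like threshold for a hard block
    warn_at_or_above: float = 4.0    # below the block threshold: allow but flag


# Constructed policy; advisory ids and scores are placeholders.
POLICY = Policy(
    known_vulnerable={
        "org.example:example-lib:1.3.0": (9.8, "ADVISORY-PLACEHOLDER-1"),
        "org.example:example-lib:1.4.0": (5.3, "ADVISORY-PLACEHOLDER-2"),
    },
    blocked_fingerprints={fingerprint(TAMPERED_JAR)},
    denied_licenses={"AGPL-3.0"},
)


@dataclass
class Decision:
    action: str                      # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def evaluate(component: Component, policy: Policy = POLICY) -> Decision:
    """Apply every rule, keeping the most severe action and all of the reasons."""
    order = {"allow": 0, "warn": 1, "block": 2}
    action = "allow"
    reasons = []

    def escalate(new_action: str, reason: str) -> None:
        nonlocal action
        if order[new_action] > order[action]:
            action = new_action
        reasons.append(reason)

    # 1. Fingerprint first: coordinates can be spoofed by a re-upload, the digest cannot.
    digest = fingerprint(component.content)
    if digest in policy.blocked_fingerprints:
        escalate("block", f"fingerprint {digest[:12]}... is on the blocklist")

    # 2. Known-vulnerable coordinates, graded by severity against the thresholds.
    if component.coordinates in policy.known_vulnerable:
        score, advisory = policy.known_vulnerable[component.coordinates]
        if score >= policy.block_at_or_above:
            escalate("block", f"{advisory}: severity {score} meets block threshold")
        elif score >= policy.warn_at_or_above:
            escalate("warn", f"{advisory}: severity {score}, allowed but flagged for remediation")

    # 3. License policy.
    if component.license in policy.denied_licenses:
        escalate("block", f"license {component.license} is denied by policy")

    return Decision(action, reasons)


def gate_requests(components, policy: Policy = POLICY) -> dict:
    """Evaluate a batch of requests, as a proxy hook or CI step would; returns action per coordinates."""
    return {c.coordinates: evaluate(c, policy).action for c in components}


if __name__ == "__main__":
    for c in [
        Component("org.example", "example-lib", "1.4.2", GOOD_JAR),
        Component("org.example", "example-lib", "1.4.2", TAMPERED_JAR),
        Component("org.example", "example-lib", "1.3.0", b"constructed 1.3.0 bytes"),
        Component("org.example", "example-lib", "1.4.0", b"constructed 1.4.0 bytes"),
    ]:
        d = evaluate(c)
        print(f"{c.coordinates:<38} {d.action:<6} {'; '.join(d.reasons)}")
```

The fingerprint check runs before the coordinate lookup because coordinates are metadata a re-uploaded artifact can carry while the content differs; the digest is what ties the decision to the bytes actually entering the build. The "warn" outcome is what lets a team keep its development speed while still surfacing lower-severity findings for later remediation, which is the balance the reviewers above keep returning to.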

Sonatype Products Integrate with Existing DevOps Tools

According to IT Central Station members who use Sonatype, integration with other DevOps tools is a major benefit of the solution. Gus O., for example, a Lead IT Security Architect who uses Sonatype Lifecycle at a big transportation company, said, "The solution integrates well with our existing DevOps tools."

Charles C., the DevSecOps staffer, also praised Sonatype's integration with existing DevOps tools. He said, "They've got good plugins for most common DevOps tools, like Jenkins and GitHub. There are ways to work around things like TeamCity. The product is designed to help the DevOps process be seamless in terms of security."

And Christophe A., an Engineering Manager at a large tech vendor with 10,000+ employees, said, "We had the opportunity to integrate it fully into our build generation. It's been of high value for us. We have gained a lot of time by avoiding old installations, and Sonatype Nexus Repository provides all the sharing management. As we already used the tools, we built our DevOps practices around them."

An architect who uses Sonatype Nexus Repository at a consultancy with more than 5,000 employees further noted, "It [Sonatype] also has good enterprise integration, so we can integrate it with the rest of our infrastructure for authentication, for role management. That is very useful."