Nomura Transforms Software Supply Chain with 630% Scanning Increase
Finance
1,100+ employees
As a leading global financial services company, Nomura operates in a highly regulated environment where security and compliance are paramount. The organization’s complex software development ecosystem spans multiple tools, including JIRA, GitLab, SonarQube, ServiceNow, and Jenkins Deploy. Managing all of this requires seamless integration and automated security controls to maintain operational efficiency while meeting stringent security requirements.
Overwhelmed by Manual Security Processes and Limited Visibility
Nomura's development teams were overwhelmed by manual security processes that created bottlenecks throughout their software supply chain. Cross-functional application teams struggled with time-consuming vulnerability management tasks, including manual integration of security scans into CI pipelines. The lack of automated controls meant developers spent valuable time on remediation and analysis instead of building new features. Additionally, the organization lacked comprehensive visibility into the health of its software components, making it difficult to proactively identify and address vulnerabilities before they reached production environments.
Delivering Shift-Left Security and Self-Service Automation to Empower Developers
Nomura successfully transformed its software development lifecycle by implementing the Sonatype Platform for comprehensive software supply chain security. By integrating Sonatype Nexus Repository Manager, Sonatype Repository Firewall, and Sonatype Lifecycle with its existing toolchain, they eliminated manual security processes, achieved industry-leading scanning coverage, and empowered developers to focus on innovation rather than remediation work.
“We’ve built security into our standard CI pipelines, and Sonatype Lifecycle scans are part of every release build in our modernized flow. The data is used throughout the organization to drive security actions, as well as make risk-based release decisions. Combined with our use of Nexus Firewall, we have built up a secure and streamlined software supply chain with the Nexus suite taking a key enabling role.”
Ryan Mills
Group Software Engineering Lead
Nomura achieved a 630% increase in scanning rates, 91% scanning coverage across more than 6,000 applications, and reduced Very High Exposure Risk to just 1.13%. Nomura's software supply chain security strategy is centered on Sonatype Nexus IQ Server (the policy engine behind Lifecycle and Repository Firewall) and Nexus Repository Manager. The solution enforces Malicious Code and Integrity Rating policies in Nexus IQ and enables the Audit and Quarantine capabilities in Nexus Repository Manager for all external proxy repositories, so that components requested from public registries are evaluated before they are cached and served to builds. Nomura also established compliant-version policies on its npm and PyPI repositories to keep vulnerable artifacts out of development builds.
The implementation features risk-based pipeline gates that combine SAST and SCA scan results into a predictive risk score. Gate decisions take as inputs CISA Known Exploited Vulnerabilities (KEV) catalogue indicators, the aggregate risk score, and component health flags, giving developers enriched risk findings and shift-left feedback inside the pipeline itself. Nomura also introduced 14 automated self-service ServiceNow forms, eliminating the need for developers to contact the Toolchain team for routine tasks.
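The gate described above, reduced to its decision logic, as an added example that is not Nomura's or Sonatype's code. The SCA findings, the SAST summary, the KEV entries (placeholder `CVE-0000-*` identifiers, not real vulnerabilities), the SAST weights and the 25.0 threshold are all constructed for illustration; in a real pipeline the SCA and SAST inputs would be parsed from the Lifecycle and SonarQube reports and the KEV set loaded from the published CISA catalogue. The example shows the three independent ways a build can be blocked (a KEV-listed CVE, an unhealthy component, or the aggregate score crossing the threshold) and the feedback a developer would see.

```python
"""Illustrative risk-based CI gate combining SCA, SAST and CISA KEV signals.

Added example: not Nomura's or Sonatype's code. All data below is constructed.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class ScaFinding:
    component: str        # package coordinate (constructed), e.g. "npm:example-pkg@1.0.0"
    cve: str              # placeholder identifier, NOT a real CVE
    cvss: float           # 0.0 - 10.0 as reported by the SCA tool
    healthy: bool = True  # False when the component carries a malicious-code/integrity flag


@dataclass
class SastSummary:
    critical: int = 0
    high: int = 0
    medium: int = 0


@dataclass
class GateDecision:
    allowed: bool
    risk_score: float
    reasons: list[str] = field(default_factory=list)


# Constructed weights: how much each SAST severity bucket adds to the aggregate score.
SAST_WEIGHTS = {"critical": 10.0, "high": 5.0, "medium": 1.0}

# Constructed KEV set: placeholder identifiers standing in for the CISA catalogue.
KEV = {"CVE-0000-0101", "CVE-0000-0202"}


def aggregate_risk(sca: Iterable[ScaFinding], sast: SastSummary) -> float:
    """Single predictive score: sum of CVSS from SCA plus weighted SAST counts."""
    score = sum(f.cvss for f in sca)
    score += (sast.critical * SAST_WEIGHTS["critical"]
              + sast.high * SAST_WEIGHTS["high"]
              + sast.medium * SAST_WEIGHTS["medium"])
    return round(score, 2)


def evaluate_gate(sca: list[ScaFinding], sast: SastSummary,
                  kev: set[str], risk_threshold: float = 25.0) -> GateDecision:
    """Block on any KEV hit or unhealthy component, or when aggregate risk >= threshold.

    KEV and health checks are hard stops regardless of score: a low-CVSS CVE that is
    being exploited in the wild must not pass on score alone.
    """
    reasons: list[str] = []
    for f in sca:
        if f.cve in kev:
            reasons.append(f"{f.component}: {f.cve} is listed in the KEV catalogue")
        if not f.healthy:
            reasons.append(f"{f.component}: component flagged unhealthy")
    score = aggregate_risk(sca, sast)
    if score >= risk_threshold:
        reasons.append(f"aggregate risk {score} >= threshold {risk_threshold}")
    return GateDecision(allowed=not reasons, risk_score=score, reasons=reasons)


def developer_feedback(decision: GateDecision) -> str:
    """Shift-left message printed in the pipeline log for the committing developer."""
    status = "PASS" if decision.allowed else "BLOCKED"
    lines = [f"gate: {status} (aggregate risk {decision.risk_score})"]
    lines += [f"  - {r}" for r in decision.reasons]
    return "\n".join(lines)


# Constructed sample scan results for one release build.
SAMPLE_SCA = [
    ScaFinding("npm:example-left-pad@1.0.0", "CVE-0000-0101", 7.5),             # KEV-listed
    ScaFinding("pypi:example-parser@2.3.1", "CVE-0000-0303", 5.3),
    ScaFinding("npm:example-typo-pkg@0.0.1", "CVE-0000-0404", 0.0, healthy=False),
]
SAMPLE_SAST = SastSummary(critical=0, high=1, medium=3)

# Constructed sample for a build that should pass.
CLEAN_SCA = [ScaFinding("pypi:example-parser@2.4.0", "CVE-0000-0505", 3.1)]
CLEAN_SAST = SastSummary(medium=2)


if __name__ == "__main__":
    decision = evaluate_gate(SAMPLE_SCA, SAMPLE_SAST, KEV)
    print(developer_feedback(decision))
    sys.exit(0 if decision.allowed else 1)   # non-zero exit fails the pipeline stage
```

The hard stops are deliberately evaluated before the score: a KEV-listed component blocks the build even when the aggregate risk is comfortably below the threshold, which is the case for `SAMPLE_SCA` above (score 20.8, still blocked on two grounds).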
Enterprise-Scale Transformation Drives Unprecedented Security and Performance Gains
The transformation delivered exceptional results across multiple dimensions. Nomura achieved a 630% increase in scanning rates when comparing two six-month periods, demonstrating the platform's ability to scale security operations effectively.
With the platform integrated across the organization’s ecosystem, Nomura’s teams were able to use Sonatype’s security capabilities from within the tools they use most. The SonarQube integration contributed to scanning 76 million lines of code across 7,137 projects and 693 application teams, with developers addressing over 319,000 flagged issues as part of their code quality work.
The platform's high-availability architecture processes almost 7,000 daily push requests and nearly 500,000 daily pull requests from GitLab, totaling over 8.5 million combined requests per day. This massive scale demonstrates the solution's ability to support enterprise-grade operations without compromising performance.
The integration between GitLab and Nexus Repository Manager enables processing over 10,000 requests per minute and handling 4.6 million requests on peak days.
“This proactive scanning reduces the amount of hidden work that developers were expected to perform to produce high quality secure code, and it allows that time to be reallocated and productively focused on building new features.”
Agilesh Singaraj
Cloud DevOps Engineer
Building a High-Performance, Secure Software Supply Chain
Nomura's software supply chain transformation exemplifies how strategic implementation of automated security controls can simultaneously improve developer productivity and strengthen security posture. By shifting left with risk-based approaches and consolidating tools around a lean suite of best-in-class applications, they've created a high-performance, secure software supply chain that empowers developers to focus on innovation rather than manual security tasks.
Ready to transform your software supply chain security like Nomura? Book a demo to discover how Sonatype can help your organization achieve similar results.