Endress+Hauser and the Nexus Platform

Instrumentation and Process Automation Software Leverages the Nexus Platform

Endress+Hauser (Endress and Hauser) is a Swiss-based instrumentation and process automation company with a network of 100 companies in 44 countries. In 2017 the Group generated net sales of €2.1 billion. Production facilities for E+H are located in Germany, Switzerland, France, Italy, South Africa, the United States, China, India, Japan and Brazil.

The in-house software development team uses the Nexus Platform for open source software licensing and governance, while managing component vulnerability and risk assessment.

The Challenge: Tracking and Monitoring Library Consumption for Open Source Hygiene

Lars Brößler, Senior Software Developer, is on a team responsible for developing new software as well as maintaining the system's legacy features. His team developed and maintains a large number of applications for in-house consumption.

“We evaluated Black Duck, Veracode and Nexus Lifecycle. My colleagues and I chose Lifecycle because it is the best user interface for what we are trying to do: remove all critical findings before they reach production.”
— Lars Brößler, Senior Software Developer, Endress+Hauser

Lars describes challenges he was having with the use of open source components and libraries in the existing workflow. "Too many libraries were being downloaded and used. There was no tracking or monitoring of component or library consumption. Anyone could download, leaving no clues as to which libraries were being used, or where."

The most difficult challenge was the use of a manual tracking process. "We had set up a process to manually track hundreds of applications. We stopped after assessing fifteen libraries," Lars said, shaking his head. "There was no way we would be able to scale or handle the volume of consumption."

The Solution: Embracing Nexus Lifecycle to Reduce False Positives When Monitoring Application Health

Lars and his team began looking for a solution. They narrowed the search down to three possible solutions.

"We evaluated Black Duck, Veracode and Nexus Lifecycle. We found that Nexus Lifecycle was the best on the market for managing software licensing of open source and component vulnerabilities. My colleagues and I chose Lifecycle because it is the best user interface for what we are trying to do: remove all critical findings before they reach production."

Compared with Veracode and Black Duck, Nexus Lifecycle presented minimal false positives. The team created a proof of concept (PoC) to present to the board. "It was a logical decision for them to approve the purchase."

The Outcome: Automatically Track and Monitor Deployed Components in Both Development and Production

The challenges Lars was having with open source consumption and management have all but disappeared through the use of the Nexus Platform. Nexus Lifecycle gives the team the ability to automatically track and monitor deployed components not only in development, but in production as well.

"We are able to access the same libraries for multiple builds," Lars explains. "We have the ability to see libraries within the entire company, down to which versions appear in which apps."

The Conclusion: Integrating Sonatype Nexus Into the Security Pipeline Removes Critical Findings Before They Reach Production

When asked why Endress+Hauser chose the Nexus Platform, Lars didn't hesitate. "We evaluated Black Duck, Veracode and Nexus Lifecycle. My colleagues and I chose Nexus Lifecycle because it has the best usability for what we are trying to do: newly developed apps must have all critical findings removed before they reach production."

"The Nexus Platform will be integrated into the security pipeline and be mandatory as soon as our updated security guidelines go into effect. The goal is to have no application going into production without the automated evaluation by Nexus Lifecycle."

Lars concluded by expressing his satisfaction with the Nexus Platform. "I personally chose Nexus. Not only does it make my work easier, it simplifies our security process. I definitely recommend it."