2020-10-13
Channels
- # ask-the-speaker-track-1 (705)
- # ask-the-speaker-track-2 (287)
- # ask-the-speaker-track-3 (195)
- # ask-the-speaker-track-4 (356)
- # bof-american-airlines (68)
- # bof-arch-engineering-ops (28)
- # bof-covid-19-lessons (4)
- # bof-cust-biz-tech-divide (2)
- # bof-leadership-culture-learning (5)
- # bof-next-gen-ops (10)
- # bof-overcoming-old-wow (7)
- # bof-project-to-product (5)
- # bof-sec-audit-compliance-grc (5)
- # bof-transformation-journeys (6)
- # bof-working-with-data (3)
- # burnout (31)
- # demos (72)
- # discussion-connect-february (1193)
- # games (114)
- # happy-hour (252)
- # help (197)
- # hiring (25)
- # lean-coffee (30)
- # networking (20)
- # project-to-product (21)
- # psychological-safety (9)
- # summit-info (798)
- # summit-stories (4)
- # xpo-atlassian (10)
- # xpo-datadog (6)
- # xpo-delphix (32)
- # xpo-digitalai-accelerates-software-delivery (9)
- # xpo-gitlab-the-one-devops-platform (5)
- # xpo-harness (3)
- # xpo-hcl-software-devops (9)
- # xpo-infosys-enterprise-agile-devops (10)
- # xpo-instana (8)
- # xpo-itmethods-manageddevopssaas (9)
- # xpo-itrevolution (20)
- # xpo-launchdarkly (6)
- # xpo-logdna (12)
- # xpo-logzio (2)
- # xpo-moogsoft (4)
- # xpo-muse (7)
- # xpo-nowsecure-mobile-devsecops (6)
- # xpo-opsani (16)
- # xpo-optimizely (3)
- # xpo-pagerduty (10)
- # xpo-pc-devops-qualifications (9)
- # xpo-planview-tasktop (14)
- # xpo-plutora-vsm (10)
- # xpo-redgatesoftware-compliant-database-devops (6)
- # xpo-servicenow (18)
- # xpo-snyk (11)
- # xpo-sonatype (43)
- # xpo-split (34)
- # xpo-sysdig (29)
- # xpo-teamform-teamops-at-scale (20)
- # xpo-transposit (11)
- # xpo-tricentis-continuous-testing (5)
<!here> Check out a demo of Sonatype's just released https://doesvirtual.com/sonatype and the next generation of #dependencymanagement starting in 5 minutes: https://sonatype.zoom.us/j/95424985928?pwd=OWMweStmY3M0VXo4NngybTBQTDZPZz09 Don't forget to secure your free https://doesvirtual.com/sonatype while in our booth, see you soon!
Hey Derek, looking forward to your session with Brian and Dr. Magil tomorrow!
<!here> Don't miss @colin827's presentation "The Three Anti-Patterns of DevOps" starting at 1:35 on https://doesvirtual.com/watch!
<!here> We're swapping war stories and whoever has the biggest blunder wins a Sonatype prize pack. Come share your DevSecOps failure with us tonight during the https://sonatype.zoom.us/j/95424985928?pwd=OWMweStmY3M0VXo4NngybTBQTDZPZz09 and see if your loss can also be your gain!
I am interested in getting some information about OSS scans and how Nexus Lifecycle is better than tools like BlackDuck and others.
@gauravhanda25 I would start by saying that where we differentiate ourselves is around data quality. We were the first to build our own security research team.
The highlights are:
- Precise data on components / OSS projects, on which our automation is based
- Scan applications as built, as opposed to relying on manifests, wherever you have your code
- DevSecOps pipeline: integrate where the work is done. Block bad components at the repository, plug into IDEs and SCM, integrate with CI/CD and deployment automation, continuously monitor...
Yes: https://www.sonatype.com/nexus/integrations#jump_to_integrations
2. How long does it take to scan the codebase? (I know it depends on the jar size.) Let's say for an enterprise-grade Spring Boot app.
I had more, but let's go with the specifics; that's definitely better
We also recently did a Hobson ROI exercise, let me dig up the findings
The last big highlight I was going to add is:
- Policy. Automate your OSS policy and, when applications are scanned, compare the resulting SBOM to it. It's one thing to provide a list of known vulnerabilities; it's another, altogether, to automatically act based on what vulnerabilities, licensing obligations and quality aspects mean to you (per your policy). Flexible, powerful policy engine, starting with OOTB policies that most of our customers use almost as-is (typically the configuration needed is to specify the actions that should be taken, per policy, per lifecycle stage, i.e., Warn, Fail, Monitor only)
Our ROI study showed increased productivity, improved risk management outcomes. Increased productivity also led to increased time for innovation
Yep, of course, I'm talking solution benefits. As @cyanko is pointing out, we've had studies done to show the ROI, and how we indeed accelerate innovation and save costs while increasing quality and security posture
Yes, based on policies. Most of our customers don't break the build but break the pipeline in the testing phase
Our DB is always being updated thanks to our Automated Vulnerability Detection system.
Yes, scan report results are accessible directly within the context of tools with which we integrate (CI/CD, IDE, SCM...)
No worries and thanks so much for taking out time to answer all my questions