Margueritte Kim (CEO, IT Revolution, she/her)15:10:56

Gene and I love your sticker submission!!!

thankyou 3
Dessie, Sonatype18:10:08

<!here> Check out a demo of Sonatype's just released and the next generation of #dependencymanagement starting in 5 minutes: Don't forget to secure your free while in our booth, see you soon!

๐Ÿ‘ 1
๐Ÿ˜ 1
Robb Barwis20:10:52

Hey Derek, looking forward to your session with Brian and Dr. Magil tomorrow!

โ˜๏ธ 1
Dessie, Sonatype20:10:55

<!here> Don't miss @colin827’s presentation "The Three Anti-Patterns of DevOps" starting at 1:35 on!

Dessie, Sonatype22:10:18

<!here> We're swapping war stories and whoever has the biggest blunder wins a Sonatype prize pack. Come share your DevSecOps failure with us tonight during the and see if your loss can also be your gain!

๐Ÿ‘ 1
Gaurav Handa22:10:23

I am interested in getting some information about OSS scans and how Nexus Lifecycle is better than tools like BlackDuck and others.

Curtis Yanko - Sonatype22:10:27

@dharvey is Dwayne around?

Dwayne Dreakford - Sonatype22:10:09

Hi Gaurav, happy to help you with that

Curtis Yanko - Sonatype22:10:47

@gauravhanda25 I would start by saying that where we differentiate ourselves is around data quality. We were the first to build our own security research team

Gaurav Handa22:10:36

Thanks so much, how about ROI for customers?

Gaurav Handa22:10:42

Let me ask specific questions

Dwayne Dreakford - Sonatype22:10:56

The highlights are:
• Precise data on component / OSS projects on which our automation is based
• Scan applications as built -- as opposed to relying on manifests, wherever you have your code
• DevSecOps pipeline -- integrate where the work is done: block bad components at the repository, plug into IDEs and SCM, integrate with CI/CD and deployment automation, continuously monitor...

Gaurav Handa22:10:56

1. Does it integrate well with Jenkins/Bamboo and others ?

๐Ÿ‘ 1
Gaurav Handa22:10:56

2. How long does it take to scan the codebase? (I know it depends on the jar size) Let's say for an enterprise grade Spring Boot app.

Dwayne Dreakford - Sonatype22:10:22

I had more, but let's go with the specifics 😄 ; that's definitely better

Gaurav Handa22:10:31

oh Sorry, please go ahead

Curtis Yanko - Sonatype22:10:35

Scan times tend to be ~2-3 minutes

Gaurav Handa22:10:46

I can wait to hear more 🙂

Curtis Yanko - Sonatype22:10:20

we also recently did a Hobson ROI exercise, let me dig up the findings

Dwayne Dreakford - Sonatype23:10:11

The last big highlights I was going to add are:
• Policy. Automate your OSS policy and, when applications are scanned, compare the resulting SBOM to that. It's one thing to provide a list of known vulnerabilities; it's another, altogether, to automatically act based on what vulnerabilities, licensing obligations and quality aspects mean to you (per your policy). Flexible, powerful policy engine, starting with OOTB policies that most of our customers use almost as-is (typically the configuration needed is to specify the actions that should be taken, per policy, per lifecycle stage: i.e., Warn, Fail, Monitor only)

Curtis Yanko - Sonatype23:10:14

Our ROI study showed increased productivity, improved risk management outcomes. Increased productivity also led to increased time for innovation

Gaurav Handa23:10:45

Does it provide the summary of vulnerabilities in CICD pipeline?

✅ 1
Gaurav Handa23:10:54

And fail the build automatically?

✅ 1
Dwayne Dreakford - Sonatype23:10:59

Yep, of course, I'm talking solution benefits. As @cyanko is pointing out, we've had studies done to show the ROI, and how we indeed accelerate innovation and save costs while increasing quality and security posture

Gaurav Handa23:10:22

Very nice and how frequently the database is updated?

Curtis Yanko - Sonatype23:10:42

Yes, based on policies. Most customers don’t break the build but break the pipeline in the testing phase

Gaurav Handa23:10:23

Is it a cloud offering or can be installed on-prem?

Curtis Yanko - Sonatype23:10:32

Our DB is always being updated thanks to our Automated Vulnerability Detection system.

Dwayne Dreakford - Sonatype23:10:52

Yes, scan report results are accessible directly within the context of tools with which we integrate (CI/CD, IDE, SCM...)

Curtis Yanko - Sonatype23:10:11

It can be deployed where you want but is self-hosted, no SaaS, yet ;-)

Gaurav Handa23:10:29

This is great. Can I have an email to contact for a demo later?

Curtis Yanko - Sonatype23:10:20

I can have our guy reach out to you if that works?

Curtis Yanko - Sonatype23:10:40

Done, I think it will be Patrick McGovern

Curtis Yanko - Sonatype23:10:08

Thanks so much for stopping by!

Gaurav Handa23:10:50

No worries and thanks so much for taking out time to answer all my questions 🙂

Dwayne Dreakford - Sonatype23:10:19

Pleasure! You're welcome