Gene and I love your sticker submission!!!

<!here> Check out a demo of Sonatype's just released https://doesvirtual.com/sonatype and the next generation of #dependencymanagement starting in 5 minutes: https://sonatype.zoom.us/j/95424985928?pwd=OWMweStmY3M0VXo4NngybTBQTDZPZz09 Don't forget to secure your free https://doesvirtual.com/sonatype while in our booth, see you soon!

hello!

Hey Derek, looking forward to your session with Brian and Dr. Magil tomorrow!

<!here> Don't miss @colin827’s presentation "The Three Anti-Patterns of DevOps" starting at 1:35 on https://doesvirtual.com/watch!

<!here> We're swapping war stories and whoever has the biggest blunder wins a Sonatype prize pack. Come share your DevSecOps failure with us tonight during the https://sonatype.zoom.us/j/95424985928?pwd=OWMweStmY3M0VXo4NngybTBQTDZPZz09 and see if your loss can also be your gain!

Hi

Hi

I am interested in getting some information about OSS scans and how is Nexus lifecyle better than tools like BlackDuck and others.

@dharvey is Dwayne around?

Hi Guarav, happy to help you with that

@gauravhanda25 I would start by saying that where we differentiate ourselves is in is around data quality. We were the first to build our own security research team

Thanks so much, how about ROI for customers?

Let me ask specific questions

The highlights are: • Precise data on component / OSS projects on which our automation is based • Scan applications as built -- as opposed to relying manifests, wherever you have your code • DevSecOps pipeline -- integrate where the work is done: block bad components at the repository, plug into IDEs and SCM, integrate with CI/CD and deployment automation, continuously monitor...

1. Does it integrate well with Jenkins/Bamboo and others ?

Yes: https://www.sonatype.com/nexus/integrations#jump_to_integrations

2, How long does it take to scan the codebase? (I know it depends on the jar size) Lets say for an enterprise grade Spring Boot app.

I had more, but let's go with the specifics 😄 ; that's definitely better

oh Sorry, please go ahead

Scan times tend to be ~2-3 minute

I can wait to hear more 🙂

we also recently did a hobson roi exercise, let me dig up the findings

The last big highlights I was going to add are: • Policy. Automate your OSS policy and, when applications are scanned, compare the resulting SBOM to that. It's one thing to provide a list of known vulnerabilities; it's another, altogether, to automatically act based on what vulnerabilities, licensing obligations and quality aspects mean to you (per your policy). Flexible, powerful policy engine, starting with OOTB policies that most of our customers use almost as-is (typically the configuration needed is to specify the actions that should be taken, per policy, per lifecycle stage: i.e., Warn, Fail, Monitor only)

Our ROI study showed increased productivity, improved risk management outcomes. Increased productivity also led to increased time for innovation

Awesome !

Does it provide the summary of vulnerabilities in CICD pipeline?

And fail the build automatically?

Yep, of course, I'm talking solution benefits. As @cyanko is pointing out, we've had studies done to show the ROI, and how we indeed accelerate innovation and save costs while increasing quality and security posture

Very nice and how frequently the database is updated?

Yes, based on policies. Most of customers don’t break build but break the pipeline inb tghe testing phase

Is it a cloud offering or can be installed on-prem?

Our DB is always being updated thanks to our Automated Vulnerability Detection system.

Yes, scan report results are accessible directly within the context of tools with which we integrate (CI/CD, IDE, SCM...)

It can deployed where you want but is self-hosted, no SaaS, yet ;-)

This is great. Can I have email to contact for demo later?

Of course!

I can have our guy reach out to you if that works?

sure.

Done, I think it will be Patrick McGovern

Thanks so much for stopping by!

No worries and thanks so much for taking out time to answer all my questions 🙂

Pleasure! You're welcome