golden repository
DESCRIPTION
Understand the ecosystem of modern software development and the opportunities to transform the historical conflict between developing feature-rich applications quickly for operational benefit, and the increasing need for applications to be developed methodically, securely, in ways that reduce organizational risk.
TRANSCRIPT
The Component Lifecycle Management Company
The Golden Repository of
Yesterday is NOT the Answer
Go Fast. Be Secure.
The Webinar will start at 12 PM EDT
Tweet your thoughts: #sonatype
[Chart: requests in millions per year, 2001 to 2012; 8 billion requests in 2012]
The Component Revolution
The Need for Repository Management
Why Use a Repository?
Reduce Build Times by proxying cloud repositories and caching components locally.
Improve Collaboration by providing a central location to store, manage, and share common components used across developers and teams.
Enhance Control by providing a mechanism to observe, manage, and govern component usage.
Foundation for Agile, Component-Based Development
Nexus Pro
Go Beyond Basic Repository Management
Know Your Components with Repository Health Check.
Gain Control with automated controls for component management.
Ensure Security with access controls and secure connectivity to the Central Repository.
Scale with Ease with smart proxy to ensure your repos are always available and your teams are in sync.
Manage All Your Components with support for .NET / NuGet repositories.
Why Yesterday’s Golden Repo isn’t so Golden
Developers Will Bypass Your Repository
Repo-Only Approaches Aren’t Flexible Enough
[Diagram: Flexibility versus Control]
Golden Repo Component Approvals Can’t Keep Pace
Without Governance, Components Become Stale
Versions without the vulnerabilities exist but they aren’t in the Repo
Vulnerability Discovery is Required
Proactive identification and analysis of security vulnerabilities and licensing issues needs to be ongoing and comprehensive.
Your Strategy Must Extend to Production Apps
Component threats are not static and hackers are not complacent: continuous protection for production apps is needed.
Risk Profiles Vary by App & Organization
Why not use multiple repositories to address these challenges?
Multiple / Segmented Repositories are Not the Answer
Reconciliation tends to happen late in the Dev Cycle
Managing multiple repositories increases the administrative burden
Developers don’t know what will or won’t be approved
Playing the “let’s change the repo URL and see what breaks” game is problematic
So what do you need to solve this problem?
Fast
Precise
Contextual
Actionable
Continuous
A New Approach is Needed
Automated Policies Free Humans
1. Humans define policy.
2. Machines automate the implementation of policy.
3. Humans manage exceptions.
Fast: Automated Policies Speed Development
Info Must Be Specific to My Apps & Toolchain
• Information needs to apply to my application.
• SQL Injection vulnerabilities only apply to DB apps.
• CopyLeft licenses may not be a problem for internal applications or services.
Contextual: Info Must Be Relevant to My Needs
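The "humans define policy, machines apply it, humans manage exceptions" model and the contextual rules above (SQL injection only matters for database apps, copyleft only for distributed apps), as an added illustration that is not Sonatype's code. The rules, component metadata, application contexts and waivers are all constructed for the example.

```python
from dataclasses import dataclass

COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}  # constructed, not an exhaustive list

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    vuln_categories: tuple = ()  # constructed tags, e.g. ("sql-injection",)
    fixed_in: str = ""           # newer version without the known issue, if any

@dataclass(frozen=True)
class AppContext:
    name: str
    distributed: bool    # shipped outside the org, so copyleft terms apply
    uses_database: bool  # SQL-injection findings are only relevant here

def rule_copyleft(comp, ctx):
    """Copyleft is a finding only for distributed apps; internal use passes."""
    if comp.license in COPYLEFT and ctx.distributed:
        return (f"{comp.license} license in distributed app",
                "swap for a permissively licensed alternative")
    return None

def rule_sqli(comp, ctx):
    """A known SQL-injection issue matters only if the app talks to a database."""
    if "sql-injection" in comp.vuln_categories and ctx.uses_database:
        fix = f"upgrade to {comp.fixed_in}" if comp.fixed_in else "replace component"
        return ("known SQL-injection vulnerability", fix)
    return None

RULES = {"copyleft": rule_copyleft, "sqli": rule_sqli}  # the human-defined policy

def evaluate(comp, ctx, waivers=frozenset()):
    """Apply every rule in context; a waiver (app, component, version, rule)
    records a human-managed exception instead of silently dropping the finding."""
    results = []
    for rule_name, rule in RULES.items():
        hit = rule(comp, ctx)
        if hit is None:
            continue
        finding, guidance = hit
        waived = (ctx.name, comp.name, comp.version, rule_name) in waivers
        results.append({"rule": rule_name, "finding": finding,
                        "guidance": guidance, "waived": waived})
    return results

def blocking(results):
    """Findings that should fail the build: every finding that is not waived."""
    return [r for r in results if not r["waived"]]

# Constructed sample data: one component evaluated against two application contexts
CORE_LIB = Component("corelib", "1.2", "GPL-3.0", ("sql-injection",), fixed_in="1.4")
PUBLIC_APP = AppContext("shop", distributed=True, uses_database=True)
INTERNAL_TOOL = AppContext("reporting", distributed=False, uses_database=False)
WAIVERS = frozenset({("shop", "corelib", "1.2", "copyleft")})
```

The same component yields no findings for the internal tool and two for the public app, and the waiver keeps the license finding visible while only the unwaived vulnerability blocks the build.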
Only Developers Can Fix It: Guidance is Key
• Now that you've told me about a problem, tell me what I can do to fix it.
• Suggest alternatives.
• Even if I don't completely understand the risk, if you show me an easy fix, I will take it.
Actionable: Help Developers Fix Problems
Component Vulnerabilities are not Static
• Applications that have "left the building" don't age like wine.
• They age like milk and you need to monitor for newly discovered threats.
Continuous: Constant Diligence is Needed to Prevent Rot
Only Sonatype is designed for how applications are constructed today.
Only Sonatype provides automated policies that guide development and production effort for the entire software lifecycle.
Sonatype Product Family
Sonatype Nexus Repository Management: Speed builds; Improve collaboration; Controlled release process
• Nexus OSS Repository: Industry standard open source repository manager
• Nexus Pro: Enterprise features, enterprise support
• Nexus Pro CLM Edition: Component governance in the repo
Sonatype CLM (Component Lifecycle Management): Centrally define governance policies; Enforce throughout the lifecycle; Integrate with existing developer tools; Build security in from the start; Continuous trust for production apps
Want to Learn More?
Download a Free Trial – Updated Trial Guide and New Ant & Gradle Samples http://www.sonatype.com/nexus/free-trial
Join Nexus Live – Automated Deployment of Nexus as Part of a SaaS Platform http://www.sonatype.com/october-nexus-live October 23rd
Yes, Policies Can Speed Development: November 6th at 12pm EDT
Register Now - http://www.sonatype.com/request/nexus-webinar-series
Exclusive Brief – Successful Agile Development Efforts Require Automated “Golden” Policies
Available Only to Registrants