I field a flood of requests every week asking to learn more about Nexus Auditor. I get it. Nexus Auditor, in the right use case, is a solid, cost-effective solution.
Is Nexus Auditor the solution for you? Maybe, maybe not. I thought it would be beneficial to explain who should consider Nexus Auditor. So here is an example that I received this week.
First, meet Stephen (not his real name). Stephen is a Senior Security Architect who has worked at ABC Corp. for 10 years. Stephen read a Gartner whitepaper about getting started with Software Composition Analysis (SCA). He thinks this type of solution could help his organization better manage risks around OSS components. Even more importantly, he needs a way to verify license compliance.
Like many others, Stephen did his research on Sonatype.com and other competitor sites before reaching out to me. He is now interested in learning more about Nexus Auditor. Stephen already uses some free tools like OWASP Dependency-Check. However, now that solution is no longer meeting his organization’s scalability and tracking requirements.
Often people like Stephen are confused about the differences between Auditor and Nexus Lifecycle. Is it right for Stephen? Is it right for your organization? Let’s take a look…
Keep It Simple
Do I need Nexus Auditor? Here’s a simple flow chart to walk yourself through:
Where do you want to manage OSS in your application? In Development, or in Production?
Does someone else develop the application I manage? Yes or no?
Do I need to integrate OSS management into the development pipeline (e.g., IDE, CI Server, GitHub)? Yes or no?
All of these answers will determine if Nexus Auditor is a good fit for you.
Nexus Auditor is Superb for Monolithic, Legacy Applications
The people who benefit most
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Kadi Grigg. Read the original post at: https://blog.sonatype.com/considering-nexus-auditor-you-should-but-know-these-things-first