Assessing Component Risk Checklist

Once you have scan results, you can begin prioritizing risk. In this step, you want to identify the highest-risk applications and formulate a plan to address that risk. This series of steps will prepare you to remediate the risk in your applications.

Goals

  • Continue onboarding applications

  • Identify the largest sources of risk

  • Define Service Level Obligations for addressing violations based on severity

  • Enable Notifications

  • Create a remediation plan

Action Items

  1. Continue onboarding applications - Now that your pilot applications have been onboarded, it's time to bring on all of your applications. This initial onboarding can be one of the most time-intensive parts of adopting Sonatype Lifecycle.

  2. Identify Targets for Remediation - Identify the most important applications to focus on for remediation. Consider both the potential cost of an application breach and the severity of an application's policy violations when prioritizing applications.

  3. Define Service Level Obligations for Remediation - Work with development, application security, and legal to set timelines for development teams to address violations of different severity.

    • Communicate these SLOs to all relevant stakeholders - Making sure everyone is aware of these new SLOs is vital to your success with Lifecycle. Communicate these new expectations through multiple channels.

    • Document SLOs - Add the SLOs to your wiki and any other relevant locations.

  4. Enable Notifications - Begin turning on notifications for policy violations. This will alert teams when they have a new violation.

    • As a best practice, any new violations should have notifications enabled.

    • Set expectations for how teams should address a new policy violation.

  5. Create a Lifecycle Remediation Plan - This is the way your development teams will use Lifecycle to find and address open source risk.

    • We recommend prioritizing components that can be remediated with a simple upgrade and then focusing on manually resolving or waiving other violations based on severity.

  6. Establish License Violation Workflow - License risk can't usually be resolved by upgrading to a newer version of the same component. This may result in a separate workflow with your legal team to address components with risky licenses.

    • Create License FAQ - Add a FAQ for developers to your wiki.

    • Review Lifecycle Legal tools - Lifecycle has a number of features to generate attribution reports and help with license identification.
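The prioritization rules in items 2, 3, 5 and 6 above can be turned into a small triage routine. The following Python is an added example, not Sonatype's code and not the Lifecycle API: it assumes scan results have been exported to a list of records with the field names shown, and the severity labels, SLO day counts and sample violations are constructed for illustration. It ranks applications by breach cost weighted by violation severity, orders the remediation queue so that simple upgrades come first, routes license violations to the separate legal workflow, and flags any violation that has exceeded its SLO.

```python
"""Triage of open policy violations against per-severity SLOs.

Added example, not Sonatype's code or API. Assumes scan results have been
exported to dicts with the fields used in SAMPLE_VIOLATIONS (field names,
severity labels and SLO values are assumptions).
"""
from datetime import date

# Days allowed to address a violation, by severity (assumed values;
# agree these with development, application security and legal).
SLO_DAYS = {"critical": 7, "severe": 30, "moderate": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "severe": 1, "moderate": 2, "low": 3}

# Constructed sample: one record per open violation.
# breach_cost is a relative 1..3 estimate of the impact of a breach of the app.
SAMPLE_VIOLATIONS = [
    {"app": "payments", "breach_cost": 3, "component": "libA 1.2.0",
     "severity": "critical", "kind": "security", "upgrade_available": True,
     "opened": date(2024, 5, 20)},
    {"app": "payments", "breach_cost": 3, "component": "libB 0.9",
     "severity": "moderate", "kind": "security", "upgrade_available": False,
     "opened": date(2024, 4, 1)},
    {"app": "intranet-wiki", "breach_cost": 1, "component": "libC 2.0",
     "severity": "severe", "kind": "security", "upgrade_available": True,
     "opened": date(2024, 5, 25)},
    {"app": "intranet-wiki", "breach_cost": 1, "component": "libD 4.1",
     "severity": "low", "kind": "license", "upgrade_available": False,
     "opened": date(2024, 1, 1)},
]


def days_open(violation, today):
    """Age of the violation in days as of `today`."""
    return (today - violation["opened"]).days


def slo_breached(violation, today):
    """True when the violation has been open longer than its severity's SLO."""
    return days_open(violation, today) > SLO_DAYS[violation["severity"]]


def remediation_bucket(violation):
    """Route each violation to the workflow that can actually close it."""
    if violation["kind"] == "license":
        return "legal-workflow"        # item 6: upgrades rarely fix license risk
    if violation["upgrade_available"]:
        return "upgrade"               # item 5: simple upgrades first
    return "manual-or-waive"           # item 5: resolve manually or waive


def prioritize_applications(violations):
    """Item 2: rank applications by breach cost weighted by severity."""
    score = {}
    for v in violations:
        weight = 4 - SEVERITY_RANK[v["severity"]]   # critical=4 ... low=1
        score[v["app"]] = score.get(v["app"], 0) + v["breach_cost"] * weight
    return sorted(score, key=lambda app: -score[app])


def remediation_plan(violations, today):
    """Ordered work queue: upgrades, then manual fixes, then legal items;
    within a bucket by severity, oldest first. Each entry carries its
    SLO status so overdue items are visible to the team notified."""
    bucket_order = {"upgrade": 0, "manual-or-waive": 1, "legal-workflow": 2}
    ordered = sorted(
        violations,
        key=lambda v: (bucket_order[remediation_bucket(v)],
                       SEVERITY_RANK[v["severity"]],
                       -days_open(v, today)),
    )
    return [(v["app"], v["component"], remediation_bucket(v),
             slo_breached(v, today)) for v in ordered]


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    print("Application priority:", prioritize_applications(SAMPLE_VIOLATIONS))
    for app, comp, bucket, overdue in remediation_plan(SAMPLE_VIOLATIONS, as_of):
        print(f"{app:14} {comp:12} {bucket:16} {'SLO BREACHED' if overdue else ''}")
```

The SLO table is the single place to change when timelines are renegotiated, and the `slo_breached` flag is what a notification (item 4) should carry so the receiving team knows whether the new violation is already outside its agreed window.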

Measuring Success

Success is measured with the Success Metrics script by looking at the number of onboarded applications and the number of scans. If 90% to 100% of all applications are onboarded and regularly scanned, you're ready to move on.