
Growing Product Adoption

Sonatype Lifecycle is a powerful way to proactively manage your risk from open source software. This section outlines the steps to introduce these automated risk strategies into your development process. Up to this point, these lists have focused on implementing technology. From this point on, these checklists will focus more on the processes you create for your organization.

We break the Sonatype Lifecycle adoption process into five phases:

  • Onboarding Applications - Understand the different ways to import applications and decide on an onboarding strategy.

  • Scanning Applications - Begin regularly scanning a handful of applications while you develop templates and strategies for onboarding all your applications.

  • Assessing Risk & Onboarding Applications - Prioritize which risks to remediate and continue onboarding applications.

  • Remediating Risk - Fix the highest priority risk identified in the previous phase.

  • Preventing Risk - Begin enabling enforcement across your software development lifecycle to prevent new risk from entering your applications.

The goal for each phase is to ready your organization to begin the next phase. There are also a few items to take care of before onboarding your pilot applications.

Goals

Your goals for this stage are:

  • Create the reference wiki with material on how to navigate your Lifecycle workflow.

Action Items

Note

Many of the items below are about documenting the outcomes of the processes you set up. Representatives from your Development, Legal, & AppSec teams should work together to define the right workflows for your organization. See Planning for Lifecycle for more information.

  • Set up a reference wiki for your teams - This can be a section in an existing internal wiki. It should include:

    • Developer Resources

      • Violation Handling Process - How teams should handle new policy violations.

        • Service Level Obligations for remediation - The time allotted to developers to fix the various types of policy violations.

        • Waiver Workflow - How to request a waiver for a component that cannot be remediated.

      • Component Details Page information

      • IDE Plugin installation and configuration

      • How your development teams communicate with AppSec.

      • How your development teams communicate with Legal.

    • Build Resources

      • Build Templates (once created)

      • CI Installation Process

    • Document decision-making workflows and remediation resolutions

    • A Frequently Asked Questions section

    • Links to external resources