Phase 3 - Removing Risk

Remediating Component Risk

Once your risk has been prioritized, it's time to begin fixing it. The typical strategy for this is to upgrade to versions with less risk whenever possible, then waive non-applicable vulnerabilities, replace components that are vulnerable and cannot be upgraded, and finally accept any necessary risk.

  • Upgrade Components

    This is the easiest and quickest way to remove policy violations.

  • Determine if the remaining vulnerabilities are exploitable

    Oftentimes, vulnerable components can be used in secure ways. If a violation doesn't apply to your application, you can accept that risk and review the component regularly until a safer version is released.

  • Apply time-bound waivers

    Apply time-bound waivers to components with non-exploitable vulnerabilities.

  • Replace exploitable components with no safe upgrade path

    If a component is vulnerable and exploitable, it may need to be substituted with a similar one with less risk.

  • Accept necessary risk

    Apply time-bound policy waivers to violations that cannot be remediated.
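The remediation order above (upgrade, waive what is not exploitable, replace, accept with an expiring waiver) as an added Python example; this is not Sonatype's code or API. The violation records, the 90-day waiver length and all field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

WAIVER_DAYS = 90  # assumed time-bound waiver length; adjust to your SLO

@dataclass
class Violation:
    component: str
    version: str
    exploitable: bool            # outcome of the "does it apply here?" review
    safe_upgrade: Optional[str]  # version that clears the policy, if any
    replacement: Optional[str]   # lower-risk substitute component, if known

@dataclass
class Decision:
    component: str
    action: str                  # upgrade | waive | replace | accept
    detail: str
    waiver_expires: Optional[date] = None

def triage(v: Violation, today: date) -> Decision:
    """Walk the remediation order; waivers always carry an expiry date."""
    if v.safe_upgrade:
        return Decision(v.component, "upgrade", f"{v.version} -> {v.safe_upgrade}")
    expiry = today + timedelta(days=WAIVER_DAYS)
    if not v.exploitable:
        return Decision(v.component, "waive", "not exploitable here; re-review at expiry", expiry)
    if v.replacement:
        return Decision(v.component, "replace", f"substitute {v.replacement}")
    return Decision(v.component, "accept", "no fix or substitute; accepted until expiry", expiry)

def triage_all(violations: List[Violation], today: date) -> List[Decision]:
    return [triage(v, today) for v in violations]

def expired_waivers(decisions: List[Decision], today: date) -> List[Decision]:
    """Waivers whose review date has passed must be re-evaluated, not silently kept."""
    return [d for d in decisions if d.waiver_expires and d.waiver_expires <= today]

# Constructed sample violations (hypothetical components, not real scan output)
SAMPLE = [
    Violation("lib-a", "1.2.0", True, "1.3.1", None),
    Violation("lib-b", "4.0.0", False, None, None),
    Violation("lib-c", "0.9.0", True, None, "lib-d"),
    Violation("lib-e", "2.1.0", True, None, None),
]

if __name__ == "__main__":
    for d in triage_all(SAMPLE, date.today()):
        print(d.component, d.action, d.detail, d.waiver_expires)
```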

Preventing Risk

Sonatype Lifecycle's automated policy enforcement tools let you keep components with the greatest risk from ever entering production. They're powerful and potentially disruptive. By this point your teams should be adept at remediating policy violations, and you are ready to begin automatically enforcing your policy standards. Policy enforcement can be done at the organization and application level. This enforcement should be introduced gradually.

  • Review Enforcement Best Practices

  • Establish criteria for enabling enforcement

    Decide when you'll begin enforcing policy violations by breaking builds.

  • Determine feedback channels

    Enabling enforcement can be challenging. Having a way to solicit and respond to feedback will help you successfully turn on policy enforcement.

  • Set expectations

    Be clear about what violations will be blocked and when. Also remind all teams of SLOs and other expectations.

  • Enable Enforcement for critical violations

    Prevent components with known risk from entering production.

  • Gradually enable enforcement of other policies

    Over time, enforce more policies to lower the acceptable risk level in your applications.

Shifting Left

So where do we go from here? With enforcement enabled, it's time to begin making good component decisions and proactive choices earlier in your development process. This is called shifting left.

  • Make Intentional Upgrade Decisions

  • Empower Developers to pick better components

  • Configure IDE Plugins

  • Configure Chrome Plugin

  • Leverage Data Insights