
Project Initiation (1st month)

Meet with a Sonatype Customer Success representative

  • Our Customer Success Engineers are the coaches who filter what's important for your deployment.

  • Establish a regular cadence with your Account team to guide you along the way.

    • Plan to meet weekly for the first month.

    • Move to biweekly for the next six months.

    • Meet monthly or quarterly depending on additional needs.

Start your deployment with a project plan that aligns with your primary desired outcomes (PDOs)

  • We recommend that you define and regularly review your primary desired outcomes.

    • These are specific business results or strategic objectives that your company would like to achieve with the Sonatype Platform.

  • These are the results you report to your primary stakeholders by next year's renewal.

  • Associate them with specific goals.

  • Measure them throughout the deployment.

  • They are the guiding star that keeps your team focused on what is most important.

Set a timeline to achieve and review your strategic outcomes

  • Start with clear goals that are meaningful and measurable.

  • It is seldom possible to do everything right away.

  • Use a short-cycle agile pilot team to document how to expand.

  • Report successes and challenges back to management to drive the project forward.

Determine your open-source governance champions

  • DevSecOps initiatives require key individuals aligned to a shared goal.

  • Responsibilities of champions include:

    • Maintain internal documentation

    • Determine acceptable risk

    • Set expectations for stakeholders

    • Design workflows for deployment

    • Drive expansion to the rest of the organization

    • Respond to questions and feedback

  • Publish a list of champions and their roles to assist with adoption.

Champion roles and their responsibilities

Lifecycle Sponsors
  • Primary point of contact for Sonatype Customer Success and Support

Server Administrators
  • Maintain the IQ Server software and infrastructure

  • Responsible for upgrading, cleanup, backup/restore, testing, monitoring, and reporting

Policy Owners
  • Design and implement the open-source governance policy

  • Set the notifications workflow

  • Manage enforcement throughout the application lifecycle

Operations / Build Engineers
  • Integrate Lifecycle scans into the application build pipeline

Application / Project Owners
  • Prioritize remediation efforts

  • Accept open-source risk

  • Manage technical debt

Developers
  • Research reported risk

  • Remediate issues in the code base

  • Request policy waivers

  • Proactively follow good open-source hygiene

Use an internal wiki to document requirements and processes

  • Plan for long-term success by documenting from the beginning.

  • Have Champions own their respective sections of the documentation.

  • Include a review of team documentation as a regular task.

  • Use Sonatype learning resources to augment developer enablement.

  • Use a component remediation catalog for faster remediation of common libraries and vulnerabilities.

Deploy the IQ Server to a testing environment before rolling it out to production

  • First, deploy integrations to a testing environment to reduce the impact on production.

  • Use a backup of the production environment in your testing environment to minimize the impact of running intensive reports and scripts.

  • Consider using an A/B testing environment to manage upgrades.

  • Your Lifecycle license can be used in any of your testing and production environments.