General Lifecycle Best Practices
Identify your Primary Desired Outcome (PDO)
- Your Primary Desired Outcome is a strategic, achievable, specific goal your organization wants from their Sonatype Lifecycle subscription.
- A PDO communicates an organization's priorities with a timeframe and includes a measurement that will indicate success.
- Reduce the severity of security violations in our apps by 50% within 12 months
- Reduce unplanned or unscheduled developer work by 30% within 12 months
- Reduce reaction time to sudden vulnerability events by 90% within 12 months
Align expectations from executive management with all stakeholders
- DevSecOps transformations are the intersection between people, processes, and technology
- This requires a tactical plan to bring these together to meet your PDO.
- This plan will change over time but needs to include expectations from upper management and other stakeholders.
- Lifecycle is a powerful technology for automatic open-source governance but is only 1/3rd of the equation.
- You will need to bring the right people together on a shared plan to be successful.
Document your open-source governance journey in a central location
- Establish channels of communication for documentation, training, support, and reporting.
- The Sonatype Definitive Guides can help you educate the basics to your team
- The Sonatype self-guided Learning Portal is available for anyone from your organization and access is managed by your admins.
- Customer Success Engineers have tested reporting tools for generating executive business reviews.
- The Sonatype Developer Relationship team publishes regular articles to keep your teams informed with important trends.
Integrate Lifecycle into your CI/CD system
Make integration with your CI/CD system a goal in your journey with Lifecycle
- Regardless of how you start with Lifecycle, full integration with your CI/CD tools should be a goal for every deployment, regardless of your organization's size, business goals, and maturity.
- Good CI/CD integration produces the highest-accuracy scans, enables automatic enforcement actions, and ensures that your in-development apps are scanned regularly.
Budget adequate time for integration efforts
- The CI/CD process is the heart of modern software development, and its efficacy probably affects every part of your development process.
- Give your Operations team the time and budget necessary to make a stable, successful integration their priority.
Configure Lifecycle for long-term success
Set up LDAP/SAML for easy login
- Tools that are time-consuming to access will go unused, so it's in your best interests to make logging into Lifecycle quick and painless.
- Don't delay in setting up LDAP/SAML for IQ Server, and then test thoroughly.
- In the ideal scenario, IQ Server roles and permissions will map to your LDAP users and groups.
Align Lifecycle role-based access to your organization’s directory service
- User access can most easily scale when aligned with your existing LDAP or Active Directory.
- Start with the inbuilt roles to follow the principle of least privilege.
Turn on notifications, and send them someplace they'll be seen
- Notifications can alert stakeholders to new and severe risks in their apps.
- Your exact notification configuration will depend on your organization's needs and maturity, but at least turn on notifications for severity levels 9 and 10 violations.
- Avoid creating noise by only notifying the stakeholders who are responsible for addressing risk.
- And be sure that notifications are going someplace they'll be seen – if no one checks their email, then sending notifications by email won't be effective.
Enforcement and remediation
Block builds that contain critical vulnerabilities at the release stage
- Vulnerabilities with a CVSS score of 9 or 10 pose a serious risk and should be prioritized
Integrate remediation efforts into your issue-tracking tools
- Aggregate all the violations for one component into a single ticket
- Often upgrading the component will remediate multiple issues at once
Avoid aggregating Lifecycle scan results with other scans
- Lifecycle results are precise and will not include false positives from other tools
- Aggregating the results will create noise for your developers to filter or ignore
Monitoring your IQ Server
As a critical part of your build pipeline, you will want to monitor the performance and operation of the IQ Server. The following are models common with Lifecycle developments.
IQ Server Health and Uptime
- Failover checks on the availability of the service using the health check API endpoint
- Tracking user activity and server performance of the server using the metrics API endpoint
- Monitor the performance of High Availability deployments
IQ Server Disk Usages and Data Retention
- Monitor the disk usage to avoid the critical issue of running out of space
- Configure data retention policies to purge old scans and reports
- Periodically delete the contents of the trash directory to reclaim used space
Logging and Activity
- Modify the log retention from the config.yml
- Backup and archive server logs based on your retention policies
- Audit access controls with the audit log
IQ Server data retention and maintenance
The IQ Server UI will display the latest scan for a given stage, however, every scan is retained as a separate report.
Configure data purging for older scan reports
- Running daily scans on hundreds or thousands of applications can consume a significant amount of space
- By default, IQ Server purges after 3 months for early scans and 10 years for scans that occur later in an app's lifetime
- Continuous Monitoring scans can be cleaned up after 30 days.
Use the purgeScanFiles property to keep scan files for scan promotion
- Scan files are deleted when the next scan for the same application happens.
- The latest files are retained for Continuous Monitoring however older scans may be needed for Scan Promotion.
- Setting the purgeScanFiles property to withReports will keep a copy around until their corresponding reports are cleaned.
Back up the IQ Server regularly
- We recommend backing up the IQ Server at least once a week up to daily
There are 3 main components to consider when backing up
Reports and Logs
Server binaries and configuration
Delete the contents of the trash directory to reclaim space
- The IQ Server data retention task will move scan reports to a trash directory.
- Clean this directory to recover server space.
- Include as a step in your regular backup process.
Plan to upgrade your IQ Server at least once a quarter (90 days)
- Sonatype frequently releases new versions of the IQ Server as functionality becomes available.
- These include performance improvements as well as security and bug fixes.
- We recommend upgrading at a minimum of once a quarter (90 days).
Upgrade your IQ Server to the latest version in your test environment and N-1 version in your production environment
- Using N-1 version in your production environment limits risk and ensures you're using a stable version of IQ Server.
- Using the latest in your test environment allows you to try out new features and identify better workflows.
Upgrade your integrations with Lifecycle
- New releases of IQ Server depend on changes to our scanners embedded in your build environments.
- Review the Downloads and Compatibilities page for integration upgrades.
- Command Line Scanner (CLI) is found within the IQ Server download archive