General Lifecycle Best Practices

Your Primary Desired Outcome is a strategic, achievable, specific goal your organization wants from their Sonatype Lifecycle subscription.

A PDO communicates an organization's priorities with a timeframe and includes a measurement that will indicate success.

Reduce the severity of security violations in our apps by 50% within 12 months

Reduce unplanned or unscheduled developer work by 30% within 12 months

Reduce reaction time to sudden vulnerability events by 90% within 12 months

DevSecOps transformations are the intersection between people, processes, and technology

This requires a tactical plan to bring these together to meet your PDO.

This plan will change over time but needs to include expectations from upper management and other stakeholders.

Lifecycle is a powerful technology for automatic open-source governance but is only 1/3rd of the equation.

You will need to bring the right people together on a shared plan to be successful.

Establish channels of communication for documentation, training, support, and reporting.

The Sonatype Definitive Guides can help you educate the basics to your team

The Sonatype self-guided Learning Portal is available for anyone from your organization and access is managed by your admins.

Customer Success Engineers have tested reporting tools for generating executive business reviews.

The Sonatype Developer Relationship team publishes regular articles to keep your teams informed about important trends.

Regardless of how you start with Lifecycle, full integration with your CI/CD tools should be a goal for every deployment, regardless of your organization's size, business goals, and maturity.

Good CI/CD integration produces the highest accuracy scans, enables automatic enforcement actions, and ensures that your in-development apps are scanned regularly.

The CI/CD process is the heart of modern software development, and its efficacy probably affects every part of your development process.

Give your Operations team the time and budget necessary to make a stable, successful integration their priority.

Tools that are time-consuming to access will go unused, so it's in your best interests to make logging into Lifecycle quick and painless.

Don't delay in setting up LDAP/SAML for IQ Server, and then test thoroughly.

In the ideal scenario, IQ Server roles and permissions will map to your LDAP users and groups.

User access can most easily scale when aligned with your existing LDAP or Active Directory.

Start with the inbuilt roles to follow the principle of least privilege.

Notifications can alert stakeholders to new and severe risks in their apps.

Your exact notification configuration will depend on your organization's needs and maturity, but at least turn on notifications for severity levels 9 and 10 violations.

Avoid creating noise by only notifying the stakeholders who are responsible for addressing risk.

And be sure that notifications are going someplace they'll be seen – if no one checks their email, then sending notifications by email won't be effective.

Vulnerabilities with a CVSS score of 9 or 10 pose a serious risk and should be prioritized

Aggregate all the violations for one component into a single ticket

Often upgrading the component will remediate multiple issues at once

Lifecycle results are precise and will not include false positives from other tools

Aggregating the results will create noise for your developers to filter or ignore

Failover checks on the availability of the service using the health check API endpoint

Tracking user activity and server performance of the server using the metrics API endpoint

Monitor the performance of High Availability deployments

Monitor the disk usage to avoid the critical issue of running out of space

Configure data retention policies to purge old scans and reports

Periodically delete the contents of the trash directory to reclaim used space

Modify the log retention from the config.yml

Backup and archive server logs based on your retention policies

Audit access controls with the audit log

Running daily scans on hundreds or thousands of applications can consume a significant amount of space

By default, IQ Server purges after 3 months for early scans and 10 years for scans that occur later in an app's lifetime

Continuous Monitoring scans can be cleaned up after 30 days.

Scan files are deleted when the next scan for the same application happens.

The latest files are retained for Continuous Monitoring however older scans may be needed for Scan Promotion.

Setting the purgeScanFiles property to withReports will keep a copy around until their corresponding reports are cleaned.

We recommend backing up the IQ Server at least once a week up to daily

The IQ Server data retention task will move scan reports to a trash directory.

Clean this directory to recover server space.

Include as a step in your regular backup process.

Sonatype frequently releases new versions of the IQ Server as functionality becomes available.

These include performance improvements as well as security and bug fixes.

We recommend upgrading at a minimum of once a quarter (90 days).

Using N-1 version in your production environment limits risk and ensures you're using a stable version of IQ Server.

Using the latest in your test environment allows you to try out new features and identify better workflows.

New releases of IQ Server depend on changes to our scanners embedded in your build environments.

Review the Downloads and Compatibilities page for integration upgrades.

Command Line Scanner (CLI) is found within the IQ Server download archive