Onboarding Applications Best Practices
The right onboarding method depends on a rough estimate of your total application inventory.
| No. of Apps | Method | Details |
|---|---|---|
| < 50 | Manually onboard | |
| < 500 | Automatic Application Creation | |
| > 500 | Onboarding Scripts (REST API) | |
| any | Easy SCM Onboarding | |
| any | Config-as-Code project | |
Manually Onboard
Add applications using the Organizations and Applications menu of the IQ Server user interface (UI).
- Recommended for a limited (<50) number of applications
- Great for testing and pilot teams
- Not an effective long-term strategy
- Common for third-party software and legacy code
- Application IDs and names must be unique
- Consider using an onboarding script if you already have a complete list
Potential Pitfalls:
- Manually adding applications can be slow.
- Does not scale.
- Easy to make mistakes:
  - Avoid duplicating application IDs when using a build configuration template
  - Noisy notifications and faulty metrics
  - May break remediation waivers
Automatic Application Creation
Configure IQ Server to create an application automatically when a scan is submitted with a public ID that does not yet exist.
- Applications are automatically added to a default organization.
- The default organization may be configured in the UI.
- Recommended when applications will be onboarded gradually over time.
- Application Categories will need to be manually set.
Recommendations:
- Assign someone to review new applications in a holding organization
  - assign Application Categories
  - move each application to the correct organization
  - rename the applications to something more human-recognizable
- Not recommended for confidential applications.
Pitfalls:
- Very easy to create new applications unintentionally
- Currently cannot track the scan back to the source
- Only a single default organization
- The scan may not have the correct policy
- Access controls may not be set correctly
- Notifications may be sent to the wrong people
Onboarding through Source Control Managers
Easy SCM Onboarding lets you select applications to onboard through a point-and-click menu in the UI.
- Scans are run against the source code.
- Scanners will look for dependency lock files as well as binaries.
- Looks for common language-specific patterns.
- Review the analysis documentation for details.
Pitfalls:
- Manifest scanning does not provide a complete risk analysis of your built application.
- A complete scan will still need to be added during the build process.
Onboarding Scripts (REST API)
Use the REST API to create applications ahead of time or on demand.
- Directly integrate into your application management systems
- Recommended for a large number of applications or self-service growth
- Match to your internal systems using IDs, application names, and existing groups
- The Lifecycle license is limited to onboarding 5000 applications
  - This is to keep scripts from overloading the system
  - Talk with your account team to raise the cap
Pitfalls:
- DO NOT test onboarding scripts in production; start with a backup.
- Major deployments are challenging to roll back or correct.
- Fully test scripts in a development environment before production.
- Monitor systems for irregularities and stability.
Resources:
- Onboarding Organizations - Python script
- Adding Applications - Python script
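The pitfalls above (duplicate IDs, no easy rollback) argue for an idempotent, dry-run-first script. The following is an added example, not one of the linked Sonatype scripts: it plans which applications to create by comparing an inventory against the public IDs already on the server, then posts only the missing ones. It assumes the `/api/v2/applications` GET and POST endpoints with a Basic-auth credential; the CSV rows and `ORG_ID_PLACEHOLDER` are constructed sample values.

```python
"""Idempotent IQ Server application onboarding (added example)."""
import csv
import io
import json
import urllib.request

# Constructed sample inventory (publicId,name,organizationId). The second
# row deliberately repeats a public ID to show duplicate handling.
SAMPLE_INVENTORY = """publicId,name,organizationId
payments-api,Payments API,ORG_ID_PLACEHOLDER
payments-api,Payments API (duplicate row),ORG_ID_PLACEHOLDER
inventory-svc,Inventory Service,ORG_ID_PLACEHOLDER
"""


def parse_inventory(text):
    """Parse a CSV export from an internal application registry."""
    return list(csv.DictReader(io.StringIO(text)))


def plan_onboarding(inventory, existing_public_ids):
    """Return (to_create, skipped). Applications already on the server and
    repeated public IDs within the inventory are skipped, so re-running the
    script never creates duplicates."""
    seen = set(existing_public_ids)
    to_create, skipped = [], []
    for app in inventory:
        pid = app["publicId"]
        if pid in seen:
            skipped.append(pid)
            continue
        seen.add(pid)
        to_create.append(app)
    return to_create, skipped


def list_existing_public_ids(base_url, basic_credential):
    """GET /api/v2/applications returns {"applications": [...]}."""
    req = urllib.request.Request(f"{base_url}/api/v2/applications",
                                 headers={"Authorization": f"Basic {basic_credential}"})
    with urllib.request.urlopen(req) as resp:
        return {a["publicId"] for a in json.load(resp)["applications"]}


def create_application(base_url, basic_credential, app, dry_run=True):
    """POST /api/v2/applications; with dry_run the request body is returned
    instead of being sent, so the plan can be reviewed before production."""
    body = {"publicId": app["publicId"], "name": app["name"],
            "organizationId": app["organizationId"]}
    if dry_run:
        return body
    req = urllib.request.Request(
        f"{base_url}/api/v2/applications", data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {basic_credential}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run against a development instance first with `dry_run=True`, and only switch to `dry_run=False` once the planned list matches the inventory you expect.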
Config-as-Code Tool
- Config-as-Code is the DevOps principle of treating configuration resources like versioned artifacts.
- Configuration is checked into source control, assigned a version, and associated with versioned builds.
- This config-as-code tool is a Python script that captures IQ Server's configuration as a JSON file.
- This JSON file is applied to other IQ Server instances to set the same configuration.
- The templates in `iq-config-as-code/onboarding/templates` can help new users prepare their first IQ Server.
This tool is not officially supported by Sonatype.
Recommendations
- Be sure to version your scraped .json files appropriately.
- Debugging is limited, so it will be easy to make mistakes.
- Avoid editing the template .json files if you are not familiar with scripting.
- Start with test environments before connecting to a production instance.
Pitfalls
- The `apply` command completely overwrites your IQ Server's configuration with the data in the target .json file.
- Be cautious when applying new configurations, and scrape your existing configuration as a backup.
- This tool makes it easy for misconfigurations to propagate.
- Version your scraped configurations so that you can track changes and recover from misconfigurations.