Onboarding Applications Best Practices
How you onboard applications depends on the rough size of your total application inventory.
No. of Apps | Method | Details
---|---|---
< 50 | Manually onboard |
< 500 | Automatic Application Creation |
> 500 | Onboarding Scripts (REST API) |
any | Easy SCM Onboarding |
any | Config-as-Code project |
Manually Onboard
Add applications using the Organizations and Applications menu of the IQ Server user interface (UI).
Recommended for a limited (<50) number of applications
Great for testing and pilot teams
Not an effective long-term strategy
Common for third-party software and legacy code
Application IDs and names must be unique
Consider using an onboarding script if you already have a complete list
Potential Pitfalls:
Manually adding applications can be slow.
Does not scale.
Easy to make mistakes:
Avoid duplicating application ids when using a build configuration template
Noisy notifications and faulty metrics
May break remediation waivers
Automatic Application Creation
Configure IQ Server to create an application automatically when a scan is submitted with a public ID that does not yet exist.
Applications are automatically added to a default organization.
The default organization may be configured in the UI.
Recommended when applications are onboarded gradually over time.
Application Categories will need to be manually set.
Recommendations:
Assign someone to review new applications in a holding organization and to:
Assign Application Categories
Move each application to the correct organization
Rename the applications to something more human-recognizable
Not recommended for confidential applications.
Pitfalls:
Very easy to create new applications unintentionally
Currently cannot track the scan back to the source
Only a single default organization
The scan may not have the correct policy
Access controls may not be set correctly
Notifications may be sent to the wrong people
Onboarding through Source Control Managers
Easy SCM Onboarding lets you select applications to onboard through a point-and-click menu in the UI.
Scans are run against the source code.
Scanners look for dependency lock files as well as binaries, using common language-specific file patterns.
Review the analysis documentation for details.
Pitfalls:
Manifest scanning does not provide a complete risk analysis of your built application.
A complete scan will still need to be added during the build process.
Onboarding Scripts (REST API)
Use the REST API to create applications ahead of time or in real time.
Directly integrate into your application management systems
Recommended for a large number of applications or self-service growth
Map applications to your internal systems using IDs, application names, and existing groups
Pitfalls:
DO NOT test onboarding scripts in production; start with a backup.
Major deployments are challenging to roll back or correct.
Fully test scripts in a development environment before production.
Monitor systems for irregularities and stability.
Resources:
Onboarding Organizations - python script
Adding Applications - python script
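The following is an added example of an onboarding script, not one of the Sonatype scripts linked above. It separates the planning step (which is pure and can be unit-tested) from the REST calls, so the same inventory can be dry-run in a development environment before anything is created, and it refuses to re-create applications whose public ID already exists or is duplicated in the inventory. It assumes the IQ Server v2 endpoints GET /api/v2/applications (returning an "applications" array) and POST /api/v2/applications with a publicId/name/organizationId body, plus HTTP basic auth; confirm these against your server's API documentation.

```python
import json
import urllib.request
from base64 import b64encode


def plan_onboarding(inventory, existing_public_ids):
    """Return (create_payloads, problems) for an inventory of
    {"publicId", "name", "organizationId"} dicts.  Public IDs duplicated
    inside the inventory or already present on the server are reported
    as problems and never sent to the server."""
    seen, payloads, problems = set(), [], []
    for app in inventory:
        pid = app["publicId"]
        if pid in seen:
            problems.append(f"duplicate publicId in inventory: {pid}")
            continue
        seen.add(pid)
        if pid in existing_public_ids:
            problems.append(f"already onboarded, skipping: {pid}")
            continue
        payloads.append({"publicId": pid, "name": app["name"],
                         "organizationId": app["organizationId"]})
    return payloads, problems


def iq_request(base_url, user_pass, method, path, body=None):
    """Minimal authenticated JSON call to IQ Server (assumed v2 REST API)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization",
                   "Basic " + b64encode(user_pass.encode()).decode())
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def onboard(base_url, user_pass, inventory, dry_run=True):
    """Create the missing applications; with dry_run=True only report the plan."""
    current = iq_request(base_url, user_pass, "GET", "/api/v2/applications")
    existing = {a["publicId"] for a in current["applications"]}
    payloads, problems = plan_onboarding(inventory, existing)
    for problem in problems:
        print("WARN", problem)
    for payload in payloads:
        if dry_run:
            print("DRY-RUN would create", payload["publicId"])
        else:
            iq_request(base_url, user_pass, "POST", "/api/v2/applications", payload)
    return payloads, problems
```

Run `onboard(...)` with the default `dry_run=True` against a development instance first; the printed plan is what a production run would create.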
Config-as-Code Tool
Config-as-Code is the DevOps principle of treating configuration resources like versioned artifacts.
Configuration is checked into source control, assigned a version, and associated with versioned builds.
This config-as-code tool is a Python script that captures IQ Server's configuration as JSON.
This JSON is applied to other IQ Server instances to set the same configuration.
The templates in iq-config-as-code/onboarding/templates can help new users prepare their first IQ Server.
Note
This tool is not officially supported by Sonatype.
Recommendations
Be sure to version your scraped .json files appropriately.
Debugging is limited, so it will be easy to make mistakes.
Avoid editing the template .json files if you are not familiar with scripting.
Start with test environments before connecting to a production instance.
Pitfalls
The apply command completely overwrites your IQ Server’s configuration with the data in the target .json file.
Be cautious when applying new configurations, and scrape your existing configuration as a backup.
This tool makes it easy for misconfigurations to propagate.
Version your scraped configurations so that you can track changes and recover from misconfigurations.