Onboarding Applications Best Practices

Which onboarding method to use depends on a rough idea of how many applications are in your total inventory.

No. of Apps    Method                            Details
< 50           Manually onboard
< 500          Automatic Application Creation
> 500          Onboarding Scripts (REST API)
any            Easy SCM Onboarding
any            Config-as-Code project

Manually Onboard

Add applications using the Organizations and Applications menu of the IQ Server user interface (UI).

  • Recommended for a limited (<50) number of applications
  • Great for testing and pilot teams
  • Not an effective long-term strategy
  • Common for third-party software and legacy code
  • Application ids and names will need to be unique
  • Consider using an onboarding script if you already have a complete list

Potential Pitfalls:

  • Manually adding applications can be slow.
  • Does not scale.
  • Easy to make mistakes:
    • Avoid duplicating application ids when using a build configuration template
    • Noisy notifications and faulty metrics
    • May break remediation waivers

Automatic Application Creation

Configure IQ Server to create an application automatically when a scan is submitted with an application public ID that does not yet exist.

  • Applications are automatically added to a default organization.
    • The default organization may be configured in the UI.
  • Recommended for applications that would need to be onboarded over time.
  • Application Categories will need to be manually set.

Recommendations:

  • Assign someone to review in a holding organization
    • assign Application Categories
    • move to the correct organization
    • rename the applications to something more human recognizable
  • Not recommended for confidential applications.

Pitfalls:

  • Very easy to create new applications unintentionally
  • Currently cannot track the scan back to the source
  • Only a single default organization
  • The scan may not have the correct policy
  • Access controls may not be set correctly
  • Notifications may be sent to the wrong people

Onboarding through Source Control Managers

Easy SCM Onboarding lets you select applications to onboard through a point-and-click menu in the UI.

  • Scans are run against the source code.
  • Scanners will look for dependency lock files as well as binaries.
  • Looks for common language-specific patterns.
  • Review the analysis documentation for details.

Pitfalls:

  • Manifest scanning does not provide a complete risk analysis of your built application.
  • A complete scan will still need to be added during the build process.

Onboarding Scripts (REST API)

Use the REST API to create and configure applications ahead of time or in real time.

  • Directly integrate into your application management systems
  • Recommended for a large number of applications or self-service growth
  • Match to your internal systems using ids, application names, and existing groups
  • The Lifecycle license is limited to onboarding 5000 applications
    • This is to keep scripts from overloading the system
    • Talk with your account team to raise the cap

Pitfalls:

  • DO NOT test onboarding scripts in production; start with a backup.
  • Major deployments are challenging to roll back or correct.
  • Fully test scripts in a development environment before production.
  • Monitor systems for irregularities and stability.
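As an added example (not Sonatype's code, and not part of the original page), the skeleton of an onboarding script that follows the points above: it validates the inventory before touching the server, refuses duplicate ids and inventories over the cap, never overwrites an application that already exists, and runs as a dry run unless told otherwise. It assumes the IQ Server v2 application endpoints (GET /api/v2/applications?publicId=... and POST /api/v2/applications with publicId, name and organizationId), basic-auth credentials, and a constructed CSV inventory in which ORG-ID-PLACEHOLDER stands in for a real organization id.

```python
import base64, csv, io, json, urllib.parse, urllib.request

def parse_inventory(csv_text, cap=5000):
    """Parse a CSV inventory (publicId,name,organizationId); fail fast on an empty or
    duplicate publicId, or on more rows than the licence cap the page mentions."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if len(rows) > cap:
        raise ValueError(f"{len(rows)} applications exceeds the cap of {cap}")
    apps = {}  # keyed by publicId so duplicates are caught before any API call
    for row in rows:
        app = {k: (row.get(k) or "").strip() for k in ("publicId", "name", "organizationId")}
        if not app["publicId"] or app["publicId"] in apps:
            raise ValueError(f"empty or duplicate publicId: {app['publicId']!r}")
        app["name"] = app["name"] or app["publicId"]  # name defaults to the id
        apps[app["publicId"]] = app
    return list(apps.values())

def plan_onboarding(apps, existing_ids):
    """Split the inventory into apps to create and ids already on the server (skipped, never overwritten)."""
    create = [a for a in apps if a["publicId"] not in existing_ids]
    skip = [a["publicId"] for a in apps if a["publicId"] in existing_ids]
    return create, skip

class IqClient:
    """Minimal basic-auth client for the IQ Server v2 application endpoints (assumed, see lead-in)."""
    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        self.auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    def _call(self, method, path, body=None):
        req = urllib.request.Request(self.base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Basic " + self.auth, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    def exists(self, public_id):  # GET /api/v2/applications?publicId=<id>
        q = urllib.parse.urlencode({"publicId": public_id})
        return bool(self._call("GET", f"/api/v2/applications?{q}").get("applications"))
    def create(self, app):  # POST /api/v2/applications with {publicId, name, organizationId}
        return self._call("POST", "/api/v2/applications", app)

def onboard(client, apps, dry_run=True):
    """Dry run by default: returns (ids to create, ids skipped) without creating anything."""
    create, skip = plan_onboarding(apps, {a["publicId"] for a in apps if client.exists(a["publicId"])})
    if not dry_run:  # only after rehearsing against a non-production IQ Server
        for app in create:
            client.create(app)
    return [a["publicId"] for a in create], skip

SAMPLE_CSV = ("publicId,name,organizationId\npayments-api,Payments API,ORG-ID-PLACEHOLDER\n"
              "web-portal,,ORG-ID-PLACEHOLDER\n")  # constructed sample; placeholder organization id
```

A rehearsal is `onboard(IqClient("https://iq.example.test", user, password), parse_inventory(open("inventory.csv").read()))`, which reports what would be created against a development instance without creating anything.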

Config-as-Code Tool

  • Config-as-Code is the DevOps principle of treating configuration resources like versioned artifacts.
  • Configuration is checked into source control, assigned a version, and associated with versioned builds.
  • This config-as-code tool is a Python script that captures IQ Server’s configuration as a JSON file.
  • That JSON file is applied to other IQ Server instances to set the same configuration.
  • The templates under iq-config-as-code/onboarding/templates can help new users prepare their first IQ Server.

This tool is not officially supported by Sonatype.

Recommendations

  • Be sure to version your scraped .json files appropriately.
  • Debugging is limited, so it will be easy to make mistakes.
  • Avoid editing the template .json files if you are not familiar with scripting.
  • Start with test environments before connecting to a production instance.

Pitfalls

  • The apply command completely overwrites your IQ Server’s configuration with the data in the target .json file.
  • Be cautious when applying new configurations, and scrape your existing configuration as a backup.
  • This tool makes it easy for misconfigurations to propagate.
  • Version your scraped configurations so that you can track changes and recover from misconfigurations.
