IQ for Developers 100 - Foundations
This course describes "What's In It For Me?" and "Where Do I Fit In?" for developers using Nexus IQ. At the end of this course, developers using Nexus IQ will be able to communicate its benefits for various roles in the organization, know where they fit into the Nexus IQ policy process, and understand how that improves the quality and security of their work.
By the end of this course, you will be able to:
Identify risks and vulnerabilities in using open source software and ways to mitigate those risks
Articulate the benefits of using Nexus IQ
Describe where the developer fits into the Nexus IQ policy process
Define what a policy is
Recognize when remediation is required
There are no required prerequisites.
The primary audience for this course includes software developers/engineers new to Nexus IQ, but a secondary audience could include anyone who wants to learn more about how Nexus IQ might benefit their organization.
There are no system requirements for this course. However, if you wish to learn more about the system requirements for using Nexus IQ, that is documented here:
We will discuss the foundations of using Nexus IQ. We will touch on, but not take a deep dive into, the following topics:
How to use the Nexus IQ Server application
How to triage and remediate issues
As these topics are critical aspects of Nexus IQ, they are covered in greater detail in separate courses of the Nexus IQ Track.
There are three solutions/licenses that unlock various features. For the purposes of this course, we will refer to features as either Nexus IQ Server or Nexus IQ.
Refer to our Glossary for more information on any of the terms used throughout this course.
Questions for Reflection
Complete the following activity. There are no right or wrong answers, just a few questions for reflection before you learn more about the benefits of Nexus IQ.
1. In your current process, how do you discover vulnerabilities in the components you select?
2. Where in your software development process does this discovery occur?
During release to production
Other (List those here)
3. In your current development process, how easy is it for you to know:
Who downloaded the component?
Who authorized the component for use?
Where is the component in the application(s)?
4. Do you know if the Open Source Software (OSS) components you use to build your software are secure? Do those components have direct and/or transitive dependencies?
5. Are you still using the OSS component that you used years ago when you first developed your product? Is it time for a better component selection? Have you taken into account the security and legal risks that you take when you incorporate components?
6. Do you understand your license obligations in light of your OSS component selection?