IQ for Developers 100 - Foundations

Overview


Goals

This course describes "What's In It For Me?” and ”Where Do I Fit In?" for developers using Nexus IQ. At the end of this course, developers using Nexus IQ will be able to communicate its benefits for various roles in the organization, know where they fit into the Nexus IQ policy process, and understand how that improves the quality and security of their work.

Learning Objectives

By the end of this course, you will be able to:

  • Identify risks and vulnerabilities in using open source software and ways to mitigate those risks

  • Articulate the benefits of using Nexus IQ

  • Describe where the developer fits into the Nexus IQ policy process

  • Define what is a policy

  • Recognize when remediation is required

Prerequisites

There are no required prerequisites.

Target Audience

The primary audience for this course includes software developers/engineers new to Nexus IQ, but a secondary audience could include anyone who wants to learn more about how Nexus IQ might benefit your organization.

System Requirements

There are no system requirements for this course. However, if you wish to learn more about the system requirements for using Nexus IQ, that is documented here:

https://help.sonatype.com/iqserver/product-information/system-requirements

Setting Expectations

We will discuss the foundations of using Nexus IQ. We will touch on, but not take a deep dive into, the following topics:

  • How to use the Nexus IQ Server application

  • How to triage and remediate issues

As these topics are critical aspects of Nexus IQ, they are covered in greater detail in separate courses of the Nexus IQ Track. There are three solutions/licenses that unlock various features. For the sake of this course, we will refer to features as either Nexus IQ Server or Nexus IQ.

Refer to our Glossary for more information on any of the terms used throughout this course.


Questions for Reflection

Complete the following activity. There are no right or wrong answers, just a few questions for reflection before you learn more about the benefits of Nexus IQ.

Activity:

  1. In your current process, how do you discover vulnerabilities in the components you select?

  2. Where in your software development process does this discovery occur?

    • At build

    • During testing

    • During release to production

    • Other (list those here)

  3. In your current development process, how easy is it for you to know:

    • Who downloaded the component?

    • Who authorized the component for use?

    • Where is the component in the application(s)?

  4. Do you know if the Open Source Software (OSS) components you use to build your software are secure? Do those components have direct and/or transitive dependencies?

  5. Are you still using the OSS component that you used years ago when you first developed your product? Is it time for a better component selection? Have you taken into account the security and legal risks that you take when you incorporate components?

  6. Do you understand your license obligations in light of your OSS component selection?