IQ for Developers 101 - Organizational Policies
This course describes organizational policies in IQ Server, and how they are used to determine and report vulnerabilities in your Open Source Software (OSS) components.
By the end of this course, you will be able to:
Differentiate between four main types of policies in Nexus IQ
Define various matches that result from the “other” policy type
Interpret each element of a policy
Describe the sections of the Application Composition Report
Define the sections of the Summary tab
Describe the data in the Policy Violations tab
The target audience for this course includes developers, software engineers, and anyone who wants to learn more about how to interpret IQ server policies and the vulnerabilities detected by them.
There are no system requirements for this course. However, if you wish to learn more about the system requirements for using Nexus IQ, that is documented here:
For the purpose of this course, we will discuss IQ Server’s set of reference policies, which are the ‘out-of-box’ policies. While these out-of-box policies are very good and many of our customers use them as-is, other organizations create their own policies. Your organization may have policies other than those covered in this course. Consult your legal team.
Questions for Reflection
Complete the following activity. There are no right or wrong answers, just a few questions for reflection before you learn more about the benefits of IQ Server.
1. In your current process, what are some of the defined traits of a bad component? How do you know the level of risk involved with that component?
2. What types of vulnerabilities should you avoid when selecting OSS components?
3. Do you currently have a streamlined process for constant monitoring of open source vulnerabilities in your applications?
If not, what are some ways that might benefit you and your organization?
If so, how might that be improved for faster, more accurate notification?