NexusIQ Development Security
DevSecOps, a blend of development, security, and operations, is all about integrating security into every stage of the IT lifecycle. Simply put, it’s about making security everyone’s responsibility from the beginning, without slowing down the DevOps workflow.
In this post, we won’t delve into the nitty-gritty of DevSecOps; instead, we’ll focus on how we bring security into our pipelines to prevent potential breaches. If you want a more detailed understanding of DevSecOps, check out this blog by Red Hat: What is DevSecOps.
Securing Development with NexusIQ and Nexus Repository
Let’s talk about two essential tools in our CI/CD pipelines: NexusIQ and Nexus Repository. NexusIQ is the tool that identifies security and quality issues early in the development cycle by scanning project dependencies for known vulnerabilities. On the other hand, Nexus Repository is a storage manager for build artifacts and dependencies.
In our CI/CD pipeline, when code is committed, the build system retrieves necessary dependencies from Nexus Repository, builds the application, and then stores the built artifact back in the repository for deployment.

We’ve established a set of application policies across different projects. Additionally, for numerous open-source libraries/packages, Sonatype employs its built-in intelligence to identify and address policy violations.
I encourage you to explore the official documentation for a more profound insight into the product.
A Success Story with NexusIQ
Here’s a practical example of how we benefited from these tools. Some platform users reported pipelines failing because of policy violations raised against frameworks their projects required. Upon investigating with NexusIQ, we discovered that Moq, a popular mocking framework for .NET applications, was quietly collecting data in versions above 4.18.4.

To prevent this data collection from spreading into multiple projects, NexusIQ promptly blocked all versions of Moq above 4.18.4. This simple action helped us maintain the integrity of company projects and ensure a more secure development environment.
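As an added illustration, not code from this post or from Sonatype, here is a small Python pre-check that expresses the same rule as a local dependency gate over a .NET project file, so a developer can see the violation before the pipeline does. The policy dictionary, the function names and the sample project file are assumptions and constructed input.

```python
# Added example: a local dependency-policy check for .NET project files that
# mirrors the rule NexusIQ enforced here (Moq versions above 4.18.4 blocked).
# Not Sonatype code; the policy format and names below are assumptions.
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed policy format: package id -> highest version still allowed.
BLOCK_ABOVE: Dict[str, str] = {"Moq": "4.18.4"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.20.1' into (4, 20, 1). Pre-release suffixes are dropped;
    NuGet version ranges such as '[4.0,5.0)' are out of scope here."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def package_references(csproj_xml: str) -> List[Tuple[str, str]]:
    """Return (PackageId, Version) pairs from a .csproj document.
    Namespaced (legacy) project files are handled by ignoring the namespace."""
    root = ET.fromstring(csproj_xml)
    refs = []
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg, ver = node.get("Include"), node.get("Version")
        if pkg and ver:  # Version given as a child element is not handled
            refs.append((pkg, ver))
    return refs


def policy_violations(csproj_xml: str, policy=BLOCK_ABOVE) -> List[str]:
    """List readable violations; an empty list means the build may proceed."""
    violations = []
    for pkg, ver in package_references(csproj_xml):
        ceiling = policy.get(pkg)
        if ceiling and parse_version(ver) > parse_version(ceiling):
            violations.append(f"{pkg} {ver} is above allowed maximum {ceiling}")
    return violations


# Constructed sample project file, not taken from the original post.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="4.20.1" />
    <PackageReference Include="xunit" Version="2.4.2" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for v in policy_violations(SAMPLE_CSPROJ):
        print("POLICY VIOLATION:", v)
```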
