Nexus Lifecycle Champion Workshop

Course Overview

The Nexus Lifecycle Champion Workshop (Nexus Lifecycle was formerly known as Component Lifecycle Management, or CLM) provides an in-depth review of deployment strategies, policy maintenance, risk mitigation, and socializing adoption. The one-day workshop is strategic in focus: it covers deciding how to deploy Nexus Lifecycle and ensure your teams adopt it, enforcing policies and resolving violations, and understanding how risk is reported.

Key accomplishments:

  • Identify deployment strategy
  • Review approaches to ongoing enforcement
  • Develop proficiencies in policy violation resolution
  • Understand reporting on application and enterprise-wide risk
  • Develop a strategy for socializing Nexus Lifecycle adoption

Recommended for:

Ideal for anyone involved in policy creation and management. This typically includes open source review board members, application security staff, architects, and the legal/compliance team.

Related Product:

Nexus Lifecycle (formerly Component Lifecycle Management - CLM)

Detailed Nexus Lifecycle Champion Workshop Outline

Module I: Review Policy Violations

  • Confirm efficacy of existing policies
  • Adjust policies to reflect new requirements as necessary

Module II: Security Defect Remediation Workflow

  • Understand the types of security issues
  • Design triage and remediation workflows to handle each type of security issue
  • Determine when a security issue requires further research versus a policy waiver

Module III: License Threat Remediation Workflow

  • Understand how license threat level is assessed
  • Design triage and remediation workflows to address license risk
  • Determine when to accept license risk versus selecting a less risky component

Module IV: Component Triage

  • Handling "similar match" findings
  • Identifying proprietary components
  • Claiming unknown components

Module V: Targeted Reporting

  • Discussion of report sources (command line, server)
  • Discussion of roll-up dashboard report and metrics
  • Verify that the appropriate personas are notified of security violations and of license violations, respectively

Module VI: Long Term Expectations & Adoption Plans

  • Encouraging – not forcing – developer adoption of Nexus Lifecycle
  • Effectively balancing, communicating, and meeting the needs of Development, Operations, and Security
  • Maintaining a Nexus Lifecycle deployment scalable for future needs

Module VII: Beyond Policy

  • Minimizing "noise" whilst still maintaining your organization’s risk tolerance threshold
  • Consider where good component practice can be employed even in the absence of a policy violation
  • Define communications process for issues where no obvious path forward exists

Module VIII: Summary

  • Review any outstanding questions
  • Develop plan to leverage Sonatype resources for ongoing success
