Sonatype Lifecycle
Automation has strengthened devsecops and has enabled faster secure releases
What is our primary use case?
Sonatype Lifecycle is basically a central use case for scanning applications in the CI/CD for vulnerabilities or non-compliant open-source dependencies and enforces policy across the dev lifecycle. It is reactive, continuous monitoring of what's already in your application. This is the benefit of it.
What is most valuable?
The benefits or features that I appreciate about Sonatype Lifecycle are that it is reactive and it supports CI/CD. There is early detection, so it will flag the vulnerabilities in the open-source dependencies straight away. Also, if you have the policies, it will automate the enforcement for you. If you have severity thresholds or you define something, it enforces them automatically in the CI/CD builds.
There is also the remediation guidance. It will give you the best version to upgrade to. It will not just flag that there is a CVE, but it will also give you recommendations on what version you need to fix to. Continuous monitoring is another benefit.
The reporting, audit and reporting is also valuable. In the dashboard, you will see the application risks reports, and security teams will look at and see what's happening with certain applications. In a nutshell, it enables faster releases and lower security exposure.
If we add Sonatype Lifecycle for Azure, it works for pipelines, and it allows you to run pipelines in the environment. You will have CI/CD, continuous integration, continuous development. People will have faster results. Instead of having DevOps, we have DevSecOps because of this. It improves security and allows teams to have security shift left from the beginning, instead of just leaving it at the end to find out this open-source library is insecure or having to rewrite the code in other ways or reuse a different library.
Sometimes changing those libraries or open-source requires a rewrite. I remember one time we had a vulnerability of some Java, and the solution was to use another Java. Using that another Java forced the developer to rewrite many components because there was a huge difference. This helps identify issues fast instead of waiting until the end to find out it is vulnerable and having to make changes.
What needs improvement?
The areas for improvement in Sonatype Lifecycle could be the UI. There is way to improve it as it has many tabs and nested sections. Sometimes when you look for something, if you are new to this, it might take you a little to get your head around things. This is something I feel they can simplify.
Also, the policy configuration is powerful, but at the same time, there is a steep learning curve. You need to make sure that you configure it correctly. You do not want to configure it in a way that blocks things.
If they improve the reporting, the UI, and the user experience, it would be beneficial. The design could be improved. If they add certain features and make it simple for the security analyst and to the user as well, it would help. Sometimes you have to look for many things to find a button that does something specific. They can do a good job fixing this.
Also, in the waiver management, it currently does not send notification. If some developer raises a waiver or adds a waiver to some component, we will not be notified. I have to go to the system to find out. This can be improved.
For how long have I used the solution?
I do not have specific information about how many years I have been aware of Sonatype Lifecycle. Probably since I am aware, maybe four or five years. I could be wrong, but this is as far as I remember.
What do I think about the stability of the solution?
It is very, very stable. I hardly had any issue with it going down or something.
What do I think about the scalability of the solution?
I think it is scalable, but being costly will make you revise what you want to do. If you have an expensive tool, you want it to work the bare minimum to cover the environment. It covers all our environment. I do not see any problem with the scalability.
How are customer service and support?
I would give the same support rating for Sonatype Lifecycle as previous products. They are the same people.
Which solution did I use previously and why did I switch?
I have not used or compared Sonatype Lifecycle to any similar products. Maybe there were tools in the past, but I was not here. This is the only thing I know.
How was the initial setup?
We did not run the installers ourselves for the installation and deployment process of Sonatype Lifecycle. We are two teams and we have another team who do the administration, the installation, and the patching. We are more from the security side. We are the policy administrators. Another team handles the installation and setup. I am not aware of any problems. We have the support from the vendor themselves, and sometimes if they need help, they get the help.
What about the implementation team?
Some developers did integrate Sonatype Lifecycle with CI/CD tools, but I am not aware of the details. I know they tried something. We use Azure DevOps mainly.
What was our ROI?
I really do not know how to quantify time or money savings from using Sonatype Lifecycle. For me to answer this, I need to be aware of everything. There are some savings, but I do not know how much. I cannot state it.
What's my experience with pricing, setup cost, and licensing?
It is expensive. It is one of the pricier SCA tools in the market. You license their developer application, and it can be expensive at scale. If you want to scale, you just need to pay more. For us, we have the IQ Server and we have the firewall, which is already another separate license. So to have all together, it is an expensive environment to run, honestly speaking. If they can do something about that, it would be beneficial.
What other advice do I have?
Automation of policy enforcement impacts my development process. You can build it in a way that stops the CI/CD itself if a library has a vulnerability or certain severity. You can be specific about things that stop the pipeline or if it has vulnerabilities or certain conditions. This helps a lot for creating security policies around applications.
Component health is very important. We can always see the health of the open-source component. It shows if it is vulnerable or not, what is the severity, is it banned, is it standard, is it not standard. The health is the same as when you say severity of something. Is it okay to be used or not?
I gave this product a review rating of 8 out of 10. Although Sonatype Lifecycle is one of the most expensive solutions at a rating of 10 for cost, it is worth the investment in certain areas. The time savings is significant because it allows the CI/CD to be more productive. Security adds complexity to development. If you develop alone, that would be different than developing with security in mind. This will ease the part of security because not everyone is aware of all security. Sometimes developers may know how to code, but they do not know how to code securely. This will save them time and provide hints and alarms. It speeds the process of adopting to security and adopting to DevSecOps. It also protects the environment because you sometimes pay for something that is valuable to secure it. In these areas, it is worth the buying, although it is costly.
Integrated DevSecOps has enabled earlier risk detection and reduced remediation effort
What is our primary use case?
I have used Sonatype Lifecycle for one year, primarily as a part of DevSecOps and software composition analysis initiatives focused on my application security project, which involves identifying and managing open-source dependencies risks within application environments.
For Sonatype Lifecycle, I actually use it for two purposes in application security: security composition analysis (SCA) and Static Application Security Testing (SAST), with the intention to identify code-level vulnerabilities when developers write any code, allowing me to scan the code, prioritize vulnerabilities, and fix those areas to reduce overall application risks.
Before using Sonatype Lifecycle, I used to get vulnerabilities in the deployment phase, also known as Dynamic Application Security Testing (DAST), but after implementing Sonatype Lifecycle, it adds an additional security layer by allowing me to conduct SAST and SCA scans early in the coding phase, enabling me to prioritize and remediate vulnerabilities as soon as possible, which reduces time and effort.
What is most valuable?
In my opinion, the strongest feature of Sonatype Lifecycle is its ability to provide continuous visibility and governance over open-source dependencies throughout the software development lifecycle, with the most standout aspect being its effective integration of security directly into DevSecOps workflows instead of treating security as a separate, post-development activity.
The policy-based governance and vulnerable component rejection capabilities are tremendously valuable for my team because they shifted security enforcement earlier in the lifecycle. For example, I configured policies to flag or block builds with open-source components with critical vulnerabilities, and that was impactful when Sonatype Lifecycle detected a high-severity vulnerability during a build process.
Overall, Sonatype Lifecycle has a very positive impact on the organization, particularly in improving software supply chain security and DevSecOps practices, with measurable improvements including earlier detection of vulnerabilities and faster remediation cycles.
I have definitely observed measurable operational improvements after integrating Sonatype Lifecycle into my workflows, highlighted by a noticeable reduction in vulnerable open-source components progressing to production stages, allowing me to remediate them before deployment.
What needs improvement?
While Sonatype Lifecycle provides strong value for software composition analysis and software supply chain security, one area for improvement is alert prioritization and noise reduction, especially in larger development environments.
The primary area for improvement I mentioned is alert prioritization and noise reduction, in addition to improving dashboard and reporting customization.
For how long have I used the solution?
I have used Sonatype Lifecycle for one year.
What do I think about the stability of the solution?
Sonatype Lifecycle is pretty stable and works fine.
What do I think about the scalability of the solution?
In my experience, Sonatype Lifecycle scales well for enterprise DevSecOps and software supply chain security use cases, particularly in environments with multiple development teams and a large number of applications and dependencies.
How are customer service and support?
The customer support for Sonatype Lifecycle is very helpful, and they are technically sound, providing positive feedback.
Which solution did I use previously and why did I switch?
Before Sonatype Lifecycle, I used a DAST solution called Qualys for application security, and this is my first tool for SAST and SCA scans.
What was our ROI?
From my point of view, once I introduce Sonatype Lifecycle with the DevSecOps pipeline, it offers automated vulnerability scanning, prioritization, and allows me to focus on risk assessment and remediation, saving me about 40% in time and effort.
What other advice do I have?
If you are working in a DevSecOps or application security project and want to prioritize vulnerabilities early, implementing Sonatype Lifecycle in your project will be helpful in addressing risks before they escalate. I provided this review with a rating of 8.
Compliance used to slow us down. Sonatype Lifecycle turned it into an automated, streamlined step that accelerates delivery instead of blocking it.
What is our primary use case?
My main use case for Sonatype Lifecycle is open-source scanning for SCA. We pair it with Fortify (our SAST/DAST platform), and together they give us a more complete security picture within the CI/CD pipeline.
A recent example: we integrated Sonatype Lifecycle with its Nexus SCA Manager into our Jenkins workflow. Our code already went through SAST/DAST, but some smaller open-source packages and sub-libraries were not primary focus —especially those with licensing or legal considerations. Lifecycle fills that gap by checking every component for vulnerabilities, version risks, and license obligations, so we’re confident the entire codebase is covered.
We also use Lifecycle’s JSON mapping to share vulnerability and application data across Jenkins, Fortify, and other tools. What used to be a bit scattered is now clean, automated, and easy to maintain. This brings better visibility on all components across applications and versions.
How has it helped my organization?
sonatype lifecycle has helps us get clearer visibility into open-source risk, improve compliance, and catch issues earlier in the development process. By automating checks in our CI/CD pipeline, it has reduced manual effort needed by teams to deliver secure, reliable software with more confidence.
What is most valuable?
One of the best things about Sonatype Lifecycle, in my experience, is how easy it is to set up and start using. You don’t need to be a core developer to get started with it. Anyone with basic technical knowledge can create an application, assign it to an org, connect the code, and within just a few clicks generate a CycloneDX(SBOM report) or a PDF. Even integrating it with Jenkins was straightforward, and with clear and simple instruction, we had everything up and running in just a couple of days.
Sonatype Lifecycle has also made a clear positive impact on our organization. It helps us stay streamlined with open-source risks (security, license, quality). Customer in the financial, manufactoring, government and technology sectors appreciate and do value. The tool is easy to integrate, well-documented, and lightweight, which made adoption simple and required minimal resource overhead. Overall, it strengthened our software supply chain and gave management confidence in our open-source security process.
What needs improvement?
Sonatype Lifecycle already does a nice job, but as you use it, you can’t help but notice a few spots where it could feel even smoother. Imagine opening it and immediately seeing a clearer, friendlier dashboard that tells you exactly what deserves your attention without digging around. As you move through your workflow, it would be great if the tool connected more naturally with what you’re already using, so everything just flows. And when an issue pops up, instead of leaving you guessing, it could guide you through what to do next in a way that feels simple and supportive.
Even having a bit more visibility into anything happening behind the scenes would make the experience feel more complete. It’s already strong, but with touches like these, it could feel even more helpful and intuitive in everyday use.
For how long have I used the solution?
I've been using Sonatype Lifecycle for a little over two years.
What do I think about the stability of the solution?
Solution is fairly stable in terms of core functionality, and with minimal technical issues. Aside for minor resolves all goes well.
What do I think about the scalability of the solution?
Sonatype Lifecycle scales really well. Whether you are using it on-prem or the SaaS version, it is pretty easy to add more resources and handle bigger workloads as you grow. It adjusts smoothly without much hassle, so you don’t really feel limited as your team or projects get larger.
How are customer service and support?
Customer support has been quite responsive, usually getting back to us within a couple of hours. Teams are flexible to connect on criticality of issue and the assistance needed.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously tried using an open-source scanner from Fortify, but eventually shifted to Sonatype Lifecycle because it offered a more complete and dependable approach for our SCA needs. There are other options in the market like Snyk and JFrog, but Lifecycle aligned better with what we were looking for in terms of accuracy, ease of use, and overall coverage.
How was the initial setup?
The initial setup was straightforward overall, and with the technical know-how and a clear understanding of the environment, the whole process moves smoothly and rather quickly.
What about the implementation team?
We have specialized consultants who are fully trained on Sonatype products and available for consultation, architecture design, and integration or deployment support. They take the time to understand each customer’s environment, which allows them to deliver solutions that truly fit the need rather than just dropping in technology.
What was our ROI?
Customer have seen a clear return on investment with Sonatype Lifecycle. Compliance scores improved, vulnerabilities dropped, and the overall workload became much lighter because we now get clear visibility into everything being built. Need for fewer people to manage the process, developers get quicker feedback, and testing team has far less manual work. Cost of running infra for the same needs went down since we’re able to run things efficiently on a single VM. All of this has saved us both time and effort in a noticeable way.
What's my experience with pricing, setup cost, and licensing?
From my experience, the licensing side is pretty straightforward to handle. Most of the cost and pricing considerations really come down to how the solution is deployed. Since we work with partners and other OEMs who help run Sonatype Lifecycle through their services, the final pricing details are usually best explained by the sales teams who manage pricing and licensing more directly.
Which other solutions did I evaluate?
I was not the deciding person on evaluating options before selecting Sonatype Lifecycle; however, the ease of adoption with sonatype to connect with existing SAST and DAST solutions was a key factor in the decision to choose Sonatype Lifecycle.
What other advice do I have?
I would rate Sonatype Lifecycle a 9/10. It’s a great product, and my main advice for anyone considering it is to take the time to understand your organisation needs get most out of this offering. Once you match the features to your goals, it really strengthens and simplifies your security process.
Which deployment model are you using for this solution?
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Consistently manages artifacts with clear UI and effective cleanup
What is our primary use case?
What is most valuable?
What needs improvement?
For how long have I used the solution?
What do I think about the stability of the solution?
How are customer service and support?
Which solution did I use previously and why did I switch?
How was the initial setup?
What's my experience with pricing, setup cost, and licensing?
What other advice do I have?
Utilize a reliable BRM tool to manage software artifacts efficiently with outstanding vulnerability identification capabilities
What is our primary use case?
What is most valuable?
What needs improvement?
For how long have I used the solution?
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
How are customer service and support?
What's my experience with pricing, setup cost, and licensing?
Which other solutions did I evaluate?
What other advice do I have?
Provides comprehensive dependency oversight with room for expanded security capabilities
What is our primary use case?
We use Sonatype Lifecycle for scanning our SCA product, software composition analysis. It is a category of product we use to scan third-party packages imported into the source code like Java, Node.js, or Python.
It reports back as an enterprise product with UI reports and is very useful. We integrate it into our pipelines, generate reports, and our developers engage with it to fix issues and ensure the software supply chain is secure.
What is most valuable?
The solution provides a comprehensive overview of dependencies and their security status. The onboarding process is straightforward, and the UI is very clear. The integration into our CICD pipeline enables us to continuously monitor code changes and identify new vulnerabilities. This ensures we can address issues proactively. Lifecycle effectively manages dependencies and highlights unsecure packages. It does what it does better, with integration into other Sonatype products. This integrated ecosystem is advantageous for us.
What needs improvement?
It is a bit narrow, and we are expecting more features, especially with respect to SBOM and other detections. It is specific to only one category, and we would like them to add more diverse application security features. We expect products to do multiple things. It only does one thing, and we want it to expand its capabilities.
For how long have I used the solution?
We have been working with Sonatype Lifecycle for four years.
What do I think about the stability of the solution?
The product is stable and works as expected. There are no performance or reliability issues.
What do I think about the scalability of the solution?
I find the solution scalable.
How are customer service and support?
The technical support is good. I would rate them as eight out of ten. They are helpful when we raise any tickets.
Which solution did I use previously and why did I switch?
We did not use another solution before this one.
How was the initial setup?
The initial setup is not straightforward as it includes databases, yet the documentation is good, and we did not face any issues. The support is good, and the setup went smoothly.
What about the implementation team?
It is a security product, so we installed it in our automation environment without tweaking anything. We brought users in, provided an overview of how developers should use it, and integrated it into a few applications before rolling it out to all.
What was our ROI?
We have seen cost savings and efficiency improvements as we now know what happens in what was previously a black box. The ROI is around two years, however, security improvements are hard to quantify.
Which other solutions did I evaluate?
We didn't evaluate other options since the product aligns with our ecosystem, enabling it to work well with other solutions we use.
What other advice do I have?
I recommend it because it integrates well with other Sonatype products and does its job effectively.
Overall, I would rate Sonatype Lifecycle as seven out of ten.
Easily identifies problematic versions and ensures adherence to regulatory standards like HIPAA, critical for industries dealing with sensitive information
What is our primary use case?
I work for a service-based company where we develop solutions based on customer requirements. That server was currently put up.
I've also worked with product-based companies, developing software products for end-user requirements. That's my background, working broadly in telecom and healthcare.
This solution is for the client, and we do have internal customers who have been using this solution too.
Sonatype Lifecycle primarily has two main products:
- Sonatype Nexus and
- Sonatype Lifecycle.
Lifecycle is mainly used for firewall management. If any issues are detected during the build process, they will be flagged, and each port can be addressed based on firewall and code scanning reports.
Essentially, it streamlines the process, allowing us to easily identify code snippets that need attention and then act upon those findings.
How has it helped my organization?
It's heavily integrated within our organization due to our adherence to HIPAA regulations, which are critical for protecting health information. We ensure regulatory compliance is incorporated into both our code and the applications we develop.
- Detailed Violation Reports: The violation reports provided by Lifecycle are key, giving specific details on the types of violations and identifying the component within the application. Even with multiple components like web, app, and database tiers, each is evaluated separately through individual pipelines, and reports are provided for each.
- Version Tracking: Another important aspect is the version details, showing which version is causing issues. We follow a standard release naming convention (major, minor, patch), so we can easily see which version is problematic.
- Dependency Management: Additionally, we can address dependency-related information at a granular level, identifying component versions causing build blockages. This is a very helpful feature.
What is most valuable?
With Sonatype, I primarily work with the Nexus Repository. I like it the most because it can store many artifacts generated after applications are built. These artifacts can be retrieved at any time.
Another valuable aspect of Sonatype is that it combines Lifecycle with the repository. The Lifecycle component integrates into every stage of the release, starting from code checkout and throughout the build process. This integration gives us insights into the code's quality and overall health.
Additionally, Sonatype seamlessly integrates with other tools like GitLab, providing continuous integration, delivery, and deployment capabilities.
It offers comprehensive reports on each stage, facilitating static code analysis and improving our understanding of code quality. All these integrations help provide valuable feedback to developers and stakeholders.
Mitigates security vulnerabilities:
It primarily analyzes code and provides vulnerability check results through the IQ Server. This server takes the application configuration and details, then provides a dashboard showing the vulnerabilities as critical, low, or high.
This is based on the policies defined in Lifecycle. Besides the default policies, we have custom policies that can be defined. These features evaluate the code and present those reports in the dashboard.
What needs improvement?
While Sonatype Lifecycle effectively manages artifacts in Nexus Repository and performs code firewall checks based on rules, it has the potential to expand further.
I am looking forward to additional features similar to SonarQube, especially since licenses are often split per component. SonarType could integrate cloud-based capabilities, addressing the increasing shift towards cloud workloads. While there have been demos and discussions around this, significant progress on scanning and analyzing cloud images remains to be seen.
I am looking forward to Sonatype incorporating these enhancements, particularly in regard to cloud-based features. On-prem workloads are getting to the cloud workloads.
- I would like to see more cloud-related insights, such as logging capabilities for the images we use and image scanning information.
- Additionally, it would be beneficial to have insights into the stages of dependencies and ensure they comply with standards. If there are any violations in respect to CVSS reports,
- Integrating CVSS (Common Vulnerability Scoring System) report rules into the Lifecycle module to detect and report violations would be valuable. I am hoping to see these enhancements from Sonatype in the future.
On the security side, I think there's a lot of development needed. There are many security tools on the market, like open-source ones, that Sonatype doesn't integrate with.
For how long have I used the solution?
I have experience with this product.
What do I think about the stability of the solution?
The stability of the product is very normal. If we don't bump it up with minor releases, and instead use the stable releases, there are no major issues. So far, the stability is perfectly fine.
What do I think about the scalability of the solution?
I would rate the scalability an eight out of ten.
Earlier, licenses were specific to on-premise servers, but now, Sonatype is also available in the cloud, offering more flexibility. Now, we can bump it up if required. We can increase the number of user licenses as needed by contacting the Sonatype team.
We regularly evaluate our license usage and adjust based on our needs. For example, we initially had 100 licenses, but after analyzing usage patterns and integrating another team, we increased it to 200.
So, scalability is not an issue.
How are customer service and support?
The support was good. However, getting the right resources for specific activities is a problem.
Once an issue is identified, we need to raise a user request, which might become a development request, leading to long wait times. This is where we experience delays and needs improvement.
Which solution did I use previously and why did I switch?
Another tool that is equivalent to Sonatype is JFrog, but it does not have Lifecycle kind of features.
But, we can compare the Sonatype Nexus repository with JFrog Artifactory. We also have other options like Azure Artifacts in the cloud.
How was the initial setup?
I would rate my experience with the initial setup a nine out of ten, with ten being easy.
The installation itself is quick, but the configuration takes longer, especially with custom policies. If you use the default policies, it's much faster.
The configuration needs to be tailored to the specific requirements of the team or application. Installation can be completed in three to four hours, but configuration may take a couple of days.
Deployment model: It is deployed both on the cloud and on-premises.
Deployment resources: It doesn't require many resources. One engineer and another person should be able to handle it, especially for the policies and other details. Installation and setup are not difficult.
However, ongoing maintenance is required, so an additional person might be helpful. Is the requirement solely for Sonatype, or do you have other tools to maintain as well?
What about the implementation team?
I successfully set it up from scratch for my organization, conducted training sessions for the development team and leadership, and collaborated extensively with the Sonatype team for over eight years.
Steps for the deployment process:
- First, we get the bundle. Once we receive the bundle, we will review the installation tips and identify the server for installation. The installation server is designed based on the environment, considering CPU, RAM, storage requirements, and database choice (Oracle or PostgreSQL). After all, the database is key.
- We download the package bundle from the website, which includes the installation script and a configuration file. The configuration file defines the connection details to the database. This is usually handled by the admin ID.
- The next step is to create roles for the development team and other relevant teams, assigning users to these roles. The most time-consuming part is defining the custom policies tailored to our organization's specific needs, as we have numerous applications running with different teams and product lines.
- Once the policies are defined, we integrate Sonatype with the CI/CD pipeline. This allows us to run scans, generate reports, and start using the tool effectively.
What was our ROI?
In terms of Sonatype, it's definitely worth it. The software is valuable. However, I'm expecting more additional features and frequent releases, as major releases take a long time. I think the Sonatype development team should release updates with additional features more often.
What's my experience with pricing, setup cost, and licensing?
I would rate the pricing a seven out of ten, with ten being expensive. The price is high.
It depends on the number of licenses. The price increases based on the fact bundle you are collecting. The number of licenses depends on the organization and how many we have.
What other advice do I have?
My advice:
Sonatype Lifecycle has a lot of uses based on the user base. It's licensed based on support, not per user. So, if a team has 200 developers, I would recommend starting with a smaller number of licenses, like 50 or 75, and increasing it later if needed, rather than buying 200 licenses upfront. They can always compare and adjust based on their usage.
Overall, I would rate it an eight out of ten.
A very easy to use solution with great scalability
What is our primary use case?
We use this solution for libraries in our applications that need to be updated.
What is most valuable?
The solution is very easy to use.
What needs improvement?
Improvements are needed as per customer requirements.
For how long have I used the solution?
I have been using Sonatype Lifecycle for one year.
What do I think about the scalability of the solution?
The scalability is a ten out of ten.
What other advice do I have?
Overall, I would rate the solution a ten out of ten.
Offers excellent technical support but lacks integration with deployment tools
What is our primary use case?
Our primary use cases involve monitoring and securing our software supply chain. We use it to proactively identify and block any potentially insecure components from being downloaded, ensuring our firewall remains robust. Additionally, we use the platform to analyze both deployed and developing code throughout the development lifecycle.
What is most valuable?
The most valuable function of Sonatype Lifecycle is its code analysis capability, especially within the specific sub-product focusing on static analysis. This feature, particularly tailored for Java code, has been crucial in identifying and addressing vulnerabilities in our software.
What needs improvement?
There is room for improvement in the code analysis aspect of Sonatype Lifecycle, specifically in the area of deployment security. While the product effectively scans components and provides threat intelligence, it requires additional manual effort to ensure that the configuration of the product during deployment is done securely.
When it comes to new features, I would find it incredibly beneficial if Sonatype Lifecycle could integrate with deployment tools, enabling real-time identification of any vulnerabilities as developers push code to production.
For how long have I used the solution?
What do I think about the stability of the solution?
It is a quite stable solution. I would rate the stability as a seven out of ten.
What do I think about the scalability of the solution?
I would rate the scalability of the solution as a ten out of ten. It is suitable for any business size.
How are customer service and support?
I would rate Sonatype's technical support a solid ten out of ten. They are highly engaged, conduct weekly meetings to discuss the product roadmap and competition, and even bring in engineers to provide hands-on guidance on using the product.
How was the initial setup?
Setting up Sonatype Lifecycle can be complex, possibly influenced by deployment choices. While I haven't explored the latest architecture, there is potential for a simpler SaaS deployment. It is available both as an on-premises and cloud-based hybrid solution to suit different preferences and needs.
What's my experience with pricing, setup cost, and licensing?
I would rate the affordability of the solution as an eight out of ten.
What other advice do I have?
Overall, I would rate Sonatype Lifecycle as a six out of ten. It is a solid product with some room for improvement.
Good visibility, helps reveal vulnerabilities, and helps remediate issues
What is our primary use case?
We use the product as a SaaS analysis tool. We review static code. It allows you to find vulnerabilities.
The value that combining Fortify and Sonatype is that we use Fortify as a SaaS analysis tool. We review static code and Sonatype allows you to find vulnerabilities.
I use it as a security center. I review it for any kind of issues, whether for proof or to deny, the source code, the findings, and then the enterprise can go back and provide their recommendation for how to fix the issue. It is used to scan the code base.
What is most valuable?
As a security analyst, I like the management view. From there, you can review the code and review findings in order to approve, deny, or recommend. Their Software Security Center, which acts as a portal, is quite useful. It's a good overview. You can really see what's happening after you've developed something.
Fortify's AppSec testing is great for application portfolio inventory and project releases. It works both at a portfolio level and also at a project level.
They also give you the capability to click train of all your vulnerabilities that happened within Apache Crossroads support. You give them a history to keep track of them, how they've been developed, how they've been saved, to give you a way of tracking your issues and how they get resolved.
It's pretty easy to find vulnerabilities. Then, you go to the source. It is very good at tracking to see where the data or the issue enters into your source code so you can track it or go back to where it started.
Fortify helps remediate potential vulnerabilities by using more accurate, reliable results. They offer recommended remediation. I can go to the website tools to resolve issues and search for remediations. This helps our developers to build more secure code from the start.
It has reduced vulnerabilities. We've never had issues when we ran our scans. We're notified, and we're able to identify most of our vulnerabilities and fix them before anything goes to production. If you're running this on your CI/CD pipeline, notifications are in real-time.
The level of detail is very informative. It provides you with recommendations on how to fix items. And they provide you with other resources available for how to address the issues. You can also see the root cause.
It works well with cloud-native applications.
Fortify helped us to free up staff time since it helps us resolve issues faster.
It's helped us save costs as, if we catch a vulnerability faster, it's easier to fix than later.
Fortify and Sonatype help maintain compliance with the applicable regulations. We mostly use Sonatype for compliance and licenses. By combining both solutions together, it enables you to solve a lot of issues that may occur in the future.
What needs improvement?
It would be nice if they had a version suitable for single developers that could be more cost-effective and maybe faster to learn.
For how long have I used the solution?
I've been Fortify for two or more years.
What do I think about the stability of the solution?
I've never had an issue with the solution crashing.
What do I think about the scalability of the solution?
I've never had issues with scaling.
How are customer service and support?
I've never had to contact technical support.
How was the initial setup?
I was not involved with the initial deployment.
We only integrated the product with one other solution. It was easy to do so.
There is some general maintenance needed, such as adding or removing users and projects and things of that nature.
What's my experience with pricing, setup cost, and licensing?
Their licensing is expensive.
What other advice do I have?
I do not use the open-source components of Fortify. However, we use other tools for open-source stuff.
I'd advise people who are still using manual methods to find vulnerabilities to adopt some sort of scanner to cut the time spent by 100%.
I'd rate the solution ten out of ten.
I would advise other potential users that you need to make sure your source code can work with Fortify.