Sonatype Nexus Firewall Overview

Sonatype Nexus Firewall is the #8 ranked solution among top Software Composition Analysis (SCA) tools and the #16 ranked solution among application security solutions. PeerSpot users give Sonatype Nexus Firewall an average rating of 8.6 out of 10. Sonatype Nexus Firewall is most commonly compared to JFrog Xray: Sonatype Nexus Firewall vs JFrog Xray. Sonatype Nexus Firewall is popular among the large enterprise segment, which accounts for 71% of users researching this solution on PeerSpot. The top industry researching this solution is financial services, accounting for 24% of all views.
Buyer's Guide

Download the Application Security Tools Buyer's Guide including reviews and more. Updated: November 2022

What is Sonatype Nexus Firewall?

Nexus Firewall is a perimeter quality control for software development. Similar to a network firewall, it applies rules you define: one set automatically blocks unacceptable open source components from entering your development environment, and another stops such components from leaving in the applications you build and release.

Sonatype Nexus Firewall was previously known as Nexus Firewall.

Sonatype Nexus Firewall Customers
EDF, Tomitribe, Crosskey, Blackboard, Travel audience

Sonatype Nexus Firewall Pricing Advice

What users are saying about Sonatype Nexus Firewall pricing:
"The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive."

Sonatype Nexus Firewall Reviews

Senior Cyber Security Architect and Engineer at a computer software company with 10,001+ employees
Real User
Top 10
Significantly decreases our time to market for secure apps by automating open source approval
Pros and Cons
  • "Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you."
  • "What I don't like is the lack of an option to pick up the phone and call someone for support. That is something they need to improve on. They need to have a professional services package, or they need to include that option with their services."

What is our primary use case?

Given the security concerns around open source, the management and vulnerability scanning of it is relatively new. In today's world more and more people are going into the open source arena and downloading code from Python, GitHub, Maven, and other external repositories. There is no way for anyone to know what our users, especially our data scientists and our developers, are downloading. We deployed Sonatype to give us the ability to see whether this code is vulnerable or not. Our Python users and our developers use Sonatype to download their repositories.

Given the confidentiality of our customer, we keep everything on-prem. We have four instances of Sonatype running, two Nexus Repositories and two IQ Servers, and they're both HA. If one goes down, then all the data will be replicated automatically.

How has it helped my organization?

We have visibility into what developers are downloading now. We had an incident recently where a few of the packages from PyPI were vulnerable, and we knew. Another example is that we were working on an open source project, enterprise-wide, and we wanted to do a PoC. When the company doing the PoC started downloading the packages, even they didn't know that those packages were vulnerable. Sonatype detected that.

Nexus Firewall has also significantly improved the time it takes us to release secure apps to market. Before, we needed to manually do a security evaluation for the static and dynamic code. While Sonatype does not do static analysis, it's been fine for dynamic. We don't have the headache of worrying about what our developers are downloading. Sonatype is taking care of all that. We have a very closed environment; nothing is allowed. Everything is "deny, deny." It used to be that for a user to request a package from PyPI, for example, they would need to submit a firewall request and to go through a CRV meeting. People would need to review it and approve it or reject it. Once that was done, we would need to whitelist that URL into the proxy. To download simple packages it would take users two weeks. Now, they can do it instantly.

It has helped developer productivity because they can do things right away now. For the majority of the code they're downloading, the URLs are already whitelisted through Sonatype. Our development has been pretty fast, as a result. Overall, the executives have been happy, because now we have something that is evaluating the open source code.

What is most valuable?

The Nexus Firewall itself, with its sheer ability to ensure that you're downloading safe code, is a big win for our environment. 

Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you.

When you go to the IQ Server dashboard, it will tell you, "Version 1.2 is not good. You should upgrade it to version 1.3." You have that visibility, and you can whitelist things based on your business justification, and you can add notes in there as well.

In terms of securing our software supply chain, what we're trying to do is set things up so that they're upstream from our developers' work stations. Aside from downloading the code safely through Sonatype, a second way is by pushing our developers' code into a repository and Sonatype will do the security evaluation. You can use it as a hosted repository, versus using ADO which does not provide security evaluation and scanning. It helps bring open source intelligence and policy enforcement across our SDLC.

For how long have I used the solution?

I've been using Sonatype Nexus Firewall for two years.


What do I think about the stability of the solution?

The stability has been okay. I can't complain. It hasn't broken down on us.

What do I think about the scalability of the solution?

It hasn't been hard to scale it. We're in the process of integrating with ADO and our CI/CD pipeline.

At the moment, any developer who needs to download anything from the open source world must do so through Sonatype. All other access is blocked on the servers themselves. The servers cannot directly go through to PyPI, for example. Everything has to go through Sonatype. I can confidently say that we are using it enterprise-wide and everything is coming through Sonatype.

How are customer service and support?

I love the product and the team, and their support is phenomenal. You send them an email and they reply back to you within minutes. In general, they're responsive and helpful.

The guys from Sonatype who helped me build our dev environment for the PoC were on the ground with us, helping, running around the room, talking to people, and implementing it. But for the production, we had to do everything on our own.

If I have any questions in terms of implementation, or any high-level ideas, the guys from the customer success team that I'm good friends with, throughout this process, always schedule a time to meet or call. It does take them time, but they always make themselves available.

What I don't like is the lack of an option to pick up the phone and call someone for support. That is something they need to improve on. They need to have a professional services package, or they need to include that option with their services. If something breaks at the customer that we work with, I should be able to call someone at Sonatype, get them on the line, share a screen, and fix it right away. They don't have that at the moment.

Which solution did I use previously and why did I switch?

We did not have a previous solution. This was the first solution we were introduced to. Open source security is new to everyone, and recently we were finding a lot more security vulnerabilities in the open source stack. We saw what Sonatype was capable of; we saw that it was blocking stuff. We saw that we had a log of user XYZ downloading this package and, when it was blocked, we were able to whitelist it or blacklist it, and provide a justification for why it was blocked. So far, everything has been pretty good.

How was the initial setup?

For people who don't have a lot of Linux knowledge—including myself, I'm purely a Windows guy—it can be very tricky. It did take us a long time to stand up the environment.

The fact that they don't have professional services to implement it for you is a big gap. I have a good relationship with everyone on the Sonatype team. I sent them an email and they made time to jump on a call and help us build it. That is what is expected from a large, enterprise-level company. We have Azure Sentinel and F5, and these companies have professional services. They help you from end to end, starting with the implementation. Sonatype does not have that at the moment. It does become challenging when you're not a Linux guy and you need to learn and implement it and make sure that you're deploying it securely.

To be fully ready, it took us two months. I was involved, along with one of my engineers, and we had the help from Sonatype team.

In terms of an implementation strategy, we had the whole high-level architecture set up, which was not very hard. But to engineer it and do it was a little challenging for me, but it could be different for people who have Linux knowledge.

There are about 200 people using it across our organization. Most of them are developers and data scientists. I take care of the day-to-day maintenance. The upgrades are easy, the directions are easy. If you do need help, you can reach out to the support.

What was our ROI?

From a security perspective, it has made a significant difference.

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable if you're a large enterprise developing code. It's not super-expensive. There are no costs in addition to the standard fees.

Which other solutions did I evaluate?

I know there are others in the market, like JFrog, but it was quite an easy setup and then we just rolled with it. We didn't really bother looking at other products.

What other advice do I have?

You should have some knowledge of Linux before implementing it, because to set up the rsync and to make sure your data is being replicated and that it's HA, you need to know Linux.

We took a look at the demo of Nexus Container and, although I haven't used it hands-on so I cannot say too much about it, it looks like a freaking awesome product. We are in the process of evaluating it and may do a PoC. It looks like it's easy to use, easy to integrate, and does not require a lot of RAM or storage. You can install it on existing Kubernetes clusters, so there's not a lot of infrastructure needed. Using it, I expect we'll find out if the images that we're downloading for the containers are secure or not. It's definitely worth taking a look at it.

Default policies are never really a good idea, anywhere. You need to adjust them based on your environment's needs. When we deployed Sonatype, the policies were not automatically configured so that if a package is malicious it would block it. You need to manually set those up. But their policy engine provided the flexibility that we need. It was really a quick, easy setup.

The biggest lesson I've learned from using Sonatype is that open source security is very important and it's getting crazy these days, because there's so much hacking and so many breaches going on, so much vulnerability. Even Microsoft codes and some of the packages in PyPI are not secure. You trust a repository like Microsoft or PyPI, but there are still some vulnerabilities out there. That is why it was so important for Sonatype to be implemented in our environment.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
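The behaviour described above (components evaluated against a vulnerability feed before a developer can pull them, blocks that can be waived with a business justification, an upgrade hint when a version is bad, and a later notification when something downloaded clean becomes vulnerable) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Sonatype's code and makes no claim about how Nexus IQ Server implements its policy engine. The package names, versions, advisory identifiers and severity feed are constructed for the example, and the `Policy`, `Firewall`, `evaluate` and `suggest_upgrade` names are hypothetical.

```python
"""Toy model of a repository-firewall policy gate (illustration, not Sonatype code).

All packages, versions and advisory IDs below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed vulnerability feed: (package, version) -> [(advisory id, severity), ...]
VULN_FEED: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("example-http", "1.2"): [("EX-2022-0001", "critical")],
    ("example-yaml", "5.3"): [("EX-2022-0002", "medium")],
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    block_at: str = "high"  # block when any advisory is at least this severe
    # (package, version) -> business justification recorded with the waiver
    waivers: Dict[Tuple[str, str], str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    advisories: List[str]


def evaluate(pkg: str, version: str, policy: Policy, feed=VULN_FEED) -> Decision:
    """Apply the policy to one requested component; waivers override a block."""
    advisories = feed.get((pkg, version), [])
    worst = max((SEVERITY_RANK[s] for _, s in advisories), default=0)
    ids = [a for a, _ in advisories]
    if worst >= SEVERITY_RANK[policy.block_at]:
        justification = policy.waivers.get((pkg, version))
        if justification:
            return Decision(True, f"waived: {justification}", ids)
        return Decision(False, f"blocked: severity >= {policy.block_at}", ids)
    return Decision(True, "clean" if not ids else "below threshold", ids)


def suggest_upgrade(pkg: str, version: str, candidates: List[str],
                    policy: Policy, feed=VULN_FEED) -> Optional[str]:
    """Lowest candidate newer than `version` that passes the policy without a waiver."""
    def key(v: str) -> Tuple[int, ...]:
        return tuple(int(x) for x in v.split("."))
    strict = Policy(block_at=policy.block_at)  # ignore waivers: we want a genuinely clean version
    for v in sorted(candidates, key=key):
        if key(v) > key(version) and evaluate(pkg, v, strict, feed).allowed:
            return v
    return None


class Firewall:
    """Gate in front of the proxy: logs every request and remembers what it served."""

    def __init__(self, policy: Policy):
        self.policy = policy
        # component -> advisory IDs that were already known when it was served
        self.served: Dict[Tuple[str, str], Set[str]] = {}
        self.log: List[Tuple[str, str, str, bool, str]] = []

    def request(self, user: str, pkg: str, version: str, feed=VULN_FEED) -> Decision:
        d = evaluate(pkg, version, self.policy, feed)
        self.log.append((user, pkg, version, d.allowed, d.reason))
        if d.allowed:
            self.served[(pkg, version)] = set(d.advisories)
        return d

    def recheck(self, feed) -> List[Tuple[str, str, List[str]]]:
        """Components served earlier that now carry NEW advisories at or above the block level.

        Waivers are deliberately ignored here: a waiver covered the advisories known
        at the time, not ones published afterwards.
        """
        threshold = SEVERITY_RANK[self.policy.block_at]
        flagged = []
        for (pkg, ver), known in self.served.items():
            new = [(a, s) for a, s in feed.get((pkg, ver), []) if a not in known]
            bad = [a for a, s in new if SEVERITY_RANK[s] >= threshold]
            if bad:
                flagged.append((pkg, ver, bad))
        return flagged


if __name__ == "__main__":
    fw = Firewall(Policy(block_at="high"))
    print(fw.request("alice", "example-http", "1.2"))   # blocked: critical advisory
    print(suggest_upgrade("example-http", "1.2", ["1.1", "1.2", "1.3", "2.0"], fw.policy))
    print(fw.request("bob", "example-json", "2.0"))     # clean today
    later = dict(VULN_FEED)
    later[("example-json", "2.0")] = [("EX-2022-0003", "high")]  # published five days later
    print(fw.recheck(later))                            # bob's download is now flagged
```

In a real deployment the gate sits behind the proxy endpoint that the build tools are pointed at (for pip, `pip config set global.index-url <proxy URL>`; for Maven, a mirror entry in settings.xml), and outbound access to the public registries is blocked at the network level so that the proxy is the only path, which is the "deny, deny" arrangement the review describes.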
Ashish Shukla
Global Treasurer at Genpact
Top 20
You will get clean code every time, and that's a great achievement

What is our primary use case?

We use this tool for QA automation and QA quality checking. We check the quality of the code and the calls with SonarQube. If there is any kind of memory leak, it protects against that. When we want to move the code to the next level, we use Sonar Quality Gates. This is part of a QA automation process.

We only then promote the code to UAT and then the product once it passes 80% of the threshold that we set for it.

How has it helped my organization?

I believe this tool is being used by most of the product development team in the organization. It's part of the CI/CD pipeline. You can say it's a must-have kind of tool. Some other tools are commercially available, but using this as a freeware and commercial tool, it's really a good tool to have.

What is most valuable?

For the QA team, it's a really good tool. 

For those who are not on the QA team, it is also a good tool to use for SDL in the SDLC. It plays a very critical role of doing the automatic quality check recommendation. Meaning, when using this tool, people can easily rectify the issues in the environment itself, instead of going to a higher environment and identifying them.

This tool is quite easy to use and learn. We decided that there was no need to hire anyone new who would specialize in this. We had a team of about five to ten people who learned how to use this tool. There are some other automation tools like Jenkins, for example, that require a lot of effort to configure and write out the code, but you do not need to do such for this tool. I thought outside of the box and saw that there are many options available to us when using this tool. The plugins are there, you can download and use the tool at ease and you do not need to do any kind of development. Overall, it’s quite easy to use.

What needs improvement?

I suggest that Sonatype should add support for more computer languages. The product works well with languages such as Java and C#, but in my opinion, adding support for more languages would be really good. In addition, I believe that they should add some more functionality to improve the quality of the code.

For how long have I used the solution?

I used the product for two or three projects, for about two and a half years, and the product is still a part of my company’s CI/CD pipeline. Although I am not managing it anymore, the support team and the whole development team are still using this tool.

What do I think about the scalability of the solution?

From a scalability point of view, it's good. However, we were not heavily using this product so I cannot comment further about the scalability of this product.

How are customer service and support?

I think we posted one or two queries on the development side, but the response was not that great. This may be due to the fact that we were not paying customers at the time.

Later on we bought some licenses. For license users, I think the support is good. For those who are using the open source version, it might take some time to get a proper response.

How was the initial setup?

The setup is straightforward, but it is important to understand the tool first. For example, which functionalities you need to check and which plugins need to be installed. 

Product-wise, it's quite easy, and people can deploy it. However, configuration and setting the functionalities, etc. is quite a challenge. You will have to learn more about these features, depending on how effectively you would like to use this product. 

It took some time, one or two months, to set it up. The team had to configure the project, set up the proper quality case, and choose the correct options, which are the functionalities you want to use for this product or your own product. It’s a process that continuously improves.

We constantly check for upgrades and new versions of the product. We upgraded this product once or twice in the past and it was quite easy and we did not face any issues when doing so.

What was our ROI?

It definitely adds value to the code quality. In the long run, you will definitely get a good ROI. You will get clean code every time, and that's a great achievement. You won't face any issues in the production environment related to quality and bad coding. It's really, really good and helps our organization get a good ROI. I believe that a good ROI is very important.

What's my experience with pricing, setup cost, and licensing?

The licensing is quite reasonable, I believe. I do see that it adds value. It means whatever part you want to use, you can just use that part and pay for that. I think the licensing is fair enough.

It’s good for long-term users. Using this product on a yearly basis would be great. However, if your development cycle is only two or three months long, you will likely want to go with the monthly basis only.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.