2022-11-07T08:48:00Z
NC
Content Manager at PeerSpot (formerly IT Central Station)
  • 0
  • 17

What SCA solution do you recommend?

Why?

1
PeerSpot user
1 Answer
Beth Safire - PeerSpot reviewer
Tech Blogger
Real User
Top 5
2022-11-27T09:34:50Z
Nov 27, 2022

We are using Sonatype Nexus Lifecycle as an SCA solution. It helps us in identifying open-source vulnerabilities. We use it extensively to scan software builds for components with existing vulnerabilities and malicious components. The solution helps us manage and secure the component part of our software supply chain. It is a very easy tool to work with. The engine is designed to calculate and decide whether a security vulnerability exists or not.


I would say that some of the main advantages of using Nexus Lifecycle are:




  • Easy setup: The initial deployment was run from a cloud template; it was very fast and straightforward.



  • Reports and insights: The data that is generated around the vulnerabilities and the way it is distributed across different severities is very helpful. It guides us on what decisions to take in terms of what should be ignored and what should be worked on.



  • Helpful IDE: The Nexus Lifecycle editor has some very useful plugins. While developers are writing code, Sonatype can prevent them from writing something that might cause a security vulnerability.



  • Scalability: The solution scales well. We have gone from limited usage to very extensive usage, with no negative effect on the performance.



  • Stability: We haven't encountered any stability challenges, either from the software end or from the infrastructure. If there is an issue of any type, we get a direct alert.



  • Compliance: We have excellent visibility into both legal and security policies. The product allows us to maintain compliance for third-party libraries as well.



One disadvantage is that the price of the solution is a bit high.

Learn what your peers think about GitLab. Get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
687,947 professionals have used our research since 2012.
Search for a product comparison in Software Composition Analysis (SCA)
Related Questions
Avigayil Henderson - PeerSpot reviewer
Content Development Manager at PeerSpot
Feb 24, 2023
Hi community,  Please let us know your thoughts in the comments below. Thank you!
See 1 answer
VG
Chief Architect at Peristent Systems
Feb 24, 2023
When you say centralized view, do you mean different testing categories which should be looked at for matured software development? If yes, sharing my views on important ones.  1. Functional Testing (either using open source frameworks like playwright, cypress, and selenium or using a platform approach like Katalon, Tricentis, SmartBear).  2) Performance and Load Testing  3) Chaos Engineering  4) Security Testing which includes SCA, SAST, DAST, checking IaaC scripts, checking K8 clusters, docker images  5) Accessibility Testing to comply with WCAG guidelines  6) API testing
Avigayil Henderson - PeerSpot reviewer
Content Development Manager at PeerSpot
Feb 16, 2023
Hi community,  Please let us know your thoughts in the comments below. Thank you!
See 1 answer
LW
Content Editor at PeerSpot
Feb 16, 2023
The duration of SCA scanning is going to vary depending on things like the size and complexity of the application being scanned, the depth of the analysis required, and the capabilities and performance of the SCA tool being used. That last piece can be crucial and is a good reason to do a PoC or at least some trial runs of any solution you are considering. In general, an SCA scan can take anywhere from a few seconds to several hours or even days, depending on the size of the codebase and the scope of the analysis. However, many SCA tools are designed to optimize their performance and reduce scanning times by focusing on critical vulnerabilities first, performing incremental scans, and providing parallelization capabilities. Speed can also depend on the stage at which you're scanning. IDE scanning is generally going to be the fastest. Shared pipeline scans will take longer and full production scans are going to take the longest. Obviously, speed is important, but fast without accuracy isn't going to do the job, so that's another aspect to keep in mind. Over time, the number of false positives should decrease as your devs learn better coding practices and you learn to configure your scanner for your particular environment.
Related Articles
NC
Content Manager at PeerSpot (formerly IT Central Station)
Apr 19, 2022
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features they like most and why. You can read user reviews for the Top 5 Software Composition Analysis (SCA...
NC
Content Manager at PeerSpot (formerly IT Central Station)
Apr 11, 2022
The world of technology is constantly undergoing both evolutions and revolutions. It is always difficult to know just what kinds of changes and innovations each year is going to bring. The fields of Development and Operations (DevOps) and Development, Security, and Operations (DevSecOps) are two examples where the best people can do is offer their predictions of what might be in store. PeerSp...
Related Articles
NC
Content Manager at PeerSpot (formerly IT Central Station)
Apr 19, 2022
Top 5 Software Composition Analysis (SCA) Solutions 2022
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to...
NC
Content Manager at PeerSpot (formerly IT Central Station)
Apr 11, 2022
PeerSpot Users' DevOps and DevSecOps predictions 2022
The world of technology is constantly undergoing both evolutions and revolutions. It is always di...
Download Free Report
Download our free GitLab Report and get advice and tips from experienced pros sharing their opinions. Updated: March 2023.
DOWNLOAD NOW
687,947 professionals have used our research since 2012.