You don't need to be a CISO to know the importance of scanning code as you go, even if that code is being produced by third parties. It's the how and when third-party code should be scanned that make things get complicated. The answers vary depending on the project, the organization producing it, its third-party suppliers, etc. Yet in spite of the differences, there is a clear-cut best practice that can be followed in any situation: automated code testing.
When you look at some of the improved figures (financial and otherwise) the company profiled in this Forrester case study saw when switching to constant, automated scanning, the value really comes into view. Here are a few benefits, and some notes on how automated code testing helped:
This one sorta says it all, doesn't it? Nearly 2 million dollars of finding and fixing third-party errors saved by letting computers do the work.
Errors only get more expensive the longer they go unchecked. Even if it's not prudent to fix them as soon as they're located, simply knowing one exists earlier in the software development lifecycle can make mitigating it later down the line way less expensive. The savings, as the study notes, come from multiple directions. Cutting down on the overhead associated with fixing bugs is one obvious financial benefit, but removing the complexity from the bug-fixing process is another.
Automating the code-checking process removes variance from the bug-fixing process, in other words, and holds third-party developers to standards their own internal tools may not be able to enforce. Considering how much the cost of each bug increases the longer it goes undiscovered, that alone makes automated code testing worth a look.
From a financial standpoint, improved third-party code quality is one of the best forms of preventative maintenance available to first-party developers. Brake pads are cheaper to replace than pads and drums and rotors, after all.
As implied above, much of this improvement comes via enhanced consistency: Because automated code testing is, well, automated, every line of code can be given the same level of scrutiny. And because third-party code from around the world is subject to the same rules, with no room for the variance or inconsistency introduced by in-house testing tools.
The cleaner code is up front, the less money you have to spend fixing it later. Automating code scanning for your third parties allows you to do just that. Whether you're craving more consistency or just like the idea of more money, that's another tally in the win column for automated platforms.
The header says "internally developed," but if you look a little deeper you'll see where the third-party savings come into play. Third parties are often (and rightfully) skittish about letting their employers directly view source code, even in the name of preventing security vulnerabilities; binary static analysis, a Veracode service that automatically scans for errors without needing access to the source code, allows first parties to sidestep the issue by removing the need for that code altogether.
This point's huge if you use internally developed tools to check third-party submissions. Doubly so if those tools require source code to work at their best. It's also massively helpful in scanning third-party-developed legacy apps, for which the source couldn't be found even if the vendor was willing to share it.
When you look at the cost and comparative efficacy of traditional tools used to scan third-party contributions (most notably the costly penetration testing), automated code testing makes for a better, more thorough tool in an area where results are crucial: third-party security. As with the previous two entries here, that makes it a clear-cut winner.
Automated scanning can provide better products that come faster and cheaper, a series of benefits that can more or less be considered the "big four" in software development. If you're still relying on traditional tools and old-school approaches, give it a look before it becomes the standard — because, with the perks it provides over the old way of doing things, it most certainly will soon. Whatever your reason for considering the switch, contacting Veracode is a good first step towards delivering better, safer products and projects.
Read Forrester's full case study on the benefits of automated testing here.
Photo Source: Flickr