Skip to main content
February 13, 2012

The Benefits of Closed Loop Development

Feedback"On January 31, Veracode released our first platform update of 2012, including new scans for iOS, improved eLearning progress tracking and reporting, additional API methods, and better communication of expected turnaround times for applications." That was the headline of the release announcement that went out to our opted-in Veracode users about two weeks ago, and it does a pretty good job of summing up what was in the release. But I thought it might be interesting to lift the lid a little bit and talk about some of the processes we have at Veracode that lead to improvements in our service, and how they're facilitated by our service's SaaS culture. Veracode has several development teams making improvements on our service, but for the purposes of today's discussion I want to focus on the team that builds our static engine. The team is maniacally devoted to continuous improvement, and is continually monitoring incoming data about the speed and accuracy of our static scans to look for opportunities to lower the noise level and turn results around more quickly.

The process is pretty simple: when we introduce a new language or platform, we have a team of reviewers that checks the results of each and every static scan of an application on that platform. If they find that we have incorrectly reported a finding (a "false positive"), they mark the finding as an FP, which suppresses it from the final report. The FPs are then viewed in aggregate and we use the data from them to identify scans that need fine tuning. Once our engineers make the changes, we test the fixes across a library of tens of thousands of applications, where our automation verifies that we improved the scan quality. We then roll out updates to the scan engines so the next customer gets the benefits. The whole process takes, at most, four weeks, including testing. If we find a critical issue that is blocking customer applications from completing, we roll out the fix immediately. We apply a similar process to applications that take a long time to get through the engine. And the fun part of this is that the process works. We used to guarantee turnaround of small applications in three business days. As of January 31, we're now telling our customers that most of their applications will be published within two hours of submission. And we'll beat that estimate a good percentage of the time. It's no wonder that increasingly customers are making us part of their agile development strategy.

Related Content

Tim Jarrett is Senior Director of Product Marketing at Veracode. A Grammy-award winning product professional, he joined Veracode in 2008 and has a Bacon number of 3. He can be found on Twitter as @tojarrett.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.