As a Security Program Manager here at Veracode, I frequently get asked questions about the need to integrate security into the SDLC. The Security Program Manager position at Veracode is a consulting role that ensures the adoption of Veracode's solutions throughout our clients' IT delivery and security organizations. I am often asked about the effort required to integrate build systems with Veracode. I thought this would make a good blog post and decided to outline my answers to these questions.

Q: Why integrate security in the SDLC?

A: Security is an aspect of business operations that affects every member of the organization. With that said, it doesn't have to be a costly or time-consuming process. When it comes to software development, the need for security is on a par with the need for functional and efficient code. Fortunately, Veracode's position as a SaaS-based provider of application security allows us to integrate efficiently and easily with the SDLC without burdening the developer with ramping up on and understanding the complexities of tool-based security testing. Through the use of Veracode APIs, the ability to test early and often is achieved with each build generated by the release management cycle. Not only are you able to comprehensively evaluate the application through this model, but you also free up developer time to focus on the findings and the fix plan.
Q: What effort and resources are required to integrate my build system with Veracode?

A: The effort to integrate with Veracode is less than you may imagine. Veracode provides sample integration scripts and libraries in several languages for release engineers to customize to their own environment. In fact, we have had customers integrate with Veracode in just a few days, establishing a process for scanning early and often after each build. Most build systems allow commands to be executed after the binary has been constructed, creating an ideal opportunity for the upload and scan initiation process to begin.

Q: What is the benefit of integrating with a cloud-based static binary analysis service?

A: Integrating with a cloud-based application security service like Veracode provides you with peace of mind on each and every scan. You're able to offload the testing effort to Veracode, allow developers to focus on remediation, and ensure that each test performed is comprehensive, consistent, and occurs after each build generated by the release engineering process. Veracode can easily be used as a gate in the QA or production release process to ensure that code being deployed to production is secure and compliant with your internal or industry-defined policies.