The following post is a guest contribution by Matthew Luedke of On-Line Strategies. Matt has been involved with secure application development since 2007, designing and developing numerous projects, most recently, OLS’ Secure Gateway product suite. On-Line Strategies was recently chosen as a recipient of Veracode's Secure Development Award, the winners were selected based on the security quality of their applications submitted to the Veracode Platform.
At On-Line Strategies [OLS], many of the tools we use in our Software Development Lifecycle (SDLC) have helpful APIs, including Veracode. We leverage them to automate tasks that were once performed manually by developers or technical managers, such as running a Veracode static scan on a pending release. Today, our Veracode static scans run alongside automated regression tests for every public release, to ensure we catch security flaws that may have slipped by our developers.
Computers excel at performing easy, repetitive tasks quickly and efficiently. People do not. We would much rather spend time using our skills and talent to create value. Automation frees us to do that. A couple of hours spent automating a repetitive process can mean countless cumulative hours saved in the future. Consider it an investment with guaranteed, exponential returns.
To automate static scans, we added a build configuration in our Continuous Integration (CI) server that uses the command line to call a custom Python script. Our script uploads a build using the Veracode API, and subsequently launches a static scan. You may download the script on Github. Note: At OLS we use TeamCity as our CI server, but concepts similar to a "build configuration" exist in other CI servers, as well. If you're not using a CI server, the Python script will work equally well from anywhere your project is being built (as long as Python is installed).
To further automate manual processes, we envisioned opening tickets in our issue tracking system with the static scan reports attached. We used a second build configuration and script to accomplish this. Using the Veracode API, the script pulls the detail and summary PDF reports from the latest static scan and attaches them to a new YouTrack ticket opened using the YouTrack API. Then the ticket is reviewed by a project manager and assigned to a developer. You can download this second script here, which may be modified to work with your own issue tracking system. Other popular issue tracking systems have APIs that allow similar functions.
By automating these two simple processes, we've given our staff needed time to devote to other, more complex tasks. We also continue to look for opportunities for further automation, such as in build deployment and distribution, and internal notifications. Integrating Veracode scans into our automated build process has contributed to a safer and faster development lifecycle. How can you use automation in your development process?