In my last blog post I discussed developing a comprehensive security testing approach using multiple assessment techniques including binary static analysis, dynamic analysis, and manual penetration testing. Let’s take this approach to the next level by talking about automation and how to continue maximizing developers’ existing workflows and tools.

Blending in with developers' toolchains means leveraging the tools they already use, such as Jenkins and JIRA, and automating the security assessment and the download of results between those tools behind the scenes. This happens at multiple levels. The first is automation inside the IDE: build, upload, scan and download results at the push of a button, with the results shown against the code inside the editor for easy remediation. Next is automation at the team or release-candidate stage, when the build server uses the Veracode API to upload build artifacts for security scans. Finally, automation in the bug tracking system uses APIs to download results and manage the overall vulnerability lifecycle, so tickets for vulnerabilities are triaged through the same process used for all other bugs. When security assessments are blended in this way, developers do not have to switch context and they work more efficiently.

In a recent webinar I demonstrated an example of how we begin to introduce automation around bug tracking. For instance, by incorporating the JIRA plug-in to link to the Veracode platform, you can add and configure JIRA custom fields as well as configure the Flaw Import Scheduler to manage the automatic import of vulnerabilities from the platform back into JIRA. This integration example shows how you can efficiently integrate with the Veracode service regardless of how you have customized your workflows and tools, resulting in huge time savings.
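The flaw-import step described above has one piece of logic worth seeing in code: reconciling each new scan against the tickets already in the tracker so that an unchanged flaw does not spawn a duplicate ticket and a fixed flaw gets its ticket resolved. The following is an added illustration, not code from this post or from the Veracode JIRA plug-in; the scan records, field names, severity threshold and ticket keys are all constructed for the example.

```python
import hashlib
import json

# Constructed sample scan output (not real Veracode data): one record per flaw.
SCAN_RESULTS = json.loads("""[
  {"cwe": 89,  "file": "src/db/UserDao.java",    "procedure": "findByName", "line": 42,  "severity": 5},
  {"cwe": 79,  "file": "src/web/Profile.java",   "procedure": "render",     "line": 118, "severity": 4},
  {"cwe": 327, "file": "src/crypto/Hasher.java", "procedure": "digest",     "line": 20,  "severity": 3},
  {"cwe": 200, "file": "src/web/Debug.java",     "procedure": "dump",       "line": 7,   "severity": 2}
]""")


def fingerprint(flaw):
    """Stable identity of a flaw: CWE + file + procedure. The line number is
    deliberately excluded so that edits elsewhere in the file do not make the
    same flaw look new on the next scan and spawn a duplicate ticket."""
    ident = f"{flaw['cwe']}|{flaw['file']}|{flaw['procedure']}"
    return hashlib.sha256(ident.encode()).hexdigest()[:16]


# Constructed: tickets the tracker already holds, keyed by flaw fingerprint.
# SEC-87 refers to a flaw that no longer appears in SCAN_RESULTS (it was fixed).
EXISTING_TICKETS = {
    fingerprint({"cwe": 89, "file": "src/db/UserDao.java", "procedure": "findByName"}):
        {"key": "SEC-101", "status": "Open"},
    fingerprint({"cwe": 22, "file": "src/io/Download.java", "procedure": "serve"}):
        {"key": "SEC-87", "status": "Open"},
}


def sync_findings(flaws, tickets, min_severity=3):
    """Reconcile one scan against the tracker. Returns the flaws that need a new
    ticket, the ticket keys still backed by an open flaw, and the ticket keys
    whose flaw has disappeared and can be resolved. Flaws below min_severity
    are left out, mirroring an import threshold a team would configure."""
    seen = {}
    for flaw in flaws:
        if flaw["severity"] >= min_severity:
            seen.setdefault(fingerprint(flaw), flaw)  # same flaw at several lines -> one ticket
    create = [flaw for fp, flaw in seen.items() if fp not in tickets]
    keep = [t["key"] for fp, t in tickets.items() if fp in seen]
    resolve = [t["key"] for fp, t in tickets.items()
               if fp not in seen and t["status"] != "Resolved"]
    return {"create": create, "keep": keep, "resolve": resolve}


if __name__ == "__main__":
    print(json.dumps(sync_findings(SCAN_RESULTS, EXISTING_TICKETS), indent=2))
```

Run against the constructed data, the sync files tickets for the XSS and weak-hash flaws, keeps SEC-101 open, and resolves SEC-87; the severity-2 information leak stays below the import threshold.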

Ultimately, automation is key to streamlining the end-to-end development process, because manual testing alone cannot keep up with agile development velocity, nor does it scale. Stay tuned for my next post, in which we tackle the concept of the security assessment sandbox. In the meantime, I'd love to hear any thoughts you can share on automating developers' toolchains.

About Pete Chestna

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode's 1,000+ customers. Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode's service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode's SaaS platform and built the first DevOps team. Pete also spearheaded Veracode's initiative to automate the use of Veracode products into the company's development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs. Pete has more than 25 years' experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.
