In my last blog post I discussed developing a comprehensive security testing approach using multiple assessment techniques including binary static analysis, dynamic analysis, and manual penetration testing. Let’s take this approach to the next level by talking about automation and how to continue maximizing developers’ existing workflows and tools.
Blending in with developers’ toolchains means leveraging the tools they already use – such as Jenkins and JIRA. This is accomplished by automating the security assessment and the download of results between those tools behind the scenes. This happens at multiple levels. The first is automation inside the IDE to build, upload and scan, and then download results at the push of a button. The results are shown against the code inside the editor for easy remediation. Next there is automation at the team or release-candidate stage, when the build server uses the Veracode API to upload build artifacts for security scans. Automation in the bug tracking system uses APIs to download results and manage the overall vulnerability lifecycle. Tickets for vulnerabilities are then triaged through the same process used for all bugs. When security assessments are blended in this way, developers do not switch context and they work more efficiently.
In a recent webinar I demonstrated an example of how we begin to introduce automation around bug tracking. For instance, by incorporating the JIRA plug-in to link to the Veracode platform, you can add and configure JIRA custom fields as well as configure the Flaw Import Scheduler to manage the automatic import of vulnerabilities from the platform back into JIRA. This integration example shows how to integrate efficiently with the Veracode service regardless of how you have customized your workflows and tools – resulting in huge time savings.
Ultimately, automation is key to streamlining the end-to-end development process, because manual testing alone can neither keep up with agile development velocity nor scale. Stay tuned for my next post as we tackle the concept of the security assessment sandbox. In the meantime, I’d love to hear any thoughts you can share with regard to automating developers’ toolchains.