This next post picks up where we left off in our previous discussion around automation within developers’ toolchains. Once developers have a methodology to perform security assessments and fix identified vulnerabilities within an integrated environment, the next question is how to assess new code against specific security and compliance policies.
The sandbox is the way for individual developers or development teams to assess new code against the required security policy — without affecting compliance reporting for the version of the application currently in production. One way to think about an assessment sandbox is to consider it as a branch inside the application. Developers can scan the branch and understand whether it would pass the current policy as defined. Each team can also have a sandbox for merging multiple branches to assess the integration. Then you would want to merge branches from multiple teams into the release candidate and reassess. That is a lot of assessing within a short period of time, but automation simplifies assessments for the teams and the sandbox simplifies reporting for compliance and auditing purposes.
In my next post, we will discuss the best ways to avoid replicating security vulnerabilities. In the meantime, please share any thoughts you have with regard to the sandbox approach to development.