This post picks up where the previous one left off, in our discussion of automation within developers' toolchains. Once developers have a methodology for performing security assessments and fixing identified vulnerabilities inside their integrated environment, the next question is how to assess new code against specific security and compliance policies.

The sandbox is the way for individual developers or development teams to assess new code against the required security policy without affecting compliance reporting for the version of the application currently in production. One way to think about an assessment sandbox is as a branch inside the application: developers scan the branch and learn whether it would pass the current policy as defined, while the application's official compliance record continues to reflect only the production version. Each team can also have a sandbox for merging multiple branches to assess the integration. Finally, branches from multiple teams are merged into the release candidate and reassessed. That is a lot of assessing within a short period of time, but automation makes the assessments cheap for the teams, and keeping sandbox results separate from the application's record keeps compliance and audit reporting simple.
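To make the workflow above concrete, here is an added example (not Veracode's API and not code from the original post) of a policy gate as one might run it against a sandbox scan in CI. It assumes a hypothetical `Finding` record (CWE, severity, location), a `Policy` with a severity ceiling and a list of blocked CWEs, and a production baseline scan to diff against: the branch fails only on policy violations it introduces, pre-existing violations are reported separately so the team sees them without being blocked by them, and sandbox verdicts are logged for the team rather than written to the production compliance record. All findings are constructed sample data.

```python
"""Hypothetical sandbox policy gate (illustration only; not Veracode's API)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    cwe: int        # CWE identifier of the weakness class
    severity: int   # 1 (informational) .. 5 (very high)
    location: str   # file:line; used to recognise the same flaw across scans


@dataclass(frozen=True)
class Policy:
    max_open_severity: int          # findings above this severity fail the gate
    blocked_cwes: FrozenSet[int]    # these CWEs fail the gate at any severity
    grandfather_existing: bool = True  # flaws already in the baseline do not block a branch


@dataclass
class Verdict:
    passed: bool
    blocking: List[Finding]    # violations introduced by the branch
    inherited: List[Finding]   # violations that already exist in the baseline


def violates(f: Finding, policy: Policy) -> bool:
    """A single finding breaks policy if it is too severe or a blocked CWE."""
    return f.severity > policy.max_open_severity or f.cwe in policy.blocked_cwes


def assess(branch: Iterable[Finding], baseline: Iterable[Finding], policy: Policy) -> Verdict:
    """Compare a branch (sandbox) scan with the production baseline scan.

    Only violations that are new relative to the baseline block the branch when
    grandfathering is enabled; everything else is reported as inherited.
    """
    base = set(baseline)
    blocking: List[Finding] = []
    inherited: List[Finding] = []
    for f in branch:
        if not violates(f, policy):
            continue
        if policy.grandfather_existing and f in base:
            inherited.append(f)
        else:
            blocking.append(f)
    return Verdict(passed=not blocking, blocking=blocking, inherited=inherited)


class ComplianceRecord:
    """Audit-facing record. Only production (application-level) scans land here."""

    def __init__(self) -> None:
        self.production: List[Tuple[str, bool]] = []   # (version, passed)
        self.sandbox_log: Dict[str, List[bool]] = {}    # team-facing only

    def record_production(self, version: str, verdict: Verdict) -> None:
        self.production.append((version, verdict.passed))

    def record_sandbox(self, sandbox: str, verdict: Verdict) -> None:
        # Sandbox outcomes are kept for the team but never change the compliance view.
        self.sandbox_log.setdefault(sandbox, []).append(verdict.passed)


# Constructed sample data: a policy, the production baseline, and a feature branch.
POLICY = Policy(max_open_severity=3, blocked_cwes=frozenset({89, 78}))  # SQLi, OS command injection
BASELINE = [
    Finding(cwe=79, severity=3, location="views.py:40"),   # existing XSS, medium: tolerated
    Finding(cwe=22, severity=4, location="files.py:12"),   # existing path traversal, high: inherited
]
BRANCH = BASELINE + [
    Finding(cwe=89, severity=5, location="db.py:77"),      # new SQL injection: blocks the branch
    Finding(cwe=200, severity=2, location="api.py:5"),     # new low-severity info exposure: tolerated
]


def run_gate() -> Tuple[Verdict, ComplianceRecord]:
    """Scan the sandbox, log it for the team, and show the compliance record untouched."""
    record = ComplianceRecord()
    record.record_production("v1.4.0", assess(BASELINE, BASELINE, POLICY))
    verdict = assess(BRANCH, BASELINE, POLICY)
    record.record_sandbox("team-a/feature-x", verdict)
    return verdict, record


if __name__ == "__main__":
    v, rec = run_gate()
    print("branch passes policy:", v.passed)
    print("blocking:", [(f.cwe, f.location) for f in v.blocking])
    print("inherited:", [(f.cwe, f.location) for f in v.inherited])
    print("compliance record:", rec.production, "sandboxes:", rec.sandbox_log)
```

The `grandfather_existing` switch is the design decision to think about: with it on, the sandbox answers "does this branch make things worse than production?", which is what developers can act on; with it off, the sandbox answers "would this branch pass the policy outright?", which is the question you want answered on the release candidate before it replaces the production baseline.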

In my next post, we will discuss the best ways to avoid replicating security vulnerabilities. In the meantime, please share any thoughts you have on the sandbox approach to development.

About Pete Chestna

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode's 1,000+ customers. Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode's service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode's SaaS platform and built the first DevOps team. Pete also spearheaded Veracode's initiative to automate the use of Veracode products into the company's development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs. Pete has more than 25 years' experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.

Comments (2)

Chandu | March 9, 2016 8:01 am

Hello Sir, we know that by using the Veracode Java API we can extract data from Veracode via client-supplied XML exports. Now my requirement is that I want to have two instances of Veracode, something like a prod Veracode and a test Veracode. Is it possible? That way I can use the test Veracode login for extracting data and do a POC as well. This is just for testing purposes. Please let me know if you need any additional info. Thank you in advance.

Lois Garcia | August 3, 2016 8:40 pm

I was a big proponent of the sandboxes, and have begun to see adoption among the scrum teams. Now, I'm wondering how to promote a sandbox scan to be considered towards compliance. I haven't been able to find this in the Veracode doc, and it was one of my selling points to our developers.
