Jul 29, 2015

Play in the sandbox

By Pete Chestna

This next post picks up where we left off in our previous discussion around automation within developers’ toolchains. Once developers have a methodology to perform security assessments and fix identified vulnerabilities within an integrated environment, the next question is how to assess new code against specific security and compliance policies.

The sandbox is the way for individual developers or development teams to assess new code against the required security policy — without affecting compliance reporting for the version of the application currently in production. One way to think about an assessment sandbox is to consider it as a branch inside the application. Developers can scan the branch and understand whether it would pass the current policy as defined. Each team can also have a sandbox for merging multiple branches to assess the integration. Then you would want to merge branches from multiple teams into the release candidate and reassess. That is a lot of assessing within a short period of time, but automation simplifies assessments for the teams and the sandbox simplifies reporting for compliance and auditing purposes.

In my next post, we will discuss the best ways to avoid replicating security vulnerabilities. In the meantime, please share any thoughts you have about the sandbox approach to development.

As Director of Developer Engagement, Pete provides customers with practical advice on how to successfully roll out developer-centric application security programs. Relying on more than 10 years of direct AppSec experience as both a developer and development leader, Pete provides information on best practices amassed from working with Veracode’s 1,000+ customers.

Pete joined Veracode in 2006 as a platform developer and was instrumental in delivering the first version of Veracode’s service to customers. Later, as Director of Platform Engineering, Pete managed the Agile teams responsible for delivering Veracode’s SaaS platform and built the first DevOps team. Pete also spearheaded Veracode’s initiative to automate the use of Veracode products into the company’s development processes. Using this experience, he has spoken with hundreds of Veracode customers to help them set up similar programs.

Pete has more than 25 years’ experience developing software and has been developing web applications since 1996, including one of the first applications to be delivered through a web interface.