The industry-wide shift to DevOps practices has changed more than just developer processes. It has also had a major impact on security, including application security testing techniques. Static analysis, for instance, has had to evolve along with development processes. Unlike early versions of static analysis solutions that only assessed completed code at the end of the development cycle, today’s static analysis solutions check and secure code from development to production, as the code moves from the individual developer, to the development team, to the security team and enterprise policy level.
For instance, CA Veracode’s application security solution now features CA Veracode Greenlight for developer in-line static scanning, a Developer Sandbox to check code against policy beyond the eyes of the security team and CA Veracode Static Analysis for the final policy check on the full application. CA Veracode Greenlight allows developers to test the code that they’re working on in their IDE (integrated development environment), getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. Then the Developer Sandbox functionality enables engineers to test and fix code between releases without triggering a failed policy compliance report to the security team. Finally, CA Veracode Static Analysis lets users upload a complete packaged application to the Veracode Application Security Platform to kick off a scan for combined static analysis and software composition analysis, resulting in a single pass/fail result.
With the rapid pace of development today, security has to shift left; it can’t be a roadblock late in the development process, but rather has to be an enabler throughout the process, making it quick and painless to make code more secure as you go. Although it’s a common assertion that “developers don’t care about security,” we’ve found that most developers want to create great, secure code, and modern static analysis innovations allow them to do just that. For instance, CA Veracode Greenlight scans code snippets in seconds within the IDE, giving developers fast security feedback on small batch sizes, and insight into problems before they progress downstream. In fact, CA Veracode Greenlight Java scans take an average of 3 seconds.
Once development teams start iterating on a newer version of the application and scanning as part of the development lifecycle, it may be marked as having failed policy in security and executive dashboards well before the application is launched or the developer has a chance to make changes.
Developer Sandbox, a patented technology of Veracode’s proprietary static analysis solution, was created to solve this problem. Developer Sandbox is a way for individual developers or development teams to assess new code against the required security policy – without affecting compliance reporting for the version of the application currently in production.
For instance, you can scan applications or components as part of coding on a development branch in a Developer Sandbox. Code committed by developers and development teams is integrated on the master branch as part of CI/CD pipeline. Once the application is built, and unit/integration tests are run, a Developer Sandbox scan is automatically initiated and test environments built and deployed. Then, the Veracode assurance scan can be automated to run off the release branch based on the deployment schedule.
Development teams that make use of the Developer Sandbox can scan applications more frequently and sooner in the lifecycle than teams that only perform an assurance scan. The result is development teams embracing application security and fixing more issues, reducing risk to the organization. We have data to support this claim: Our latest State of Software Security report, which analyzed the code we scanned this past year, found that DevOps organizations that tested frequently with sandbox scanning had a 48 percent better fix rate than those doing policy-only scanning.
Regardless of how you integrate static testing into the pipeline, full application testing is still necessary; security issues may be introduced into the code that can only be found via a full program analysis. You can conduct full application tests outside the scope of the pipeline, or only on builds that make it to a certain stage of release candidate qualification.
With CA Veracode Static Analysis, you upload a single packaged application to the Veracode Application Security Platform to kick off a scan for combined static analysis and software composition analysis, resulting in a single pass/fail result. And you’ll get this result quickly: 25 percent of CA Veracode Static Analysis scans complete in less than 5 minutes; 74 percent are complete in less than one hour.
Static analysis has been around a long time, but it still has a vital role to play in software security. Before you brush aside static analysis as “old school,” keep in mind that new static analysis solutions that have adapted to modern software development processes are critical to keeping code secure in a DevOps world.