As software increasingly plays a critical role in how organizations conduct business, we are seeing two trends emerge:
1. Organizations want more software produced faster.
2. Cyberattackers are finding software a more attractive target.
For developers, both trends mean that their jobs are changing. The need to get software out the door faster has led to a shift to DevSecOps, where software is produced quickly and incrementally, and where security and operational concerns are addressed early and often. The days of security being ignored, or of security and development being two siloed and distinct entities, are over. Creating secure code at DevOps speed means security needs to be baked into the code as it’s being written, which also means developers are now on the front lines of creating secure code. Security has become part of their job, even as the pressure to move faster has increased.
What do developers need to succeed in this new environment? They need security tools that automate and integrate. And the IDE and tool chain integrations shipped with the Veracode Application Security Platform give developers automated security testing, within the tools they already use. In addition, our flexible APIs allow you to create your own custom integrations or use community integrations, built by the open source community and other technology partners. How does this make developers’ jobs easier? Here are the top three ways:
1. Find and fix security-related defects – quickly and easily, without switching tools
Veracode’s IDE integration lets developers assess code for security and fix flaws — as they’re writing it. Veracode Static Analysis IDE Scan allows developers to test individual classes as they work on them in their IDE, getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. Then, before checking in their code, developers can start a full application scan, review security findings and triage the results, all from within their IDE – no need to waste time switching tools. In addition, they can easily see which findings violate their security policy and view the data path and call stack information to understand how their code may be vulnerable to attack.
2. Don’t waste time managing tickets
By integrating with ticketing systems, Veracode enables security findings to automatically appear as tickets in the developer’s “to-do list.” Based on scan results, the Veracode integration will open, update and close tickets related to security flaws automatically in developers’ bug tracking systems. This saves developers time and hassle because they don’t have to go back and forth between Veracode and their ticketing system.
Development teams can import security findings on a schedule or on-demand; associate tickets with distinct projects or import all findings into the same place; map Veracode data fields into ticket fields; automatically label tickets; assign tickets to be fixed in certain releases; and more.
3. Test automatically
With Veracode’s build system integrations, application security scanning becomes an automated step in the build or release process. Security testing is then simply another automated test the build server performs, along with functionality and quality tests. If a security-related defect with a certain severity rating or a prohibited open source component is found during the build, the integration can “break the build” and stop it automatically, before code is released with these security issues. Veracode’s build system integrations support security testing both in stand-alone builds and as part of more complex pipelines. Depending on its needs, a development team can configure security testing with each build, within a release pipeline, or as part of a special security pipeline.
For more information
Learn more about how Veracode’s integrations work in our new guide, Veracode Integrations: Streamline Application Security for Both Security and Development Teams.