Regardless of where your development team is in the DevOps journey, you’re likely aware that detecting and fixing quality issues as early in the software development lifecycle (SDLC) as possible increases efficiency and reduces costs.
Today, development teams are running static assessments during the integration and even coding stages, giving developers more time to fix policy-violating flaws. However, once a development team starts iterating on a newer version of the application and scanning as part of the development lifecycle, the application may be marked as having failed policy in security and executive dashboards well before that version is launched or the developer has had a chance to make changes.
Developer Sandbox, a patented capability of Veracode’s proprietary binary analysis offered through our cloud-based platform, was developed to solve this problem. Developer Sandbox is a way for individual developers or development teams to assess new code against the required security policy – without affecting compliance reporting for the version of the application currently in production.
By allowing developers to scan early in the lifecycle, without affecting the policy compliance of the overall application in production or lighting up security and management dashboards, this capability puts developers in the driver’s seat when it comes to creating secure software.
We’ve seen teams adopt Developer Sandbox to meet various needs:
- Development teams automate scanning of a complete application using a Developer Sandbox as part of a CI/CD workflow.
- Developers are able to measure the security posture of a new feature on a Developer Sandbox even before committing code to the master branch.
- Organizations transitioning to DevOps test components in individual Developer Sandboxes to get faster feedback during the coding stage.
Applications or components can be scanned during coding on a development branch in a Developer Sandbox. Code committed by developers and development teams is integrated on the master branch as part of the CI/CD pipeline. Once the application is built and the unit/integration tests have run, a Developer Sandbox scan is automatically initiated while the test environments are built and deployed. Then, the Veracode assurance (policy) scan can be automated to run from the release branch according to the deployment schedule.
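One way to wire the branch-based routing described above into a CI step, as an added example that is not Veracode's own code: feature and development branches are sent to a Developer Sandbox scan, and only the release branch triggers the policy (assurance) scan. It assumes the Veracode Java API wrapper (VeracodeJavaAPI.jar) with its UploadAndScan options, API credentials in VERACODE_API_ID / VERACODE_API_KEY, and placeholder values for the application name, artifact and release branch.

```shell
#!/bin/sh
# Added example, not Veracode's own code: one CI step that sends
# feature/development branches to a Developer Sandbox scan and only the
# release branch to the application's policy (assurance) scan.
# Assumed: the Veracode Java API wrapper (VeracodeJavaAPI.jar) and its
# UploadAndScan options; VERACODE_API_ID / VERACODE_API_KEY set by the CI
# environment; APP_NAME, ARTIFACT and RELEASE_BRANCH are placeholders.

APP_NAME="${APP_NAME:-Example App}"          # assumed application profile name
ARTIFACT="${ARTIFACT:-build/app.war}"        # assumed build artifact to upload
RELEASE_BRANCH="${RELEASE_BRANCH:-release}"
VERACODE_CMD="${VERACODE_CMD:-java -jar VeracodeJavaAPI.jar}"

# sandbox_name BRANCH: derive a sandbox name from the branch; '/' is not
# usable in a name, so "feature/login" becomes "feature-login".
sandbox_name() {
    printf '%s\n' "$1" | tr '/' '-'
}

# scan_mode BRANCH: "policy" on the release branch, "sandbox" anywhere else.
scan_mode() {
    case "$1" in
        "$RELEASE_BRANCH") echo policy ;;
        *)                 echo sandbox ;;
    esac
}

# run_scan BRANCH BUILD_ID: upload the artifact and start the scan.
# A sandbox scan leaves the application's policy status untouched; the
# release branch gets the assurance scan that updates it.
run_scan() {
    branch="$1"; build_id="$2"
    set -- -action UploadAndScan \
           -vid "$VERACODE_API_ID" -vkey "$VERACODE_API_KEY" \
           -appname "$APP_NAME" -createprofile false \
           -filepath "$ARTIFACT" -version "$branch-$build_id"
    if [ "$(scan_mode "$branch")" = sandbox ]; then
        set -- "$@" -sandboxname "$(sandbox_name "$branch")" -createsandbox true
    fi
    # $VERACODE_CMD is intentionally unquoted so "java -jar ..." splits into words.
    $VERACODE_CMD "$@"
}

# Typical CI invocation; CI_BRANCH and CI_BUILD_ID are assumed CI variables.
# run_scan "${CI_BRANCH:-feature/login}" "${CI_BUILD_ID:-1}"
```

Setting VERACODE_CMD=echo prints the assembled wrapper command instead of running it, which is a convenient way to check the routing in a pipeline log before enabling real scans.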
Development teams that make use of the Developer Sandbox can scan applications more frequently and earlier in the lifecycle than teams that only perform an assurance scan. The result is development teams embracing application security and fixing more issues, which reduces risk to the organization.
Veracode Developer Sandbox uses the full Veracode static scanning engine, which has been tuned and improved through the experience of scanning nearly 2 trillion lines of code. This gives developers who may not have deep security skills a powerful aid in creating more secure code, as well as a place to practice and learn to code securely.
We’ve helped more than 1,500 organizations – from small software companies to Fortune 100 enterprises – secure the software that powers innovation and efficiencies. Developer Sandbox gives your developers the tools to find and fix vulnerabilities early, speeding your time to market. Contact us today to learn more.