Before selecting Veracode, Advantasure, a leader in the healthcare technology industry, was on the hunt for an AppSec program that would not only protect them against cyberattacks, but also prove compliance with laws and regulations in several states. After integrating Veracode’s solutions and methodologies into their software development process, Advantasure reduced its time to remediation for high-severity flaws, sped up deployment, alleviated training burdens with Veracode eLearning, and enabled compliance with state and federal regulations.
To dig into some of these successes, we recently sat down with members of the Advantasure development team to discuss how our AppSec solutions and methodologies have helped them improve their development processes, reduce risk, and foster a more collaborative environment. Those team members included Sue McTaggart, Senior Application Security Architect; Bindiya Pradhan, DevOps/Release Engineer II; Vladimir Shuklin, Senior Software Engineer; Yuri Shcherbakov, Senior Software Developer/Software Engineer III; and Clay Corrello, Lead Software Engineer. Read on to read about the current state of AppSec from developers who face it every day.
What does your role look like at Advantasure?
Sue: I’m a Senior Application Security Architect at Advantasure and the product owner of Veracode. We use Static Analysis (including IDE Scan), Dynamic Analysis, Software Composition Analysis, and eLearning as well in our day-to-day work. When it comes to the several hundred developers I work with, it’s important for me to empower them through training while coaching them to be successful. I’m passionate every day about making sure my program is successful while empowering the “doer.”
Bindiya: I’m a DevOps/Release Engineer II working as a Lead Configuration Engineer and Admin for the Veracode platform at Advantasure. I’ve been with this company for 12 years now, and I have been in software development and engineering for 20 years. I’ve had all sorts of experience in this company from design to development, and I worked on the initial development of all the software. I was first involved with Client Implementation before I moved to Client Operations, then I shifted to a DevOps team for all of our automations and CI/CD pipeline implementation.
I’m currently leading the Veracode configuration where I’m integrating Veracode with our CI/CD pipeline from development to integration of the scans. I can see how important security is. It used to be that developers thought security wasn’t their problem and the security team would say the developers are coding so it should fall on them, but now with this shift to DevSecOps I can see both sides, so it’s a great opportunity for me.
“It used to be that developers thought security wasn’t their problem and the security team would say the developers are coding so it should fall on them, but now with this shift to DevSecOps I can see both sides, so it’s a great opportunity for me.”
Clay: I’ve been with Advantasure for a year, and the current role I have is Lead Software Engineer. I’ve been in the field for about 27 years. As a developer and as an architect, I spent a lot of time designing cloud-based microservices the past several years. Security is a big part of that, especially in the healthcare field given the sensitive nature. As a developer, we feel a lot of pressure to get things done, especially with the SAFe Agile model, and I’ve had experiences where security runs the risk of being overlooked – which it shouldn’t be. So, I try to bring the focus on security to the work I do for Enrollment, and previously Billing, here at Advantasure.
Yuriy: I’ve been with Advantasure for about two years as a Senior Software Developer/Software Engineer III on one of the teams focused on the portal and our API project and began using Veracode about a year ago.
Vladimir: I’m a Senior Software Engineer at Advantasure. I have almost reached one year here, and two years in software development on a product that was purchased by Advantasure; we worked on medical software and Advantasure bought our company. When we joined the Advantasure team, security was a big part of the acquisition. Now we use Veracode for these certification and security needs.
What are some AppSec trends you’ve noticed in recent years?
Clay: The Internet of Things (IoT) is still the biggest vulnerability out there. We get a lot of devices that simply aren’t secure, and we’re more and more connected with our devices – I’ve lost track of how many in my house are connected. I know the security is lax on some of these things. I think we have to look at security holistically. I have developer friends who put up personal firewalls and they have a Raspberry Pi to filter out the world. You can take it to that degree, but the big thing is to have awareness of just how much is connected out there and what the security risks are.
Yuriy: In addition to Clay’s comments, you need to consider high-speed internet. Now, stealing a few gigabytes of data in a matter of seconds is possible.
Vladimir: Also, the speed of development and the frequency of releases is increasing, and because of this, security issues can happen more often.
What are some of the ways Veracode solutions have benefited you?
Clay: The challenge is, how do we use these tools in the most effective way? I think the biggest thing we’ve taken away from the Veracode toolset is both the Dynamic and Static scans expose issues we wouldn’t normally find, so we have a solid codebase. Through those scan efforts we’ve found that a lot of the third party libraries we assumed to be safe and relied on for years are just not secure, especially when you get into dangerous issues like cross-site scripting. It’s all about trust at the end of the day, given the sensitive data in our system.
“That’s part of the issue: people are focused on code and not so much the third-party libraries that do a lot of the work.”
Yuriy: The Veracode product was useful right away not only to monitor security flaws, but also it triggered some refactoring in legacy products. The scan results bring a lot of issues forward that we could leverage to make our code not only more secure but also more modern and more stable for support.
In the beginning it was a one-time effort to bring the product to a safe, secure spot and address any immediate vulnerabilities. Now, we can constantly address issues because Veracode becomes more and more sophisticated as it looks deeper at the code. We’ve found issues that were there before and nobody noticed them, so we have to deal with this on a regular basis – it isn’t just one time.
How important is it for developers to embrace the shift to digital, including the shift to the cloud?
Sue: Our C-level management is very clear that we’re not going to be on-prem anymore. So, as part of operations and DevSecOps, I already have the backup from C-level that this the direction we’re going. If it’s challenging, we’ll find the right training and resources to provide them. It’s a top-down mindset that they can expect challenges, but at the same time we are ready to embrace those challenges. Our developers can see the value of cloud computing in terms of agility, scalability efficiency, and cost effectiveness. Our organization is very transparent. Everybody knows it’s happening, and we are open about why this is important.
Yuriy: We have no choice, because we’re dealing with so much data, and some of the technology we’re using is not scalable. So, the only way we can do it is to go to the cloud and develop products that are scalable. As we continue to develop our products in a scalable way, we’ll continue with our ability to better manage and protect data.
Vladimir: I believe developers should constantly learn new technologies, because these new technologies allow us to provide the best solutions to our own customers. That includes cloud solutions that allow us to deliver the developed product much more efficiently, quicker, and more securely.
Do you think it’s a challenge to switch to cloud or integrated solutions?
Vladimir: It all depends on whether the developer is ready to learn new technologies. Cloud products are a huge amount of new information and bring new solutions, which are not always easy for developers to understand. But we have seen that cloud products save time and resources when maintaining the infrastructure because they provide infrastructure as a service. These savings allow you to devote more time directly to development and improve the product itself.
Sue: We are on a multi-year journey in migrating all applications to the cloud. That in itself is a challenge. We are still in the learning and discovery stages to figure out how we can streamline the CI/CD for Dynamic scans in the cloud. Once we have that set up, everything will be seamless and integrated.
What is your opinion on the role developers should take in security, especially when it comes to training?
Bindiya: Nowadays, developers have to support security. We have trainings in place, and we have requirements so that every time they check the code the Static scan runs, and until they check all the flaws we are not going to proceed. At first, there was some pushback from developers because it was holding them back trying to decide what was important, and they didn’t want to go through it all. Now, as the flaws minimize and they see the outcome - including how it is impacting their coding standard - it’s a very good thing. We have work to do, but there’s so much progress from last year to this year that we can see the positives.
Clay: It’s absolutely critical. I started doing this professionally way back in the 1990s when security wasn’t even emphasized in a particular college curriculum, and it was kind of an afterthought because risk was lower, and exploits were easier to remediate. That’s not the case now. There’s still carryover from that time where a lot of developers came in focused on code and logic and all the rest of it, and they think of security as a side aspect or something to clean up at the end, like documentation. But that’s shifting. In order to be effective, you have to address problems right at the inception phase.
“There’s still carryover from that time where a lot of developers came in focused on code and logic and all the rest of it, and they think of security as a side aspect or something to clean up at the end, like documentation. But that’s shifting. In order to be effective you have to address problems right at the inception phase.”
I think it starts with architecture. These things have to be designed with security in mind at the beginning, and then a developer is accountable for implementing that particular plan. I don’t think it’s fair to hold developers responsible for the entire security plan; it needs to be more holistic than that. When we look at the cloud migrations, we just have to build it in, and we also have to have that automated testing and an automated deployment cycle that requires a security check. At the end of the day it allows your customers to feel more confident that their data is safe, and the system isn’t going to be compromised.
Yuriy: The Veracode training for our developers is extremely useful in this case. Not a lot of developers have security in their minds while they’re writing code. If you enforce security checks before merging the code, it’s because developers don’t yet know enough. If they do, they will enforce security at the very beginning and have that additional gate so that everything will work smoothly.
Vladimir: All team members should pay attention to the security of the code they write, but at least one person per team should see the bigger picture throughout the product lifecycle and be responsible for security overall. Personally, security training helps me learn new security attacks and stay up to speed.
Was it a struggle to work with security before, and how do you do so today?
Bindiya: Earlier, there was no connection. There was a misconception that security was out there checking hackers and monitoring everything, so it was two different silos. Now, with new DevSecOps initiatives, we are like one team. We cannot work separately. The security team knows how development should happen and developers know how to handle security. As Clay said before, everything should come from the architect in terms of security so that everyone knows what to do. If our code is not secure enough, it’s not of use, so our development and security teams are like one. Veracode became a bridge between development and security.
Yuriy: We have a lot of support from upper management now because they see the financial and image consequences of data loss, and they know it’s important. Certification and third party tools with Veracode definitely helps.
What do you find most beneficial about developer training tools?
Bindiya: The hands-on learning is always better. When they see that what they’re doing impacts their code rather than having to read a whole page of documentation, it definitely works better. In some of the Veracode training, the examples they gave with comments were very impactful. It’s always interesting when you can relate your training to your actual work. Until you break your head for a few hours and try to find that solution, you won’t know.
“Having a two-hour lecture isn’t going to work; you’ll gain some knowledge and that’s good, but I think to really drive it home, that hands-on lab work where you can touch and feel the content has the most impact of all. Not all people are like that, but developers tend to be.”
Clay: Things like labs that are hands-on are good for people like me. I love doing this, and I do it in my spare time because it’s an enjoyable activity. An aspect of being a developer is that you face a problem and you resolve it. Over and over. That’s your job, that’s what you have to do all day long for the entirety of your career, basically. You find one problem, solve it, and move on. Having a two-hour lecture isn’t going to work; you’ll gain some knowledge and that’s good, but I think to really drive it home, that hands-on lab work where you can touch and feel the content has the most impact of all. Not all people are like that, but developers tend to be.
What are the benefits you’ve seen from your Security Champions program at Advantasure?
Sue: When I started the program, we didn’t have any formal programs implemented for AppSec. We had siloed efforts that nobody really paid attention to. I’m finding now how much we can leverage the Veracode Community to empower this team. We had issues with communication and sometimes I got a lot of pushback, but I didn’t give up. I know the value in bringing together security and development and empowering developers. There isn’t one way for me to appreciate them, because Security is so important in this day.
Security Champions are a subset of how we reward our developers. We use the Security Champions as part of our relationship between DevSecOps communities and other functional teams. More importantly, we appreciate the value of our developers’ expertise in developing secure applications. I want to work collaboratively, and I don’t want our developers to feel like they don’t want to deal with security, but instead, I want them to think of security as helpful and the same as them. I want our developers to be successful with a security mindset.
With Veracode SAST, DAST and ASC integrated into CI/CD pipeline, developers see that security is not an obstacle for them to do work but instead improvement to develop secure code. I implemented the culture that security is everyone’s responsibility, and I’m always thinking about how I can help with issues or roadblocks. If I give information to a Security Champion, they then relay that to other team members and work in harmony to implement security procedures. I don’t even need to ask if they’re scanning.
Author’s note: The Advantasure team celebrates their Security Champions with (virtual) ceremonies to spotlight their certifications and further empower their developers with the tools and continuous learning they need to keep up with the latest security trends.
Clay: I think there are two levels that I came with. One is the general understanding of what security is, because again it’s not something covered in standard curriculum. As new developers come in, I think they understand the basics, but there has to be more in-depth understanding in a generic way to comprehend general risks. As developers join the team, there’s a part of that Security Champions training that’s very specific to particular products.
If people do front-end work for example, and they’re using something like React or Angular, some security aspects are built in and some are not. So, they really do have to have an understanding of how these tools will help with remediation. I’m glad that the company is requiring a lot of that hands-on training. It’s new but I think it helps the quality of the product at the end of the day.
What advice would you give to developers just starting their careers?
Bindiya: They should know the value of why we need security. Until they know why security in software is important and how we can save code, you won’t be able to sufficiently secure your code.
Clay: One of the more interesting things I did early on is I started playing around with Linux in the 90s when it was just coming in. In the early 2000’s there were a number of packages that were designed for hacking, and so I started playing around with white hat hacking. I’m not good at it – but it is enormously fun trying to break things and it’s amazing how easy it is. I would encourage anyone who is serious about a software engineering career to play around and break this stuff.
I often encourage developers at Advantasure to try and break the code. Because once they break it, they can make it better. Go through the process a cyber-attacker would. If you wanted this data, what would you do? That’s exactly what they do at a lot of the best security schools out there. They encourage hackathons and learning around the mindset and techniques on issues like password cracking, for example.
Yuriy: The best way to learn is to put yourself into the shoes of the people who are trying to break in. The meaning of “hacking” hasn’t changed; originally it meant to use something not the way it was designed for. This is how most hackers still work today, they look at something, take it, and use it differently.
A special thank-you to the Advantasure team for talking AppSec with us! Interested in reading more about Advantasure and how they use Veracode solutions? Read their success story here, and learn how your organization can become Veracode Verified.