Speed and security are the name of the game in software development today. Why? Because software is now key to innovation and competitive advantage for every enterprise in every industry. This means that not only is the pace of software development rapidly increasing, but also that attacks against the application layer are proliferating. In turn, software development speed and security are now inexorably linked – it’s unacceptable to have secure software that doesn’t ship on time, or to ship insecure software. Application security solutions need to adapt to this reality, and a critical part of that adaptation is the ability to integrate with developer tools and processes. Ultimately, security-conducted testing that takes place after development cycles will meet the need for security, but not the need for speed.
Development owns the testing
To keep pace, application security testing today needs to “shift left,” and be owned and conducted by developers. But if developers are conducting the testing, it has to be integrated into their systems and processes. Developers are focused on their deadlines, and will be slowed by – or even find workarounds for – application security testing that requires tacking additional steps onto the development process or forcing teams to interrupt their workflows to switch tools. For this reason, it is highly desirable to find security solutions that embed into devops processes.
Veracode satisfies the need for both speed and security by integrating with:
IDEs
This integration speeds the secure development process because developers are finding and fixing security issues in code as they’re writing it, without switching gears or tools. Veracode Static Analysis IDE Scan allows developers to test individual classes as they work on them in their IDE, getting results back in seconds and highlighting areas where they’ve successfully applied secure coding principles. Then, before checking in their code, developers can start a full application scan, review security findings and triage the results, all from within their IDE. When developers work this way, they learn to code securely – meaning they’ll introduce less vulnerabilities going forward, making the process even faster and more streamlined as time goes on.
Ticketing systems
This integration enables Veracode’s security findings to automatically appear as tickets in the developer’s “to-do list.” Based on scan results, the Veracode integration will open, update and close tickets related to security flaws automatically in developers’ bug tracking systems. In this way, Veracode scan results are embedded into the way developers currently organize and prioritize their work. When security flaws automatically pop up in their system as tickets, and then automatically close once they’re fixed, developers save time and hassle because they don’t have to go back and forth between Veracode and their ticketing system.
Build systems
With this integration, application security scanning is an automated step in the build or release process. Security testing simply becomes another automated test the build server performs, along with functionality and quality tests. In this way, security testing is part of the process rather than a blocker to the process.
For more details
Find out more about how Veracode integrates with developers’ existing tools and processes in our new guide, Veracode Integrations Streamline Application Security for Both Security and Development Teams.
[nid-embed:27891]