AppScan Source – Continuous Integration Model Improves Efficiencies and Adoption
Bryan Casey | Tags: ibm appscan application security
Today's post is from Tom Mulvehill, Security Product Manager.
One of the most informative Innovate 2012 sessions I attended was “Security Scanning within Continuous Integration” presented jointly by USDA and SAIC. The session highlighted the benefits of addressing security vulnerabilities early in the Software Development Lifecycle (SDLC) – a pretty well understood development best practice. USDA took it a step further by integrating Static Application Security Testing (SAST) into the SDLC utilizing a Continuous Integration (CI) model. Their commitment to CI generated measurable results, greater scanning coverage, and wider adoption by their development community.
Early on, USDA recognized that security knowledge and expertise in development had a direct bearing on how much vulnerability information a team could remediate. They knew that the development teams must be presented with an actionable set of security findings. To address this challenge, the security team used the AppScan Source filter feature to first focus only on high severity vulnerabilities limited to: SQL Injection, Cross-site Scripting, and Authentication risk. This approach produced a finite set of results that developers could act on. Their key message was “focus on what your team can fix”.
Once the security analysis was refined, they introduced it to the development teams through a CI process. They made application security analysis part of the build process. USDA took advantage of the AppScan Source support of Maven to streamline the CI integration. Admittedly, this required some experimentation in terms of the frequency of security analysis tied to a build. Ultimately, their CI framework enabled them to continuously scan 135 projects once a week; some are scanned more than once a week. In total, over 1.8 million lines of code are scanned. The actionable results are provided to hundreds of developers in an automated fashion.
One of the ancillary benefits of the CI investment is the data provided to management. AppScan Source generates important security metrics that have been integrated into a Code Quality dashboard. In fact, the existing dashboard has been extended to include security reporting. Ultimately, USDA was able to integrate SAST into their existing CI environment, enabling them to report on security risk across a portfolio of applications. The entire process is automated and extensible.
USDA also highlighted some areas of product improvement based on their experiences. Their feedback is being reviewed by the development teams this week for future releases. USDA concluded their session with the following key points on the benefits of integrating AppScan Source into their CI environment:
• Reduced the cost of performing scans
• Reduced the cost to fix vulnerabilities
• Increased visibility to Management
Deploying SAST using a Continuous Integration model is beneficial to both security-savvy organizations and those just starting to focus on application security. It’s a practical model that benefits security teams, developers, and management.