Beruflich Dokumente
Kultur Dokumente
AGILE TEAMS
2. Find it early.
Fix it early.
Too often, security
assessment is done only
as a pre-deployment
gateway or checkpoint.
When using agile methods,
development teams often
handle pre-deployment
gateways by schedul-
ing a security hardening
sprint after they have a
functionally complete
release candidate. This
means that security
assessments forces a
hybrid waterfall-agile
development process
instead of truly enabling the best practice of agile — complete appropriate combination of techniques — ideally in a single
the work in the sprint. Frequent assessments allow the platform with consistent policies, metrics and reporting —
team to identify and remediate release blockers early in the gives enterprises the broadest view of application security.
cycle — when they are easier and less expensive to fix. This
reduces the overall risk to the team for successful delivery 4. Automate to blend in.
of their payload. Equally important is that the majority Blending in with developers’ toolchains means leveraging
of Veracode service scans finish quickly — within hours the tools that they already use. This is accomplished by
or overnight (in fact, 80% of assessments for Java and automating the security assessment and results download
.NET applications are turned around in less than 4 hours). between those tools behind the scenes. This happens at
That means that security assessments can fit into a one multiple levels. The first is automation inside of the IDE to
to two week sprint that is typical in most development build, upload and scan and then download results at the
organizations. push of a button. The results are shown against the code
inside of the editor for easy remediation. Then there is
automation at the team or release candidate stage, when
3. Use multiple techniques for the build server makes use of the Veracode API to upload
security assessments. build artifacts for security scans. Automation in the bug
Using multiple assessment techniques ensures better tracking system leverages APIs to download results and
coverage and accuracy. Binary static analysis can analyze manage the vulnerability lifecycle. Tickets for vulnerabilities
the application’s data and control paths without executing are then triaged through the same process used for all bugs.
the application. Dynamic analysis (DAST) identifies When security assessments are blended in, developers do
exploitable vulnerabilities, at run time, in web applications not switch context and they work more efficiently.
5. Play in the sandbox. 7. Learn from constant feedback.
The sandbox is the way for individual developers or devel- Direct and frequent interaction between developers and
opment teams to assess new code against the required detailed vulnerability information — delivered through
security policy — without affecting compliance reporting for their development environments — enables self-reflection.
the version of the application currently in production. One In other words when people go through this process over
way to think about an assessment sandbox is to consider and over again they will start to see their own habits and
it as a branch inside the application. Developers can scan gain insight on how to develop better habits. The “aha”
the branch and understand whether it would pass the cur- moment comes when a developer says “Oh, I shouldn’t
rent policy as defined. Each team can also have a sandbox have coded it this way because as soon as I upload it I’m
for merging multiple branches to assess the integration. Then going to see the same vulnerability results.” Because they
you would want to merge branches from multiple teams are getting more timely feedback on the code they write
into the release candidate and reassess. That is a lot of or change, they are more likely to reuse secure coding
assessing within a short period of time, but automation patterns and avoid insecure ones.
simplifies assessments for the teams and the sandbox
simplifies reporting for compliance and auditing purposes. 8. Be transparent about security risk.
We use labels to identify any vulnerability as a release
6. Avoid replicating vulnerabilities. blocker if it violates our standard security policy (such as
If you think about how developers work, there is always a “No SQL Injection or Cross-Site Scripting Vulnerabilities”).
bit of copy-and-paste that goes on. Developers look at code This is one way to raise the visibility of vulnerabilities and
and say, “All right, I’m going to use that pattern.” If you do allow triage of every single application-layer threat prior
not encourage and enable developers to check-in secure to release. Triage involves answers questions such as: Do
code, and those vulnerabilities get copied and replicated we need to remediate this vulnerability? Can we mitigate
across the code base, it magnifies risk in individual projects it instead, and if so, how? Is this a risk that we’re willing to
and possibly across multiple projects. Then it becomes a big accept? The visibility enables a pragmatic discussion about
development effort to clean up those vulnerabilities. risk within the normal agile sprint management process.