An old adage in testing is that you cannot test what you don't know. Out of cycle testing that requires a developer to upload code is also dependent on the developer to upload the correct code for static code scanning. Verification that all the libraries and dependent code is uploaded is a near impossible task for the security team maintaining the program. A single file could be uploaded for static scanning and the resultant product scan would show as passed for that product on a dashboard, unless someone manually verified the file uploaded. For a large IS program this is very time consuming process to verify across hundreds of security scans An effective application static and dynamic code scanning program has four key elements:
1. On premise
A scanning program that is on premise and linked to the source control system now removes the dependency for a developer to take the time to find the code, do special compiles and upload the code. Instead, the right location of the code is selected in the source control tree and regular scanning is setup for all the child files. An on premise Dynamic scanning solution also makes it easier for dynamic scanning since no firewall rule changes are required for external tools from the scan test provider to access the test website.
2. Continuous scanning
On premise systems can be setup for continuous scanning which will not require manual intervention to upload the code. On premise systems can also be configured to scan continuously or periodically and because of the on premise setup, can scan far more frequently that a manually uploaded, manually configured scan.
3. Tightly integrated with the development build cycle
A scanning program tightly integrated with the source control and build system allows for code scanning to leverage many source control and build system features. For example advanced development teams using continuous build integration from their source control, can configure the build system to pass certain test gates before a developer's build can be integrated or checked in to the main code base. Code security scanning tests can be setup to be one of these test gates much like Performance tests or unit tests.
4. Tightly integrated with the defect tracking system
Most modern source control and build systems are also tightly integrated with the defect tracking system such that a software defect can be tied to a particular version of code checked in which in turn can be tied to a particular system build. A code scanning program that can automatically create defects within the existing defect management system will allow for less out of cycle time and will seamlessly integrate and absorb security defects into the team defect backlog.
Sign up for CIO Asia eNewsletters.