Global Telecommunications Provider Builds Security into the SDLC at Low Cost & High Value

CUSTOMER CHALLENGE

One of the largest international telecommunications companies was developing a wide variety of software enablers for both internal and customer use. As application security became more of a concern and a priority, it became necessary to adapt the organization's Software Development Lifecycle (SDLC) to accommodate additional security measures and testing, while minimizing the impact on already strained resources and tight schedules.

SOLUTION & RESULTS

The solution had to be simple to operate and applicable to the automation of the nightly and weekly build process. These two factors required that its results be reliable enough to serve as a credible trigger for build-cycle failures and defect-tracking entries, and that analysis of the results would build the assessment team's reputation as providers of value.

The customer began the implementation process with a detailed analysis of its own internal expectations for the security of its applications. As those expectations matured into enforcement criteria, the Ounce suite was configured to identify violations of those criteria more specifically. A well-organized, centralized team of security analysts created the view of the data that matched the organization's need for consistency.

Having defined the criteria, the team then configured automation servers co-located with the organization's build servers. Through scripted execution, the build process automatically ran a security scan while the application was being built. The scan results were then automatically analyzed; if the output identified vulnerabilities, the build was reported as failed, emails were sent to the appropriate project owners, and defects were automatically created to add the security flaws to the defect tracking system.
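The scan-then-gate step described above, as an added example that is not the customer's or Ounce's own scripting: a Python build gate that parses a scan report, applies the team's enforcement criteria, and decides whether to fail the build and which defects to file. The report layout, severity thresholds and suppressed-rule list are assumptions, since the page does not give Ounce's output format.

```python
"""Build-gate logic for an automated security scan in the build step.

The report format is a constructed stand-in, not Ounce's real output, and
the enforcement criteria below are assumptions for illustration.
"""
import json
from dataclasses import dataclass

# Constructed sample report: what a scanner might emit after a nightly build.
SAMPLE_REPORT = json.dumps({
    "project": "billing-portal",
    "findings": [
        {"id": "F-1", "severity": "high", "rule": "sql-injection",
         "file": "src/db/query.java", "line": 42, "owner": "alice@example.com"},
        {"id": "F-2", "severity": "low", "rule": "hardcoded-log-path",
         "file": "src/util/log.java", "line": 7, "owner": "bob@example.com"},
        {"id": "F-3", "severity": "medium", "rule": "weak-random",
         "file": "src/auth/token.java", "line": 88, "owner": "alice@example.com"},
    ],
})

# Enforcement criteria (assumed): the lowest severity that breaks the build,
# and rules the analyst team has already triaged as accepted in this codebase.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_AT = "medium"
SUPPRESSED_RULES = {"hardcoded-log-path"}


@dataclass(frozen=True)
class Defect:
    finding_id: str
    title: str
    owner: str


def gate_build(report_json: str, fail_at: str = FAIL_AT):
    """Return (build_ok, defects_to_file, owners_to_notify) for one report."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_at]
    defects = []
    for f in report["findings"]:
        if f["rule"] in SUPPRESSED_RULES:
            continue  # accepted by the analysts; do not re-file every build
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue  # below the enforcement line; informational only
        title = f"[{f['severity'].upper()}] {f['rule']} in {f['file']}:{f['line']}"
        defects.append(Defect(f["id"], title, f["owner"]))
    owners = sorted({d.owner for d in defects})
    return (not defects), defects, owners


if __name__ == "__main__":
    ok, defects, owners = gate_build(SAMPLE_REPORT)
    print("BUILD", "PASSED" if ok else "FAILED", "- notify:", ", ".join(owners))
    for d in defects:
        print(" file defect:", d.title)
    raise SystemExit(0 if ok else 1)  # non-zero exit status breaks the build step
```

The exit status is what a nightly build script would key on; the returned defect list is what the defect-tracker integration would consume.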

Code review is a well-regarded practice for improving quality and security, but it has historically been a seldom-applied technique because of its cost in time and resources. Through the tailored use of the Ounce tools and their output, it is now practical to perform security analysis as an automated check within the traditional build phase of the software development lifecycle. With a small number of trained staff to configure the appropriate context for analyzing the results, new applications can be reviewed every time they are built, providing more regular and predictable security as release time approaches.