Success Stories DevSecOps and Fortify Integration for TV Broadcast Company
The Project
When one the largest providers of direct-broadcast and IPTV services needed to integrate application scanning into the development lifecycle of an increasingly complex application portfolio, they called Winmill. With our deep roots in continuous integration and deployment and our vast experience with numerous application development technology stacks, Winmill was the perfect fit for an organization seeking successful adoption of the Micro Focus Fortify SCA (Static Code Analyzer) platform to be utilized across AppSec professionals, security teams, and developers.
The organization was using several different products to identify, prevent, and remediate application security risks such as database injection vulnerabilities, sensitive data exposure, XML external entities, insecure deserialization, cross-site scripting, and the use of components with known vulnerabilities. The IT Security group sought to maximize the effectiveness of Fortify SCA within the overall Application Security Program and to further evaluate platform capabilities and benefits. The desired outcome was to utilize its full potential and fully integrate Static Application Security testing into the SDLC, enabling maximum efficiency. Enter Winmill.
Challenges
- Integrate Fortify SCA within Continuous Integration tools, including the ability to view results from within CI pipeline.
- Decrease scan times.
- Shorten feedback loops.
- Integrate vulnerability assessments into the merge-approval process, and based on vulnerabilities found, determine if a security review/approval is required for the code base changes.
- Enable developers to run scans without engaging the Security Team.
- Integrate the results with an issue tracker, such as Rally, Gitlab or Jira.
Solution
Winmill initially integrated Fortify SCA with Jenkins, and implemented a Jenkins job that executed a scan, fed results into an enterprise-wide reporting dashboard, submitted a ticket to JIRA, and emailed an auto-generated PDF report to the AppSec team.
In Phase II, Winmill built a customized JavaEE-based portal that enables developers to upload code to be scanned by Fortify SCA on an ad-hoc basis, whenever the developer chose to initiate the process. This allows developers to run scans without the need to set up integrations on each workstation, or force a full application build to trigger the scan.
The logged-in user (authenticated and authorized via SSO) submits a source code package and a text-based configuration file to accompany the scan job as it moves through the system. The user is notified immediately that the scan job is queued and will run as soon as possible. Once the scan completes, the user receives an email with a link that initiates download of the full scan report for review and remediation. The portal processes all tasks asynchronously and logs all activity in order to monitor usage.
The Results
By integrating application scanning into the DevOps architecture, Winmill enabling a “shift left” that reduced development costs by identifying vulnerabilities early in the Software Development Life Cycle. Simultaneous scans can be executed efficiently for more timely remediation within the portfolio of over 300 separate application pipelines. Seamless integration of application scanning into the build process has freed up developer time, enabled consistency within the DevOps process, and helped to triage and prioritize vulnerabilities. The new scanning architecture also provides usage data, helping the organization to identify “security champions” – individuals and teams using the system most effectively, who can then be publicly recognized and made eligible for additional leadership roles.
By integrating application scanning into the DevOps architecture, Winmill enabling a “shift left” that reduced development costs by identifying vulnerabilities early in the Software Development Life Cycle.
