Success Stories State Government Needs Checkmarx Integrated into DevSecOps
The Project
This state government IT department is responsible for over 400 applications that are developed and maintained by various agencies throughout the state, and are hosted within GitLab-CI. The IT department was anxious to integrate Checkmarx into their development lifecycle to support consistent, structured static application security testing (SAST). However, the agencies manage their projects in different ways without a standardized methodology, and it would have been impossible to onboard every agency at once.
Winmill worked with the IT department to develop a Docker-based .Net Core application (“Checkmarx-GitLab”) that automates a Checkmarx static scan pipeline when developers commit code changes to specific projects in the repository. The application listens for project changes via GitLab web hooks, then initiates an automated Checkmarx scan, and upon completion logs a scan summary back into GitLab. To support a gradual introduction of applications into the new DevSecOps architecture, the application reads from a configuration file that defines which projects will trigger automated scans. The configuration also defines vulnerability count limits that, if exceeded, will automatically create a ticket in GitLab-CI.
Challenges
- The applications are developed and maintained by different agencies across the state. The IT department needed to gradually introduce agencies into the automated scanning process, in a way that did not require constant redeployment of the Checkmarx-GitLab application.
- Given the many agencies across the state, Checkmarx scan results needed to be communicated back to the developers without requiring additional tools or onerous processes that would discourage adoption.
- Given that most of the applications in the portfolio are in constant development, the Checkmarx-GitLab application had to respond as quickly as possible to incoming code changes. Even under heavy load, the system could not stop responding, even briefly, to incoming scan requests.
Solution
- Winmill developed the Checkmarx-GitLab application to perform automated scans based on rules defined in a configuration file. In this way, the department can introduce new applications into the DevSecOps architecture in a controlled manner that does not require redeployment of the code itself.
- The application communicates scan summaries back to the developers in the form of GitLab comments and tickets. GitLab is a convenient location for developers to track defects, as it is an environment they are already familiar with and can readily access.
- The application completes scan requests almost immediately by running each scan in parallel, taking advantage of Docker’s ability to spread work across multiple hosts. The application also takes advantage of recent enhancements in .Net Core to manage parallel tasks more efficiently and safely than was possible with prior methods.
- TheDevSecOps architecture can easily scale by adding more Checkmarx scanning engines. The application itself would not need to change to make use of the new engines.
The Results
With the help of Winmill Software, this state IT department can now provide clear source code assessments for all applications within their portfolio.
Developers can see scan summaries as they are posted back to GitLab, to confirm their checked-in code is secure. Management can review trends in Checkmarx or their preferred security portal, since the Checkmarx-GitLab environment posts scan summaries to configurable REST endpoints after completion.
The introduction of new applications to automated scanning is seamless and requires only a JSON configuration file change, without requiring a software recompile. The configuration file can be altered using a simple text editor.
Since each code commit is scanned by Checkmarx, comparing scans over time clearly shows correlations between when a vulnerability is found, how quickly the vulnerability is resolved, and the frequency in which the vulnerability is reintroduced within the application portfolio.
