Automating Your Veracode Security Scans

The following post is a guest contribution by Matthew Luedke of On-Line Strategies. Matt has been involved with secure application development since 2007, designing and developing numerous projects, most recently OLS’ Secure Gateway product suite. On-Line Strategies was recently chosen as a recipient of Veracode’s Secure Development Award; the winners were selected based on the security quality of the applications they submitted to the Veracode Platform.

How Can I Save Time With Veracode Security Scans?

At On-Line Strategies [OLS], many of the tools we use in our Software Development Lifecycle (SDLC) have helpful APIs, including Veracode. We leverage them to automate tasks that were once performed manually by developers or technical managers, such as running a Veracode static scan on a pending release.

Today, our Veracode static scans run alongside automated regression tests for every public release, to ensure we catch security flaws that may have slipped by our developers.

Computers excel at performing easy, repetitive tasks quickly and efficiently. People do not. We would much rather spend time using our skills and talent to create value.

Automation frees us to do that.

A couple of hours spent automating a repetitive process can mean countless cumulative hours saved in the future. Consider it an investment whose returns compound with every build.

Automating Static Scans

To automate static scans, we added a build configuration in our Continuous Integration (CI) server that uses the command line to call a custom Python script. Our script uploads a build using the Veracode API, and subsequently launches a static scan. You may download the script on Github.

Note: At OLS we use TeamCity as our CI server, but concepts similar to a “build configuration” exist in other CI servers, as well.

If you’re not using a CI server, the Python script will work equally well from anywhere your project is being built (as long as Python is installed).
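To make the upload-and-scan step concrete, here is an added example of the kind of Python script a CI build configuration can call. It is not the OLS script from the post. It assumes Veracode's legacy XML API at https://analysiscenter.veracode.com/api/5.0/ with HTTP basic authentication, the endpoints uploadfile.do, beginprescan.do and getbuildinfo.do, and the <file file_id=...>, <build build_id=...> and <analysis_unit status=...> elements in their responses; the status strings "Results Ready" and "Pre-Scan Failed" and the environment variable names are assumptions as well, so check them against Veracode's API documentation. The HTTP transport is injectable so the flow can be exercised without network access, and the script fails the build rather than hanging when the prescan fails.

```python
"""Added example: upload a build to Veracode and start a static scan from a CI step.
Endpoint names, XML element names, status strings and env var names are assumptions."""
import base64
import os
import sys
import time
import urllib.request
import xml.etree.ElementTree as ET

API_BASE = "https://analysiscenter.veracode.com/api/5.0/"  # assumed legacy API root


def encode_multipart(fields, files):
    """Encode form fields plus {name: (filename, bytes)} as multipart/form-data (no stdlib helper)."""
    boundary = "----veracode-ci-7f3a9c2e"
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    for name, (filename, data) in files.items():
        head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                "Content-Type: application/octet-stream\r\n\r\n")
        parts.append(head.encode() + data + b"\r\n")
    return b"".join(parts) + f"--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"


def urllib_transport(user, password):
    """Build post(endpoint, fields, files) -> response bytes over the real network."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(endpoint, fields, files=None):
        body, content_type = encode_multipart(fields, files or {})
        req = urllib.request.Request(API_BASE + endpoint, data=body, method="POST")
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", content_type)
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.read()

    return post


def xml_attr(xml_bytes, local_tag, attr):
    """Return `attr` of the first element whose local name is `local_tag`, ignoring XML namespaces."""
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag.rsplit("}", 1)[-1] == local_tag and attr in el.attrib:
            return el.attrib[attr]
    raise ValueError(f"no <{local_tag} {attr}=...> in response: {xml_bytes[:200]!r}")


def upload_build(post, app_id, filename, data):
    """Upload one artifact to the application's pending build; returns the file_id."""
    resp = post("uploadfile.do", {"app_id": app_id}, {"file": (filename, data)})
    return xml_attr(resp, "file", "file_id")


def begin_prescan(post, app_id):
    """Start the prescan; auto_scan=true lets Veracode start the full static scan when it succeeds."""
    resp = post("beginprescan.do", {"app_id": app_id, "auto_scan": "true"})
    return xml_attr(resp, "build", "build_id")


def static_scan_status(post, app_id, build_id):
    resp = post("getbuildinfo.do", {"app_id": app_id, "build_id": build_id})
    return xml_attr(resp, "analysis_unit", "status")


def wait_for_results(post, app_id, build_id, poll_seconds=300, max_polls=48, sleep=time.sleep):
    """Poll until the static scan finishes; a failed prescan fails the build instead of hanging it."""
    status = ""
    for _ in range(max_polls):
        status = static_scan_status(post, app_id, build_id)
        if status == "Results Ready":
            return status
        if "Failed" in status or status == "Incomplete":
            raise RuntimeError(f"Veracode scan did not complete: {status}")
        sleep(poll_seconds)
    raise TimeoutError(f"scan still '{status}' after {max_polls} polls")


def run_static_scan(post, app_id, artifact_path, data, sleep=time.sleep):
    """CI entry point: upload, kick off the prescan and block until results are ready."""
    upload_build(post, app_id, os.path.basename(artifact_path), data)
    build_id = begin_prescan(post, app_id)
    wait_for_results(post, app_id, build_id, sleep=sleep)
    return build_id


if __name__ == "__main__":
    # Usage: python veracode_scan.py <app_id> <artifact>.  Credentials come from the
    # environment (assumed variable names) so they never sit in the repo or build config.
    creds = os.environ["VERACODE_USER"], os.environ["VERACODE_PASSWORD"]
    with open(sys.argv[2], "rb") as fh:
        print(run_static_scan(urllib_transport(*creds), sys.argv[1], sys.argv[2], fh.read()))
```

Because the script blocks until "Results Ready", a CI server can make the release build depend on it and stop the pipeline when the scan fails; if you would rather not tie up a build agent for the duration of a scan, split the upload step from the polling step into two build configurations.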

Automating Issue Tracking

To further automate manual processes, we envisioned opening tickets in our issue tracking system with the static scan reports attached. We used a second build configuration and script to accomplish this.

Using the Veracode API, the script pulls the detailed and summary PDF reports from the latest static scan and attaches them to a new YouTrack ticket opened through the YouTrack API.

Then the ticket is reviewed by a project manager and assigned to a developer. You can download this second script here, which may be modified to work with your own issue tracking system.

Other popular issue tracking systems have APIs that allow similar functions.
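The ticket-filing step, as an added example that is not the OLS script from the post. It assumes Veracode's legacy results endpoints detailedreportpdf.do and summaryreportpdf.do (GET with build_id) and the classic YouTrack REST API: PUT /rest/issue?project=..&summary=..&description=.. answering 201 with the new issue's URL in a Location header, and POST /rest/issue/{id}/attachment taking a multipart file. Both transports are injected callables (a urllib implementation with basic auth is included for YouTrack), so the flow runs without a network. One caveat the post does not mention: when results are not yet ready, the Veracode API tends to answer with an XML error document rather than an HTTP error, so the script checks for the PDF magic bytes before attaching anything to a ticket.

```python
"""Added example: download a scan's PDF reports and open a YouTrack ticket with them attached.
The Veracode endpoint names and the YouTrack REST paths are assumptions to verify."""
import base64
import urllib.error
import urllib.parse
import urllib.request


def urllib_http(user, password):
    """Build http(method, url, headers, body) -> (status, headers, body) with basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=dict(headers))
        req.add_header("Authorization", "Basic " + token)
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:  # 4xx/5xx: report instead of raising
            return err.code, dict(err.headers), err.read()

    return http


def fetch_pdf_reports(veracode_get, build_id):
    """veracode_get(endpoint, params) -> bytes.  Refuse anything that is not a PDF."""
    reports = {}
    for kind, endpoint in (("detailed", "detailedreportpdf.do"), ("summary", "summaryreportpdf.do")):
        data = veracode_get(endpoint, {"build_id": build_id})
        if not data.startswith(b"%PDF-"):
            raise RuntimeError(f"{endpoint} for build {build_id} did not return a PDF: {data[:120]!r}")
        reports[f"veracode-{kind}-{build_id}.pdf"] = data
    return reports


def single_file_multipart(field, filename, data):
    """Multipart body for one PDF attachment; the stdlib has no encoder."""
    boundary = "----yt-attach-3b1e6d"
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/pdf\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"


def create_issue(http, base_url, project, summary, description):
    """Open an issue; the classic API returns 201 and the issue URL in Location."""
    query = urllib.parse.urlencode({"project": project, "summary": summary, "description": description})
    status, headers, body = http("PUT", f"{base_url}/rest/issue?{query}", {}, None)
    if status != 201:
        raise RuntimeError(f"YouTrack refused the issue: HTTP {status} {body[:120]!r}")
    return headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def attach_reports(http, base_url, issue_id, reports):
    for filename, data in reports.items():
        body, ctype = single_file_multipart("file", filename, data)
        status, _, resp = http("POST", f"{base_url}/rest/issue/{issue_id}/attachment",
                               {"Content-Type": ctype}, body)
        if status not in (200, 201):
            raise RuntimeError(f"attaching {filename} to {issue_id} failed: HTTP {status} {resp[:120]!r}")
    return issue_id


def file_scan_ticket(veracode_get, http, youtrack_url, project, app_name, version, build_id):
    """Second build step: reports first, so no empty ticket is opened if the download fails."""
    reports = fetch_pdf_reports(veracode_get, build_id)
    summary = f"Veracode static scan results: {app_name} {version}"
    description = (f"Build {build_id} of {app_name} {version} finished static analysis.\n"
                   "Detailed and summary reports are attached; triage the findings and assign them.")
    issue_id = create_issue(http, youtrack_url, project, summary, description)
    return attach_reports(http, youtrack_url, issue_id, reports)
```

The reports are fetched before the ticket is created so a failed download leaves nothing half-filed for the project manager to chase. Swapping YouTrack for another tracker means replacing create_issue and attach_reports only; the Veracode side stays the same.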

Other Opportunities for Automation

By automating these two simple processes, we’ve given our staff needed time to devote to other, more complex tasks. We also continue to look for opportunities for further automation, such as in build deployment and distribution, and internal notifications.

Integrating Veracode scans into our automated build process has contributed to a safer and faster development lifecycle.

How can you use automation in your development process?

santosh | December 2, 2013 11:36 am

Hi,

Can you please help me in getting the powershell version of the scripts to automate the Veracode static scan process.

Th
