Enterprises are rapidly adopting Continuous Integration and Continuous Delivery (CI/CD) processes for app development, but are often unclear as to when and how to do security testing. Security testing often occurs just prior to or sometimes even after app deployment. However, at this late stage it’s typically much more expensive and takes longer to remediate vulnerabilities, and also exposes organizations to unnecessary risk and potential breaches.
Instead, organizations should think about security early in the app design and development phases, starting with training on secure coding and security vulnerabilities. As organizations start their app development they should use a SAST solution that supports popular developer tools (e.g., IDEs, SCMs, build servers, and bug trackers) as well as widely used programming languages and frameworks. An example is WhiteHat Sentinel Source, which provides requisite plug-ins and integrations to these developer tools, including the Jenkins CI build tool for support of automated project builds as well as Sentinel scans of source code. Sentinel Source combines best-in-class automated scanning technology with vulnerability pre-verification by WhiteHat’s Threat Research Center security experts to provide actionable results with near-zero false positives.
One obstacle that many organizations encounter is lack of AppSec expertise in their development teams.
This makes it difficult for organizations to remediate security vulnerabilities or resolve false positives without turning to external security support. However, this support process is typically adhoc and not integrated into app development environments or processes, and may expose arbitrary amounts of code IP to external parties without traceability. This is commonly the case with alternative do-it-yourself SAST developer tools, which typically provide only standard CVE descriptions and generate lots of false positives.
Sentinel Source changes all this by providing a single pane of glass view of vulnerabilities and corresponding source code, custom vulnerability descriptions and remediation advice, bug trackers and direct Q & A access to WhiteHat’s TRC security experts, all within a developer’s IDE. And, each vulnerability can be remediated based on its prioritized threat severity rating and impact level and individually tracked using bug trackers such as Jira. Customers’ source code IP stays on premises (a cloud option is also available), and only a small percentage of code snippets containing actual vulnerabilities (~5% – 10%) are automatically and securely sent to the TRC for review.
Ease of use, fast and accurate scans with near-zero false positives, integration with build tools for CI/CD, unlimited Q & A access to security experts, a single view within an IDE; these are some of the ways that Sentinel Source can help you scale and accelerate your web app development.
WhiteHat customer Wiredrive, a secure media-sharing and collaboration solution provider, experienced up to a 24% drop in the time to remediate vulnerabilities since using WhiteHat Sentinel Source for static application security testing. Learn more about Wiredrive’s case study in today’s announcement.
WhiteHat Security is a sponsor of Jenkins World 2016, the largest gathering of Jenkins users in the world. WhiteHat engineers will be giving a demo of the Jenkins integration with WhiteHat’s Sentinel Source SAST service in booth K-13 next to the Partner Theater in the Expo Hall Sept. 14 -15 at the Santa Clara Convention Center. Come join us to see how to integrate security into your SDLC, in a way that allows you to scale your Agile DevOps app development.