Application Security - Automated Code Scans

Recently TEAM IM has been fielding a lot of questions regarding application security and automated code scans.

As the market continues to trend towards cloud-based hosting solutions, delivery to the client is no longer part of most code pipelines. Outside of some government and Fortune 500, most clients don’t have the dedicated engineering teams required to test and maintain many custom applications. These types of clients rely heavily on their partners, such as TEAM IM, to share the responsibility of security and finding code vulnerabilities.

As testing is an expensive and tedious process, it is best to automate as much as possible. Since modern applications are deployed using CI/CQ (continuous integration/continuous quality) pipelines, it makes the most sense to start there. TEAM IM uses Jenkins, an industry leader for the past decade. Most cloud providers now provide their own pipelines, although none are as mature and flexible as Jenkins.

A standard application at TEAM IM consists of four pipelines:

• DEV – Includes no security scans, as we do not want to slow development down in any way.
• QA – This is a special pipeline that developers can use prior to the TEST deployment, which allows them to remediate issues at any time during the development lifecycle.
• TEST – The test pipelines include both 1^st-party code analysis via SonarQube and 3^rd-party dependency analysis via OWASP, and deployment to the server will not occur until all scans are validated.
• PROD – Includes no security scans, as all code must be remediated before making it this far.

While automated tools are good for ensuring code quality and finding known vulnerabilities, nothing beats manual unit and regression testing. Creating a test plan and holding yourself accountable will go a long way to stay ahead of the never-ending curve.

TEAM IM strives to ensure the quality, security, and performance of our code-based deliverables.  We have been using code pipelines for years to automate deployment and ensure continuous integration and continuous quality assurance of our code.  We put all our code both on client projects (see Implementation services) and in the development process of our own products like M-Connect, Modern UI, Field Services, AutoRedaction, and AutoRecords through our CQ/CI process.  Also, see TEAM IM Insight on Performance, Stress and Scalability testing.

About TEAM IM

TEAM IM is a global enterprise solutions and technology company. Utilizing best-in-class technologies to put unstructured data to work, TEAM IM has successfully implemented thousands of business solutions across a diverse spectrum of organizations of varying sizes and industry focus. TEAM IM’s offerings include expert professional services, managed support services, custom development, and solutions in many areas, including Content Management, Records Management, Workflow, Analytics, and Collaboration. TEAM IM has offices across the globe, with resources in every discipline and service offering available to support you, wherever you’re located. More information at teamim.com.