Application Security - Automated Code Scans

Brad Hickey
Dec 3, 2021 4:16:55 PM

Recently TEAM has been fielding a lot of questions regarding application security and automated code scans.

As the market continues to trend towards cloud-based hosting solutions, delivery to the client is no longer part of most code pipelines. Outside of some government agencies and Fortune 500 companies, most clients don’t have the dedicated engineering teams required to test and maintain many custom applications. These clients rely heavily on their partners, such as TEAM, to share the responsibility for security and for finding code vulnerabilities.

As testing is an expensive and tedious process, it is best to automate as much as possible. Since modern applications are deployed using CI/CQ (continuous integration/continuous quality) pipelines, it makes the most sense to start there. TEAM uses Jenkins, an industry leader for the past decade. Most cloud providers now provide their own pipelines, although none are as mature and flexible as Jenkins.

A standard application at TEAM consists of four pipelines:


  • DEV – Includes no security scans, as we do not want to slow development down in any way.
  • QA – This is a special pipeline that developers can use prior to the TEST deployment, which allows them to remediate issues at any time during the development lifecycle.
  • TEST – The test pipelines include both 1st-party code analysis via SonarQube and 3rd-party dependency analysis via OWASP, and deployment to the server will not occur until all scans are validated.
  • PROD – Includes no security scans, as all code must be remediated before making it this far.
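As an added illustration (not TEAM's own Jenkinsfile), here is the TEST pipeline described above written as a declarative Jenkins pipeline: SonarQube analysis, its quality gate, and an OWASP Dependency-Check scan all run before deployment, and the deploy stage is only reached if every scan passed. The SonarQube server name `sonar-main`, the tool installation names, the Maven build and the `deploy.sh` script are assumptions.

```groovy
// Added example, not TEAM's pipeline. Assumes a SonarQube server registered in
// Jenkins as 'sonar-main', a scanner tool named 'sonar-scanner', an OWASP
// Dependency-Check installation named 'dependency-check', and a Maven build.
pipeline {
    agent any
    options { timeout(time: 45, unit: 'MINUTES') }
    stages {
        stage('Build and unit tests') {
            steps { sh 'mvn -B clean verify' }
        }
        stage('1st-party code analysis (SonarQube)') {
            steps {
                // Sends the analysis to the server; credentials come from Jenkins config.
                withSonarQubeEnv('sonar-main') {
                    sh "${tool 'sonar-scanner'}/bin/sonar-scanner"
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Waits for SonarQube to report the gate result and aborts the build
                // on ERROR, so unvalidated code never reaches the deploy stage.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('3rd-party dependency analysis (OWASP)') {
            steps {
                dependencyCheck additionalArguments: '--scan . --format XML --failOnCVSS 7',
                                odcInstallation: 'dependency-check'
                // Publishes the report and fails the build on any critical or high finding.
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml',
                                         failedTotalCritical: 1, failedTotalHigh: 1
            }
        }
        stage('Deploy to TEST') {
            // Explicit guard: deploy only when every earlier stage left the build green.
            when { expression { currentBuild.currentResult == 'SUCCESS' } }
            steps { sh './deploy.sh test' }   // placeholder deploy script (assumption)
        }
    }
    post {
        failure { echo 'A scan or gate failed; TEST deployment was skipped.' }
    }
}
```

`waitForQualityGate` depends on a SonarQube webhook pointing back at Jenkins; without it the gate stage simply times out.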

While automated tools are good for ensuring code quality and finding known vulnerabilities, nothing beats manual unit and regression testing. Creating a test plan and holding yourself accountable will go a long way to stay ahead of the never-ending curve.

TEAM IM strives to ensure the quality, security, and performance of our code-based deliverables. We have been using code pipelines for years to automate deployment and ensure continuous integration and continuous quality assurance of our code. We put all our code, both on client projects (see Implementation services) and in the development process of our own products like M-Connect, Modern UI, Field Services, AutoRedaction, and AutoRecords, through our CQ/CI process. Also, see TEAM Insight on Performance, Stress and Scalability testing.

About TEAM IM

TEAM IM is a global enterprise solutions and technology company. Utilizing best-in-class technologies to put unstructured data to work, TEAM has successfully implemented thousands of business solutions across a diverse spectrum of organizations of varying sizes and industry focus. TEAM’s offerings include expert professional services, managed support services, custom development, and solutions in many areas, including Content Management, Records Management, Workflow, Analytics, and Collaboration. TEAM has offices across the globe, with resources in every discipline and service offering available to support you, wherever you’re located. More information at teamim.com.
