{"id":13861,"date":"2018-08-24T11:00:33","date_gmt":"2018-08-24T10:00:33","guid":{"rendered":"http:\/\/www.devopsonline.co.uk\/?p=13861"},"modified":"2018-08-24T11:30:22","modified_gmt":"2018-08-24T10:30:22","slug":"veracode-addresses-internal-software-testing-structures","status":"publish","type":"post","link":"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/","title":{"rendered":"Veracode addresses internal software testing structures"},"content":{"rendered":"

According to Colin Domoney, Consultant Solution Architect at Veracode, the application security company secures the software that \u201cpowers your world\u201d \u2013 whether you are a developer testing software or writing a new application, a business owner with a portfolio of apps, or a CISO responsible for a major enterprise \u2013 \u201cVeracode has a solution to help you produce, build and operate securely\u201d.<\/p>\n

\u201cWe inspect the source code, how it\u2019s built, then what goes through applications through white-box testing;\u00a0a method of\u00a0testing\u00a0software that tests\u00a0internal structures or workings, instead of functionality (black-box testing),” says Domoney.<\/p>\n

\u201cWhite-box testing is an inside-out view of looking into the internals of an application. We also offer software composition analysis which creates an inventory of open source and 3rd party components used in applications. Whilst the use of such components increases the speed of software delivery, the problem with these components is that they may contain flaws.\u201d<\/p>\n

As well as white-box testing, Veracode uses dynamic analysis (a type of black-box testing), which can be applied to virtually every level of software testing (unit, integration, system and acceptance). It is a method that examines the functionality of an application without peering into its internal structures or workings.<\/p>\n

\u201cDynamic analysis is black-box testing, but instead operates an application the way an attacker would \u2013 the complete opposite of white-box testing,\u201d continues Domoney.<\/p>\n

Greenlight<\/h2>\n

Veracode\u2019s primary product is static analysis, both at an application level and individual file level with its new Greenlight products.<\/p>\n

\u201cGreenlight testing is useful. If you are testing an application it can take a long time to test. We want to encourage testers to test quickly. It gives you instant testing directly, with instant results,” advises Domoney.<\/p>\n

Shift-left<\/h2>\n

Different developers, of course, have different approaches towards testing. Since the 1950s, programmers have known it was better to start testing earlier, which is when \u2018shift-left\u2019 testing began, according to SmartBear. Despite this, application security was a \u201clatecomer\u201d to this way of testing.<\/p>\n

Traditionally, security testing has been a manually driven process, such as ‘pen tests’. The remediation cycles associated with such tests would be measured in weeks or months due to the review and triage processes required.<\/p>\n

\u201cSecurity testing is normally a manual process. You create a statement of work and then sign a contract. It can take days, weeks or months to test software. People have expectations that it is going to be a long-running process (usually around three weeks). It doesn\u2019t fit well in the \u2018left-shift\u2019 development side. We try to reposition the way people think, and what is capable, but it doesn\u2019t always work like that,\u201d reveals Domoney.<\/p>\n

DevOps<\/h2>\n

Veracode has to address three perceptions around the way it does testing: that security testing is difficult to use (it addresses this by integrating and automating with ease), that security tests are full of false positives (it has a demonstrably low false positive rate) and that security testing takes a long time (its scan times have reduced dramatically).<\/p>\n

\u201cThree of the main problems switching to the \u2018DevOps way of doing things\u2019 were security testing \u2013 testing tools are difficult to use; tests take longer, run slowly, and are full of false positives,” admits Domoney.<\/p>\n

\u201cAt Veracode, the changes we had to make to adapt were to create easy, user-friendly products. We had to make sure we integrated well with environment developers. The false-positive problem means that testing a piece of code can create extra pieces of work; although our scan times have reduced dramatically to 15 minutes or less since the DevOps transition \u2013 a massive turnaround from three years ago.\u201d<\/p>\n

Docker<\/h2>\n

Domoney notes a couple of trends: the way developers are building applications is changing dramatically. Domoney clarified: \u201cWe\u2019re seeing the breakdown of the monolith and a tremendous adoption of microservices, container technology and of course a move to the cloud.\u201d<\/p>\n

This has meant that developers want to test ever smaller chunks of code, and to test more and more frequently, alongside the large-scale adoption of automation (driven largely by the adoption of DevOps).<\/p>\n

Domoney adds: \u201cTraditionally, people used to use a self-contained single-tiered software application, which combined user interface and data access code in a single programme from a single platform.<\/p>\n

\u201cThe way people build applications is changing. At first, testers would use the monolith application, which is hard to change without the whole thing crashing down. Organisations need to be more adaptive and responsive, which is challenging from a security point-of-view, because of the changes. The adoption of Docker is also getting used a lot, so developers are testing smaller and smaller pieces of code.<\/p>\n

‘People problem’<\/h2>\n

\u201cMost of the time, problems aren\u2019t around technology, but around changing the status quo and the way people think they should face a problem. I want people to build more secure code. It\u2019s a people problem, not a technology problem.\u201d<\/p>\n

Veracode will continue to address the demands of the industry, to ensure that the balance between security and speed is addressed adequately. Growth will be driven by the overwhelming groundswell in the industry, as it is no longer acceptable to produce software that hasn\u2019t been tested, particularly for security, according to Domoney.<\/p>\n

Domoney also notes Veracode\u2019s challenge is to ensure that solutions are constantly evolving and improving \u2013 specifically through better integrations and quicker scans. Veracode believes its huge user base will start to become pivotal to success and growth \u2013 “driving adoption and embedding in more and more places”!<\/p>\n

Written by Leah Alger<\/p>\n","protected":false},"excerpt":{"rendered":"

Colin Domoney, Consultant Solution Architect at Veracode, discusses different products and tools used to enhance and improve software testing<\/p>\n","protected":false},"author":12,"featured_media":13879,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","pmpro_default_level":"","footnotes":""},"categories":[2,1158],"tags":[3152,3149,67,520,3150,3151,112,674,216,252,3148],"yoast_head":"\nVeracode addresses internal software testing structures<\/title>\n<meta name=\"description\" content=\"Colin Domoney, Consultant Solution Architect at Veracode, discusses different products and tools used to enhance and improve software testing\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Veracode addresses internal software testing structures\" \/>\n<meta property=\"og:description\" content=\"Colin Domoney, Consultant Solution Architect at Veracode, discusses different products and tools used to enhance and improve software testing\" \/>\n<meta property=\"og:url\" content=\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\" \/>\n<meta property=\"og:site_name\" content=\"DevOps Online North America\" \/>\n<meta property=\"article:published_time\" content=\"2018-08-24T10:00:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-08-24T10:30:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/devopsnews.online\/wp-content\/uploads\/2018\/08\/iStock-961126032.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"731\" \/>\n\t<meta property=\"og:image:height\" content=\"478\" \/>\n\t<meta 
property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Leah Alger\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@DevOpsAmerica\" \/>\n<meta name=\"twitter:site\" content=\"@DevOpsAmerica\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Leah Alger\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\"},\"author\":{\"name\":\"Leah Alger\",\"@id\":\"https:\/\/devopsnews.online\/#\/schema\/person\/d705a7d7c56b625b482e9b13a8e49a2c\"},\"headline\":\"Veracode addresses internal software testing structures\",\"datePublished\":\"2018-08-24T10:00:33+00:00\",\"dateModified\":\"2018-08-24T10:30:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\"},\"wordCount\":925,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/devopsnews.online\/#organization\"},\"image\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2018\/08\/iStock-961126032.jpg\",\"keywords\":[\"application security\",\"black-box testing\",\"DevOps\",\"Docker\",\"dynamic analysis\",\"Greenlight testing\",\"security\",\"security testing\",\"software testing\",\"Veracode\",\"White-box 
testing\"],\"articleSection\":[\"Featured\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\",\"url\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\",\"name\":\"Veracode addresses internal software testing structures\",\"isPartOf\":{\"@id\":\"https:\/\/devopsnews.online\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2018\/08\/iStock-961126032.jpg\",\"datePublished\":\"2018-08-24T10:00:33+00:00\",\"dateModified\":\"2018-08-24T10:30:22+00:00\",\"description\":\"Colin Domoney, Consultant Solution Architect at Veracode, discusses different products and tools used to enhance and improve software testing\",\"breadcrumb\":{\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#primaryimage\",\"url\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2018\/08\/iStock-961126032.jpg\",\"contentUrl\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2018\/08\/iStock-961126032.jpg\",\"width\":731,\"height\":478,\"caption\":\"software 
testing\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/devopsnews.online\/veracode-addresses-internal-software-testing-structures\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/devopsnews.online\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Veracode addresses internal software testing structures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/devopsnews.online\/#website\",\"url\":\"https:\/\/devopsnews.online\/\",\"name\":\"DevOps Online North America\",\"description\":\"by 31 Media Ltd.\",\"publisher\":{\"@id\":\"https:\/\/devopsnews.online\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/devopsnews.online\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/devopsnews.online\/#organization\",\"name\":\"DevOps Online North America\",\"url\":\"https:\/\/devopsnews.online\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/devopsnews.online\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2020\/03\/DevOpsOnline_email.png\",\"contentUrl\":\"https:\/\/devopsnews.online\/wp-content\/uploads\/2020\/03\/DevOpsOnline_email.png\",\"width\":198,\"height\":64,\"caption\":\"DevOps Online North America\"},\"image\":{\"@id\":\"https:\/\/devopsnews.online\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/DevOpsAmerica\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/devopsnews.online\/#\/schema\/person\/d705a7d7c56b625b482e9b13a8e49a2c\",\"name\":\"Leah 
Alger\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/devopsnews.online\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0ac9e809e8ffafd8330210900bac04c0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0ac9e809e8ffafd8330210900bac04c0?s=96&d=mm&r=g\",\"caption\":\"Leah Alger\"},\"url\":\"https:\/\/devopsnews.online\/author\/leah-alger\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}