Software Company Case Study
Earlier Detection of Security Issues: via integration of security into build pipelines
Established Security Standards: agreed on by both security and development teams
Improved and Shared Visibility: between security and development teams
Integrating Security Testing into CI/CD Pipelines
The security team was using multiple approaches for application security testing, but did not have a unified view of the security state of a build. This created ambiguity about the true set of security issues that needed to be addressed. In addition, there was no shared agreement on what made a build acceptable to release. For the development team, security requirements were unclear and were often dictated late in the project lifecycle. As a result, security sign-off became a bottleneck and created significant project risk.
Embedding Build Assessments
The company used ThreadFix as the means to integrate security testing into the CI/CD build pipeline. Security evaluation is now part of the testing applied to a build to determine its fitness for deployment.
ThreadFix provides vulnerability consolidation and reports security issues to the development team in a structured manner using their JIRA system. This has created clear communication of security issues to development teams in the tools they are already using.
In addition, ThreadFix allows the security teams to craft different security policies for applications with different risk profiles. These policies are agreed upon between security and development, and are tuned to the risk associated with the application, making application security requirements clear to both sets of stakeholders.
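The following is an added illustration of the three steps described above (consolidating findings from several scanners, gating a build against a policy tuned to the application's risk profile, and shaping the surviving findings as issue-tracker tickets). It is example code written for this page, not ThreadFix's or JIRA's code or data formats; the scanner output, the policy fields, the risk-profile names and the ticket schema are all constructed assumptions.

```python
"""Build gate: consolidate multi-scanner findings, evaluate against a per-risk-profile
policy, and emit tracker-ready tickets.  Constructed example; every format here is
an assumption, not a real ThreadFix or JIRA schema."""
from collections import Counter
from dataclasses import dataclass, field, replace

# Ordering used to compare severities; "block_at" in a policy refers to this scale.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str
    cwe: int
    severity: str
    location: str                      # "path:line" (assumed scanner field)
    tools: list = field(default_factory=list)  # filled in by consolidate()


@dataclass
class Policy:
    """Release gate agreed between security and development for one risk profile."""
    name: str
    block_at: str                      # lowest severity that blocks a release
    max_open: dict = field(default_factory=dict)  # e.g. {"medium": 2}


# Constructed policies: an internet-facing app is held to a stricter bar than an internal tool.
POLICIES = {
    "internet-facing": Policy("internet-facing", block_at="high", max_open={"medium": 2}),
    "internal-tool": Policy("internal-tool", block_at="critical"),
}

# Constructed scanner output: two SAST tools report the same SQL injection at the same
# line with different severities, plus three unrelated findings.
RAW_FINDINGS = [
    Finding("sast-a", 89, "high", "src/orders.py:42"),
    Finding("sast-b", 89, "critical", "SRC/orders.py:42"),
    Finding("sast-a", 79, "medium", "src/views.py:17"),
    Finding("sca", 1104, "medium", "requirements.txt:3"),
    Finding("sast-a", 798, "high", "src/config.py:5"),
]


def consolidate(findings):
    """Merge findings that describe the same weakness at the same place, whichever
    tool reported them.  Keeps the highest severity and records every reporting tool."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location.lower())   # case-insensitive path match
        cur = merged.get(key)
        if cur is None:
            merged[key] = replace(f, tools=[f.tool])
        else:
            cur.tools.append(f.tool)
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
                cur.severity = f.severity
    return list(merged.values())


def evaluate(policy, findings):
    """Return (passed, reasons).  A build fails if any finding meets the blocking
    severity or if a per-severity open-finding limit is exceeded."""
    reasons = []
    threshold = SEVERITY_RANK[policy.block_at]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"{f.severity} CWE-{f.cwe} at {f.location} "
                           f"(policy '{policy.name}' blocks at {policy.block_at}+)")
    counts = Counter(f.severity for f in findings)
    for sev, limit in policy.max_open.items():
        if counts.get(sev, 0) > limit:
            reasons.append(f"{counts[sev]} open {sev} findings exceed limit of {limit}")
    return (not reasons, reasons)


def to_tickets(project, findings):
    """Shape consolidated findings as issue-tracker payloads (constructed schema, so the
    development team sees one ticket per weakness rather than one per scanner)."""
    return [{
        "project": project,
        "summary": f"[{f.severity.upper()}] CWE-{f.cwe} in {f.location}",
        "labels": ["security", f"cwe-{f.cwe}"],
        "source_tools": list(f.tools),
    } for f in findings]


if __name__ == "__main__":
    merged = consolidate(RAW_FINDINGS)
    for profile, policy in POLICIES.items():
        passed, why = evaluate(policy, merged)
        print(f"{profile}: {'PASS' if passed else 'FAIL'}")
        for r in why:
            print("  -", r)
    print(to_tickets("ORD", merged))
```

The same consolidated finding set fails both profiles here, but for different reasons: the internet-facing policy blocks on the high-severity hard-coded credential as well as the SQL injection, while the internal-tool policy blocks only on the critical one. Dropping the SQL injection makes the internal-tool build pass while the internet-facing build still fails, which is the per-profile tuning the page describes.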
The end result is earlier knowledge of potential security issues through integration into the build pipeline, better and shared visibility between security and development teams, and common, agreed-upon standards for what security requires of development teams for a release.