Software Integrity Blog


The 4 most important secure development disciplines

As the most innovative and successful cloud monitoring company on the market, shipping new features to production every day, we must not only deliver the best user experience, performance, and reliability, but also guarantee the highest SECURITY for our customers.

To keep security measures from slowing down our agile and innovative value creation cycle, and to avoid introducing roadblocks into our “60 minutes from code to production” pipeline, we had to build security into the heart of the Dynatrace DevOps culture.

Making EVERYONE responsible for security, building a team of security experts focused on secure software and product development, fully automating and monitoring cloud deployments, and choosing the right set of tools were the key ingredients of this change process.

The 4 most important secure development disciplines that are in place are:

1. Code reviews

Code reviews not only ensure a high level of code quality but also reduce security risk considerably, because security experts review security-critical code. Using the git version control system and Atlassian’s Bitbucket Server with a pull request workflow, a code review must be completed for every change before it can be merged into the main code line (master). Code reviews are also great for knowledge sharing and for making sure every developer follows the secure coding guidelines.

2. Penetration testing

With manual pen tests (mostly done with Burp Suite and the Kali Linux toolset), automated pen tests, yearly pen tests conducted by external security firms, and internal and external bug bounty programs, we cover the full spectrum of penetration testing.

3. Static code analysis

For static code analysis, SonarQube with the additional FindSecurityBugs plugin is used to discover potential security bugs in the code immediately.

4. Open source risk management

Black Duck Hub was the ideal solution for managing the list of open source components used in our products and for getting immediate alerts about newly disclosed security vulnerabilities in that open source software.

All these tools and disciplines are tightly integrated into our fully automated continuous delivery pipeline. If any stage of that pipeline breaks, the Dynatrace UFO, which “flies” around in the R&D labs, makes sure that everybody is aware of the situation and helps to fix the problem.

So what’s next?

We are constantly evaluating new tools and frameworks for automating manual pen test procedures, bringing static code analysis right into the pull request workflow, and using Dynatrace itself to stay secure.

The original version of this post was published on the Dynatrace blog.