Numerous organizations made a concerted efforts to move to Agile Development and DevOps. This effort has led to a number of positive steps that the IT security community can leverage to address the software security risks facing them. These steps significantly improve the security, availability, integrity, and reliability of the application portfolio.
Effective configuration management is predicated on a stable computing environment designed specifically to manage the construction, testing, and deployment of enterprise software applications.
Establishing a build server on remote hosted platforms makes continuity of operations (COOP) and disaster recovery (DR), effective. COOP and DR are executive management priorities for funding. These safeguards are not practical with desktop build environments.
The building of the application and the execution of Fortify static code analysis are both quite resource intensive. Performing these on the developer’s desktop is slow and significantly reduces ability of the developer to perform other duties while these operations are underway.
Development by more than one developer is complicated and error-prone without a dedicated and reliable configuration management, integration, staging, and other testing efforts. Two or more developers cannot effectively share development on a single user desktop or laptop.
Desktop software is irrelevant – even detrimental – to application development and deployment. Desktop software (Microsoft Office, Adobe PDF, and web browsers) are potential attack vectors and threats to the application. With only the minimum essential programs and services, a build server presents a greatly reduced attack surface. Constant updates of the developers’ laptops perturb the assembly of the application and jeopardize its consistent deployment.
Backups of desktops are typically not performed. For example, a developer wrote applications, created scan artifacts, and remediated critical issues on his laptop. All of these were apparently lost when he left his organization, and his laptop was erased as per standard operating procedure for departing personnel.
We have found that a consistent build process is a key prerequisite for integration of static analysis into an application’s software development life cycle. Such a build process is an industry best practice. According to software development guru Jeff Atwood, “… the build server is critical– it’s the heart monitor of your software project. It can tell you when your project is healthy, and it can give you advance warning when your project is about to flatline.” https://blog.codinghorror.com/the-build-server-your-projects-heart-monitor/
Walt Houser 