Customers: SIGMA (St. Petersburg) St. Petersburg; Information Technology Contractors: Solar (formerly Rostelecom-Solar) Product: Solar appScreener (formerly Solar inCode)Project date: 2022/04 - 2024/08
|
2024: Summary of implementation of secure development practices
On August 27, 2024, Solar announced that SIGMA had summed up the implementation of secure development practices. Since 2022, the company has been using the Solar appScreener solution of Solar Group in projects to digitalize the energy industry. SIGMA's portfolio includes about 30 specialized solutions, 20 of which are included in the Register of Domestic Software. SIGMA's developments are used by PJSC Inter RAO, PJSC Rosseti and other energy companies, therefore, the formation of DevSecOps practice based on Russian solutions has become critical for the vendor. As a result of the implementation, the company has reduced the period for updating software and developing software products.
As reported, SIGMA was faced with the task of implementing secure development processes from scratch to ensure maximum security of both its own products and custom software.
{{quote 'author
= said Alexander Evteev, Director of the Information Security Department of SIGMA' Information security has always been the focus of our attention, and we decided to move to another level by introducing a secure development process. The work began two and a half years ago. At that time, on the secure development of
we had no competencies, no regulations, no tools. We started by consulting with a third-party company, drawing development processes, developing regulations, assembling teams, testing and comparing various solutions that fit us.}}
Increased requirements for information security of solutions within the energy sector and the InterRAO group of companies have also become another factor in the implementation of DevSecOps practices. Energy companies are among the TOP-10 industries exposed to the risks of cyber attacks, while the cost of error and the impact of information security incidents on the sustainability of the economy and quality of life are critical.
{{quote 'author
= explained Alexander Evteev' First we analyzed all the development processes that exist in our
companies. SIGMA has about 30 products, and we needed to communicate with all development teams, understand the specifics of their work, and determine how to integrate secure development practices.}}
Having decided on the processes, the company moved on to the formation of tasks. It was necessary to understand which specialists, competencies and in how many are needed, which tools need to be used. At the first stage, the company formed a team of experts on secure development, conducted training for developers and, in general, formed the DevSecOps culture in the company. As a result, a separate division was created, in which 8 secure development specialists work as of August 2024. SIGMA paid special attention to the selection and implementation of tools for analyzing and monitoring code security.
At the start, a list of necessary tools was compiled, they were divided into categories, and the most suitable product was selected in each category. The first tool to be implemented was the Solar appScreener SAST module. The decisive factor in choosing a solution was the support of 36 programming languages, which was critical for the company, taking into account the wide range of software being developed. In addition, an important aspect was the ability to analyze the 1C code, since SIGMA actively uses this platform in its solutions.
We had an extensive model for comparing a product with open source and other paid solutions. Solar appScreener turned out to be suitable for our criteria. We integrated Solar appScreener with GitLab, starting with one or two projects. Then they set up integration with Jira, but eventually switched to orchestrator, and Solar appScreener became our static analysis tool. Other integrations, vulnerability management, running scans are performed through the orchestrator. The tool itself is closely integrated into all secure development processes and plays one of the key roles. supplemented by Alexander Evteev |
Alexander notes that one of the advantages of Solar appScreenwriter is a quick start. Neither engineers nor analysts had a long and difficult time understanding the product. Usability of both the technical and user parts made it possible to implement the tool and immediately start working with it.
Other tools are also used - component analysis, container analysis, DAST analysis, fuzzing testing. The system is built on the solutions of various vendors to cover all aspects of secure development.
Application security even at the development stage reduces the risks of identifying vulnerabilities in software after products enter the market, especially if IT commands use components from open source libraries. Therefore, the IT community has generated a request for platforms for comprehensive code analysis, including SAST, DAST, SCA and SCS tools available on the same interface. Such solutions also allow you to optimize the resources of the information security team and developers, thanks to the automation of code analysis and control the work of contractors who are engaged in software development. emphasized Anton Prokofiev, security control expert at Solar appScreener, Solar Group of Companies |
To reduce the risks of identifying software vulnerabilities after products enter the market and begin to use them, information security teams and developers must take care of the security of applications at the stage of their creation. A set of checks will help in this, including such types of analysis as SAST, DAST, SCA, SCS. Such tools are available in Solar appScreener, a software due diligence platform that supports thirty-six programming languages as of August 2024. This is a Russian solution that includes four types of code analysis at once in one interface, and the interface itself is convenient and understandable to all categories of users - from developers to information security service employees.
Despite the fact that additional security checks have been added, in fact, the time-to-market has been reduced because applications undergo fewer iterations of vulnerability fixes. For August 2024, the SIGMA development team uses Solar appScreenwriter to analyze 16 project groups that are being developed in more than 10 programming languages.
{{quote 'author
= told Alexander Evteev' The introduction of the process took place with us quite quickly - in about 6
months. Of course, the company continues to improve its processes, but the foundation was laid during this period. For August 2024, we are working on changes. We optimize the settings of implemented tools, constantly finalize the rules, automate the routine work of experts, expand the internal training program for developers.}}
In addition, the company is introducing additional mechanisms that will minimize the number of falsely positive positives. The plans also include the development of other practices, for example, the security of containerization environments.
For companies that are just beginning their journey to secure development, I would recommend starting by selecting leaders and experienced safe development experts who can build the process. First people, then processes, then tools. It is also important to establish interaction with development teams - this is the most difficult and painful stage for everyone, but as a result you will have a team that creates not only functional, but also safe products. advised Alexander Evteev |