LivePerson is first and foremost a technology company. As such, it relies on its strong R&D team to continue to innovate and enhance its technology. LivePerson has multiple products as well as some legacy products it supports. In total, the code base includes over 1 million lines of code, mostly in Java and C# with some in ASP. The development environment also includes diverse operating systems.
LivePerson is committed to maintaining the highest possible coding standards. This includes application security best practices and methodologies. Due to the size and complexity of the code base, a lot of thought and effort have gone into designing LivePerson's continuous integration environment.
A few important source code analysis requirements for LivePerson were:
• The ability to analyze incomplete code samples with missing dependencies in order to significantly reduce the time & resources required to audit a code sample for vulnerabilities.
• Accuracy – to avoid precious developer time lost, the solution must be highly accurate.
• A way of managing the delta – the developer should be able to compare the current scan with their last scan, see what the delta is and handle it (to confirm that a security vulnerability was actually fixed).
• Performance – by definition, due to the continuous integration environment, the performance was critical to avoid creating a bottleneck at the security scan stage. The requirement was to scan 30-40K LOC within a few minutes.
• Multiple concurrent scans – the source code analysis solution must support many concurrent scans of developers.
• Strong & dedicated support – to assist with the configuration and implementation of the source code analysis solution in the continuous integration environment, LivePerson realized it required a solution provider flexible enough to help with any adaptations needed to suit its exact requirements. The solution must be open and flexible enough to support customization specific to LivePerson.
The Alternatives
LivePerson conducted extensive research and evaluated various static code analysis security solutions on the market, including some open source applications. In addition, LivePerson spoke to companies that are using source code analysis solutions to get their feedback.
The selection of Checkmarx
After determining that Checkmarx best met LivePerson's requirements, LivePerson decided to run a proof of concept (POC) internally on its real source code with Checkmarx's technology, to do some additional qualification of the solution.
Checkmarx was highly responsive throughout the POC process – for deployment assistance, fine-tuning related matters, etc. It was important for LivePerson to find a solution coupled with strong & dedicated support to assist with the implementation & configuration process in the continuous integration environment.
Eventually, due to the technological edge of Checkmarx and the commercial aspects (the ROI for Checkmarx was superior to alternative solutions for LivePerson’s needs), Checkmarx was selected as LivePerson's source code analysis technology.
The Implementation
LivePerson works in an agile / continuous integration mode and has 150+ developers. Therefore, an automated secure code review was critical, and the only practical way to achieve it was to implement the review as an automatic step in the build process.
LivePerson's secure SDLC works as follows:
1. Engineers write their code locally.
2. The code is then checked into SVN.
3. That triggers an automatic system test. The code has to pass a few milestones.
4. Before compilation begins, Checkmarx source code analysis is executed to identify security vulnerabilities. If there are medium or high severity issues, there won't be a build.
5. The developer is notified that the build didn't complete and receives a report specifying the reasons and how those vulnerabilities can be remedied.
6. The developer then has to fix the security issues and have their code re-scanned by Checkmarx.
LivePerson created a dashboard within TeamCity which displays Checkmarx's outputs using raw XML data reports exported by Checkmarx's engine. The integration with TeamCity was developed in-house.
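The build gate in steps 4 and 5 and the delta requirement from the list above can be implemented as a small script that consumes an exported XML report, as in this added example (not LivePerson's in-house TeamCity integration and not Checkmarx's own code). The XML schema used here is a simplified, constructed one chosen for illustration; Checkmarx's real export format is not reproduced.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports in an assumed, simplified schema (not the real
# Checkmarx export format): one <Result> per finding with severity and location.
PREVIOUS_SCAN = """<Results>
  <Result Severity="High" Query="SQL_Injection" File="Login.java" Line="42"/>
  <Result Severity="Medium" Query="XSS" File="Chat.cs" Line="17"/>
  <Result Severity="Low" Query="Hardcoded_Password" File="Cfg.java" Line="3"/>
</Results>"""

CURRENT_SCAN = """<Results>
  <Result Severity="Medium" Query="XSS" File="Chat.cs" Line="17"/>
  <Result Severity="Low" Query="Hardcoded_Password" File="Cfg.java" Line="3"/>
  <Result Severity="High" Query="Path_Traversal" File="Upload.aspx" Line="88"/>
</Results>"""

# Severities that block the build, matching the medium / high rule in step 4.
BLOCKING = {"High", "Medium"}


def parse_results(xml_text):
    """Return the findings in a report as a set of (severity, query, file, line)."""
    root = ET.fromstring(xml_text)
    return {
        (r.get("Severity"), r.get("Query"), r.get("File"), int(r.get("Line")))
        for r in root.iter("Result")
    }


def scan_delta(previous_xml, current_xml):
    """Compare two scans: fixed = gone since last scan, new = not seen before."""
    prev, cur = parse_results(previous_xml), parse_results(current_xml)
    return {"fixed": prev - cur, "new": cur - prev, "unchanged": prev & cur}


def build_gate(current_xml):
    """Return (passed, blocking_findings); any Medium/High finding fails the build."""
    blocking = sorted(r for r in parse_results(current_xml) if r[0] in BLOCKING)
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    passed, blocking = build_gate(CURRENT_SCAN)
    delta = scan_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    print("build", "PASSED" if passed else "FAILED")
    for sev, query, path, line in blocking:
        print(f"  {sev:6} {query} at {path}:{line}")
    print("fixed since last scan:", sorted(delta["fixed"]))
    print("new since last scan:", sorted(delta["new"]))
    raise SystemExit(0 if passed else 1)  # non-zero exit code fails the CI step
```

Run against the constructed data, the gate fails the build on the two blocking findings, and the delta shows the SQL injection finding as fixed and the path traversal finding as new.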
The Bottom Line
“Checkmarx's technology is highly accurate and easy to use. It offers great performance and the ability to scan incomplete code samples. Checkmarx was agile enough to support specific requests we had for our secure SDLC and was the most sensible decision commercially.”
By Yair Rovek, Security Specialist, LivePerson