Do you remember when source code reviews of web applications were carried out manually? Without proper understanding of the nuances and logic built into the source code, this was not always a straightforward task. But a lack of systematic examination of the flaws and vulnerabilities within your application source code could have a major security impact on your web applications and systems.
Life before automation
Your source code review team needed a full understanding of the design and standards used in developing the applications. They would then have to select a catalog of appropriate tools to scan the application code and identify vulnerabilities such as SQL injection, remote code execution, cross-site scripting, header injection, HTTP response splitting, and control-flow flaws.
Hundreds of thousands of lines of source code would be transferred to a secure standalone system to carry out the code review, generating multiple reports containing thousands of items in various formats, including XML, HTML, PDF, and CSV. These reports would then have to be consolidated into a single format by manually copying the required fields from the various report files into a Microsoft Excel file before analysis could begin.
In one project for a leading manufacturing sector client, we carried out a review to identify the flaws in their application source code. We scanned around 600,000 lines of source code and generated a total of 12 reports containing around 56,000 items across formats. It took four people each working for five days (a total of 20 days) to manually complete the consolidation work, remove false positives, and provide recommendations to mitigate the resultant vulnerabilities present in the code. Just thinking about it makes me sweat!
The impact of RPA
With the advent of robotic process automation (RPA), we now automate most manual and repetitive report conversion, consolidation, and analysis processes to minimize human effort, delivering increased efficiency and reduced project duration for our clients.
I recently returned to the raw and consolidated reports created for our manufacturing client’s source code review project to assess how RPA would impact the speed and efficiency of the consolidation. By leveraging RPA, only a single resource would be needed to complete the source code review, as opposed to the four resources previously used in the manual review process. This represents a reduction in manual effort of around 75% and a significant reduction in cost, while delivering the output faster and more accurately.
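As an added example (not code from the original post or from Capgemini), here is a small Python consolidator of the kind that replaces the manual copy-into-Excel step: it reads two constructed scanner reports in XML and CSV, maps them onto one schema, merges duplicate findings reported by more than one tool, drops reviewer-marked false positives, and emits a single CSV table. The tool names, report layouts and findings are all assumptions.

```python
import csv, io
import xml.etree.ElementTree as ET
# Constructed sample reports from two hypothetical scanners (not real tool output).
XML_REPORT = """<report>
  <finding file="src/login.php" line="42" type="SQL Injection" severity="High"/>
  <finding file="src/view.php" line="17" type="Cross-Site Scripting" severity="Medium"/>
  <finding file="src/util.php" line="5" type="HTTP Response Splitting" severity="Low"/>
</report>"""
CSV_REPORT = """file,line,vulnerability,severity
src/login.php,42,SQL Injection,Critical
src/header.php,88,Header Injection,Medium
src/view.php,17,Cross-Site Scripting,Medium
"""
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def parse_xml(text, tool):
    """Map one scanner's XML report into the common finding schema."""
    return [{"tool": tool, "file": f.get("file"), "line": int(f.get("line")),
             "type": f.get("type"), "severity": f.get("severity")}
            for f in ET.fromstring(text).iter("finding")]

def parse_csv(text, tool):
    """Map another scanner's CSV (different column names) into the same schema."""
    return [{"tool": tool, "file": r["file"], "line": int(r["line"]),
             "type": r["vulnerability"], "severity": r["severity"]}
            for r in csv.DictReader(io.StringIO(text))]

def consolidate(findings, false_positives=frozenset()):
    """Merge on (file, line, type): keep highest severity, record agreeing tools, drop false positives."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["type"])
        if key in false_positives:
            continue
        e = merged.setdefault(key, {"file": f["file"], "line": f["line"], "type": f["type"],
                                    "severity": f["severity"], "tools": set()})
        e["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[e["severity"]]:
            e["severity"] = f["severity"]
    return sorted(merged.values(),
                  key=lambda e: (-SEVERITY_RANK[e["severity"]], e["file"], e["line"]))

def to_csv(rows):
    """One consolidated table, replacing the hand-copied spreadsheet."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["file", "line", "type", "severity", "tools"])
    for r in rows:
        w.writerow([r["file"], r["line"], r["type"], r["severity"], ";".join(sorted(r["tools"]))])
    return out.getvalue()
```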
To find out more about how our governance, risk management and compliance (GRC) services can automate your source code review process and help save time and money for your clients, contact: firstname.lastname@example.org
Click here to learn more about how Capgemini’s GRC portfolio can enhance your reputation and deliver real business value.