Healthcare technology provider McKesson Corporation has centralised the control of its software development security review process by implementing a cloud-based solution from Veracode.
By using Veracode’s SecurityReview, John Sapp, director of product development standards – security, risk and compliance at McKesson, said that he now knows, rather than assumes, the state of the company’s development security issues.
“The number one benefit is the transparency and visibility – a complete understanding of what our risks and vulnerabilities are,” said Sapp.
McKesson operates around 50 software development groups, consisting of 6,000 developers, all over the world, including groups in London and Ireland. The company has created more than 800 applications over the past 20 years, and this year will bring around 50 new applications to market.
“We needed centralised control to give us transparent visibility into what our security issues were. I didn’t like the idea of self-certification,” said Sapp. “Veracode allowed us to centralise and give us independent verification.”
He added: “They [the security profiles] are known risk-based. Before, we were estimating based on assumptions of the manual processes and it’s more consistent now. I can be certain of the consistency.”
McKesson uses Veracode for static analysis, dynamic analysis and manual penetration testing. The solution replaced a “toolbox full of other products” that the healthcare company previously used for reviewing its application security.
“Now, I can see all the results for all the applications, and we can now focus our IT investment on higher IT priorities – anything considered a medical device, for example, the system in an anaesthesia cart.”
In addition to automating and speeding up the security review process, Sapp said that Veracode’s solution has also helped to vastly reduce the training time of developers.
“The planning curve is very short,” said Sapp. “It’s gone from a week of training to just 15 minutes to teach a developer how to load an app [with the accurate security parameters].”
While Sapp insisted that McKesson was driven by value rather than cost savings to choose Veracode’s solution, he admitted that the company may make savings in terms of staff and training.
“We could make savings due to the fact that we wouldn’t have to add headcount to perform security assessment, and due to lower training in security assessments,” said Sapp.
He also admitted that there was a culture change challenge in implementing the new cloud-based security review model in the business.
“There were some concerns because it was a new model. [The challenge] was making the security professional comfortable that we were outsourcing the security,” Sapp said.
Sapp recently spoke at a panel at the RSA security conference in London, which concluded that one of the common pitfalls of outsourcing software development is not clearly defining and communicating the business’s security requirements to the supplier.