A look at DevSecOps best practice and use of static application security testing (SAST) as part of the software development lifecycle at Iris ID.
The importance of security in software development is recognized in every industry, but takes on an extra measure of urgency in physical systems. Iris recognition-based solutions can be used in any application where identity authentication is required to enhance security, protect privacy and eliminate fraud. We recently set out on a project to improve the safety and security of our products against software vulnerabilities.
Iris ID has developed iris recognition technology for security uses since 1997. Our IrisAccess biometric security platform – now in its sixth generation – is currently in use at thousands of locations worldwide to authenticate the identities of millions of users daily, more than all other iris recognition products combined.
IrisAccess uses iris recognition technology to provide accurate identity authentication without PINs, passwords or cards. Iris recognition works by taking a picture of the user's iris (the colored ring around the pupil of the eye) and matching it against a database to accurately identify users and grant them secure, authorized access. The system is currently used in a variety of institutions such as data centers, research facilities, hospitals and businesses. It is used to authorize entry at border crossings and to identify prison inmates for booking and release, among other uses. Because of its key role in mission-critical tasks, Iris ID aims for near-perfect execution, a "five nines" level of reliability, operating with 99.999% accuracy.
Secure code is a basic component in the software development process. As we transitioned from a waterfall to an agile model, we decided to integrate end-to-end static application security testing (SAST) in our entire software development life cycle (SDLC).
We needed an on-premises SAST solution, because a software-as-a-service (SaaS) product would require constant uploading of code, which added too much exposure risk for our proprietary intellectual property. At the same time, we needed a product that was easy to use and could be integrated into existing development workflows and pipelines, but was powerful enough to spot vulnerabilities and other issues that could impact Iris ID products.
We chose CodeSonar from GrammaTech because it met the above criteria as we implemented a DevSecOps approach. CodeSonar could both identify code issues and also provide explanations to developers so they could fix problems. This enables our global development teams to not only avoid making mistakes, but learn from past errors so they don’t crop up again.
We started the project by using CodeSonar to scan the entire code base of the Iris ID system (more than 1,000,000 lines), which consists of 80% custom code and 20% open source code. We found a significant number of vulnerabilities and issues that our previous manual code reviews had missed. Then we implemented CodeSonar in our dynamically changing SDLC, which is used by developers in four different countries. Each team works on a different part of the Iris ID software stack, but the teams can also collaborate in the CodeSonar SAST solution to share the issues they have identified and how to fix them. They can review code together and discuss the issues found so that they can be fixed quickly.
We use Jenkins and Bitbucket for our CI/CD platform, Visual Studio as our IDE, and the C, C++ and C# languages across Windows, Embedded Linux and Android platforms. CodeSonar's seamless integration with our developer tools and its multi-language support were an ideal fit for our needs.
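One way to wire a SAST scan into a CI pipeline such as the Jenkins setup described above is a quality gate that fails the build only on new, high-severity findings, so that a large legacy backlog does not block every merge while newly introduced defects are still caught early. This is an added example, not Iris ID's or GrammaTech's code; it assumes the scanner can export its results as SARIF (a common SAST interchange format), and the report and baseline below are constructed sample data.

```python
import json
import sys

# Constructed SARIF-style scanner output (sample data, not a real CodeSonar report).
SAMPLE_SARIF = json.dumps({"runs": [{"results": [
    {"ruleId": "Buffer Overrun", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/match.c"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "Unused Value", "level": "note",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/ui.cpp"},
                                         "region": {"startLine": 7}}}]},
]}]})

# Findings that were already triaged in an earlier scan (constructed baseline).
BASELINE = {("Unused Value", "src/ui.cpp")}
# SARIF levels that should fail the pipeline.
BLOCKING = {"error"}


def load_findings(sarif_text):
    """Return (ruleId, file, line, level) tuples from a SARIF document."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            out.append((result["ruleId"], loc["artifactLocation"]["uri"],
                        loc["region"]["startLine"], result.get("level", "warning")))
    return out


def new_blocking(findings, baseline, blocking=BLOCKING):
    """Findings absent from the baseline whose level blocks the build.

    The baseline is keyed on (rule, file) rather than on the line number, so an
    unrelated edit that shifts lines neither hides nor duplicates a known finding.
    """
    return [f for f in findings if (f[0], f[1]) not in baseline and f[3] in blocking]


def gate(sarif_text, baseline):
    """Return 0 (pass) or 1 (fail), suitable as the exit status of a CI step."""
    blockers = new_blocking(load_findings(sarif_text), baseline)
    for rule, path, line, level in blockers:
        print(f"NEW {level}: {rule} at {path}:{line}")
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_SARIF, BASELINE))
```

In a pipeline, the scanner's exported report replaces SAMPLE_SARIF and the baseline is regenerated whenever a finding is fixed or accepted after review, so the gate tightens over time rather than staying static.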
Using SAST has helped us adopt a DevSecOps mindset across the development life cycle at Iris ID, which helps developers create a continuous improvement environment. By integrating SAST to analyze code and improve its quality, we are able to address issues early and throughout the SDLC, which also helps accelerate projects. This DevSecOps focus is a critical differentiating factor for Iris ID customers, especially government agencies and the military, who demand total reliability and security from our products. It has enabled us to make secure coding fundamental to the delivery of our products.
At the same time, this process offers another reassurance in the form of privacy protection. When the system captures an image of a person's iris and matches it to that person in a database, that image is considered personally identifiable information (PII). We need to deliver vulnerability-free code to keep the privacy of these individuals protected from cyber attackers, in the same way that other companies must protect their customers' addresses, birthdates or social security numbers from data breaches.
This article was originally published on Embedded.
Jun Hong, chief technology officer at Iris ID, has more than 20 years of technology leadership experience in the payments, biometrics and telecommunication industries. He has served in executive technology roles for SK C&C USA, LG Electronics USA and Lucent Technologies – Bell Labs.