Among the various code management platforms on the market, Atlassian’s Bitbucket is one of the most popular. The tool hosts a cloud-based Git repository that integrates very well with Jira and other Atlassian products. In this post, we will guide you to get the most out of Bitbucket’s integration with the Conviso Platform, helping to increase your application’s security maturity level.
Currently, Bitbucket has over 10 million registered users. In this context, it is important to emphasize security during the Software Development Cycle (SDLC) and in the development team’s workflow, from application development to deployment.
To ensure we can implement a security-first mindset without impacting development speed, we built our platform integration with Bitbucket.
How does this integration work?
The integration of Conviso Platform with the Bitbucket tool can be done via API, allowing the creation of tasks, comments and also a webhook for comments. This Defect/Bug Tracking integration is performed following the steps as per the tutorial in this documentation. Thus, it is possible to manage vulnerabilities, integrating the stack of tools of the dev teams with the platform.
Additionally, we also integrate with Bitbucket Pipelines, a feature within Bitbucket for CI/CD service, being performed according to this other documentation. This integration allows you to integrate your development pipeline with Conviso Platform’s Secure Pipeline product without affecting the team’s business or processes.
Now, let’s talk specifically about the benefits of this integration and how the platform will contribute to security in your development cycle.
Review code versions
In a systematic software building process, the security reviews step usually happens at the end, when the application is ready.
However, through the integration with Pipelines Bitbucket, it is possible to integrate actions for Code Review into the development pipeline, building a process of continuous reviews, centralizing vulnerability information in a single place and bringing security measures right at the beginning of the flow. This causes teams to reduce the time to fix software vulnerabilities.
This integration allows that as soon as there is a change in the code, it can be reviewed as soon as possible, as its new version will trigger a demand within the Conviso Platform, triggering the test teams.
Additionally, the entire review process through a single platform means ensuring that the knowledge gained from solution actions over time is maintained and passed on to new team members.
Determine security tests and reviews
But how do you ensure your open source dependencies and third-party packages are free from vulnerabilities?
Through Conviso Platform’s Secure Pipeline, your Bitbucket code will be automatically verified by static analysis (SAST) and Software Composition Analysis (SCA) tools, and the results will be treated centrally on the platform as findings.
Thus, it is possible to integrate the Conviso Platform with the main security tools on the market or using our own bundle of open source tools to find vulnerabilities.
In other words, security testing is automated throughout the Software Development Life Cycle (SDLC) and not just in a few stages.
Application Security Testing Orchestration
The Conviso Platform can help teams maintain a series of centralized procedures, which can be followed and validated directly on the platform, without the need for other tools that increase management complexity.
Through this integration with the Conviso Platform, you implement Application Security Testing Orchestration (ASTO) and benefit from the integration of security analytics into your development or production pipeline.
The platform automatically executes the necessary security tools at the right time, based on the importance of code changes, the total risk score, and the organization’s own security policies.
Manage and control vulnerabilities
In our integration with the Defect Tracking Issues service, the Conviso Platform bi-directionally creates and updates vulnerability statuses by sending these changes into the Bitbucket resource where Issues are organized. This integration allows tickets or tasks to be automatically created when new vulnerabilities are identified in your Bitbucket code.
Vulnerabilities identified in your code will rely on the Conviso Platform for their management and production of advanced security reports. All this in a simple way, without affecting the internal processes of the teams.
With this data, you can intelligently talk about the status/trends of software security in your organization and illustrate the progress of these processes.
The complete platform in AppSec
When you have control and management of your application’s vulnerabilities, you also have important data about the main gaps in the development team’s secure coding techniques.
With Conviso Platform’s People & Culture, you can identify gaps in your development team’s knowledge of secure programming that need to be developed through technical exercises and training provided based on these metrics.
Using Conviso Platform’s Secure by Design product, development teams can perform threat modeling and identify security requirements in a consistent, scalable, and intelligent manner, even before coding and managing code in Bitbucket; detecting issues that IAST tools typically fail to identify.
Therefore, with the Conviso Platform suite, it is possible to include security in all phases of development in the daily life of the developer in a simple and automated way.