Key Results
- Over 100 applications developed in C# .NET, JavaScript and C++
- 600 developers using SonarQube for Clean Code daily
- Fully customized Azure DevOps dashboards using SonarQube’s REST API
- Integrated into developer workflow with Microsoft TFS and Microsoft Teams
- 18 times faster with better results in direct SAST vendor comparison
The Challenge
After serious malware hit an industrial facility, one of the world’s largest suppliers of power generation and transmission raised its game on security. Its division builds manufacturing execution systems (MES) that are connected to plants, controllers and business applications with strategic customer information. To protect these valuable assets, all vulnerabilities and defects must be fixed before a product can be released. However, penetration tests and black-box tools do not cover all parts of the code and miss vulnerabilities. An in-house aggregator for open source code analysis tools was developed, but it quickly became too expensive to maintain and lacked language support, usability and actionable results.
The Solution
During an internal audit, SonarQube was recommended for its speed and precision. Other established SAST products were also evaluated but did not integrate well into the triaging workflow, didn’t find enough issues or were too slow. In direct comparison, SonarQube’s static analysis took 20 minutes instead of many hours and produced significantly better results out of the box. These were further optimized by using Quality Profiles. SonarQube’s comprehensive REST API enabled the teams to build custom steps in Microsoft TFS and custom dashboards in Azure DevOps, and to send status messages via MS Teams.
The Results
After four years of using SonarQube, a shift in the team’s mindset is clearly visible. Security is driven by developers who know the code and understand the risks. Already 600 developers operating across three continents happily use SonarQube every day to review their pull requests, with more to join. In every morning’s standup meeting, teams discuss the quality and security of their code and how it can be improved. The pipeline automatically fails when the customized Quality Gate fails so that severe vulnerabilities are detected and fixed long before they end up as a potential exploit in production.