Data-Driven Improvement of Static Application Security Testing Service: An Experience Report in Visma

Abstract

Security is increasingly recognized as an important aspect of software development processes. Improving processes for security in agile teams is very important to streamline the focus on security and keep the agility of the software development process. In Visma we use data to drive improvement of security services provided to the software teams. The improvement process involves changing the services or their structures after some period of usage and experience with it, driven by data collected during operations. We systematically identify the areas that need changes in order to become more valuable for the development teams and for the security program. In this paper we have described the improvement process used on the security static analysis service in Visma, the data we have used for that, how we extracted this data from the Static Application Security Testing (SAST) tool, the lessons learned and also provide some guidelines to other organizations that would like to use this method in their own services.