Crank Software Achieves DevSecOps Success With CodeSonar by GrammaTech

To improve the integrity and security of their code, Crank Software, Inc. partnered with GrammaTech, a leading developer of software-assurance tools and advanced cyber-security solutions. Crank Software successfully implemented GrammaTech CodeSonar, an advanced static application security testing tool (SAST) that quickly finds and fixes quality issues while also easily integrating into the workflow.

The Challenge

Crank Software wanted a high-performance static application security testing (SAST) tool to advance the integrity of its code. It was critical that they found a solution that was not just technically sophisticated, but one that could be easily integrated into their cultural, technical ecosystem, and DevSecOps workflow. This includes a vigilant team of around 40 developers, including junior coders who employ a “test early and often” mentality and operate with a mindset of delivering strong, reliable, and secure code. 

DevSecOps is an integrated culture in organizations between Development, Security, and Operations teams who work together to respond to threats as early and as quickly as possible. DevSecOps breaks down silos between departments, leading to better-quality code. It’s currently in the early stages of mainstream adoption, with a 20-50% market penetration according to Gartner, with a projection that it will reach mainstream adoption in the next 2 to 5 years. 

DevSecOps at Crank Software is driven by the same tenets that make this collaborative process succeed: quality, security, and safety. The Crank team has a zero-tolerance policy for errors and strives to protect every aspect of their work from cascading failures. Integrating SAST into their DevSecOps workflow helps enable Crank Software to accomplish this goal.

The Solution

Advanced SAST tools like GrammaTech CodeSonar protect against code quality errors and security vulnerabilities while advancing DevSecOps. CodeSonar is designed to support large development teams and can easily be “dropped” in and integrated into the software development life cycle process. Purpose-built for developers, it’s a deep, detailed tool that puts an organization on the path to DevSecOps adoption, while finding critical vulnerabilities and quality issues — building in security at every stage of the process.

The Crank Software team implemented the CodeSonar advanced static analysis capabilities into their process to efficiently find and fix quality and security issues within their code. CodeSonar seamlessly integrated into their already established security practice and DevSecOps workflow. 

“We wanted to have a static analysis tool that was easy to integrate, that dropped into our continuous integration system, that ran quickly and had a low false positive count,” says Thomas Fletcher, Vice President of Research & Development at Crank Software. “After we evaluated other SAST solutions, choosing GrammaTech was a good choice and it was the way to go – it was just so easy to drop CodeSonar into our process.” 

Crank Software also noted the ability to use CodeSonar as a teaching tool, integrating developers into the DevSecOps culture with ease.

“It really supplements the coding standard with that set of best practices, and helps guide junior developers write higher quality code – they’re not the kinds of things that you’d pick up in school, they’re industry experience,” says Fletcher. As a result, issues are being caught early in the development process, saving time, but also allowing the team to employ and encourage DevSecOps culture organically. Crank has ensured quality, security, and safety with CodeSonar and conversely, these same benefits can be achieved by Crank’s customers.