Iris ID

Iris ID Implements DevSecOps with CodeSonar

Highlighting the importance of the technology, Jun Hong, Chief Technology Officer at Iris ID, states, “Failure of our products is unacceptable, and we strive to deliver five nines (99.999%) of reliability.” A device failure due to a vulnerability or issue in the software code could lead to people not being properly identified causing significant delays or even complete access shutdowns. To ensure highly reliable and secure products, Iris ID designs and architects its products with security in mind from the very beginning.

“Developing secure code is fundamental to ensuring our products function as expected,” explained Hong. With a background in mobile commerce, Hong knew the importance of static application security testing (SAST) and the requirements by banks and payment networks to use SAST products to develop secure code. With Hong leading an initiative to move its development methodology from waterfall to agile, he sought out a SAST product that could help the Iris ID team become more efficient in testing software and ensuring the security, quality, and reliability of the Iris ID products.

After evaluating SAST offerings from Veracode and Micro Focus (Fortify), Hong chose CodeSonar from GrammaTech to meet two objectives. First, Iris ID required an on-premises SAST solution to keep the company’s intellectual property protected. “We didn’t want to continually upload our code to a SaaS product and expose our proprietary intellectual property to increased risk. The CodeSonar on-premises deployment was a perfect fit,” added Hong.

Second, he wanted to introduce a SAST product that was easy to use, could be integrated into its DevSecOps process, and was powerful enough to find vulnerabilities and issues that could impact the Iris ID products. “Our development team found CodeSonar extremely easy to use. Not only does it find vulnerabilities and issues, but it also provides explanations about why these are problems so our developers can avoid making the same mistakes again,” said Hong

The initial use of CodeSonar was a complete scan of the existing Iris ID code base. The development team was both shocked and impressed that CodeSonar found thousands of vulnerabilities and issues that had been missed in past manual code reviews. Now, CodeSonar is part of a dynamically changing software development life cycle (SDLC) supporting four teams of developers located in the United States, Korea, Ukraine, and India. The development teams, working on different parts of the Iris ID software stack, all work within a centralized instance of CodeSonar to pinpoint and share issues as they are identified. “With CodeSonar, our developers can look at the code together, discuss the issues, and understand why they were found so they can be quickly fixed,” added Hong. With CodeSonar and a new DevSecOps mindset, Iris ID is continually improving the security and reliability of its leading iris recognition products.

For its customer, providing secure products is not only essential for granting the right access to the right people by reducing vulnerabilities but also for safeguarding personally identifiable information (PII) and ensuring privacy. “When capturing an image of a person’s iris and matching it to an individual in a database, that image is considered PII. We need to deliver vulnerability-free code to keep the privacy of these individuals protected from cyber attackers,” said Hong. Introducing CodeSonar into its DevSecOps process has enabled the Iris ID development team to truly make secure coding fundamental to the delivery of its leading products. This is important for many of its customers, especially government agencies and military organizations, that need assurance its products are secure.