Technology Powerhouse

ENERGY

Global technology powerhouse secures manufacturing execution systems with SonarQube Server

Key Results

  • Over 100 applications developed in C# .NET, JavaScript and C++
  • 600 developers using SonarQube Server for Clean Code daily
  • Fully customized Azure DevOps dashboards using SonarQube Server’s REST API
  • Integrated into developer workflow with Microsoft TFS and Microsoft Teams
  • 18 times faster with better results in direct SAST vendor comparison

The challenge

After a serious malware incident at an industrial facility, one of the world’s largest suppliers of power generation and transmission equipment raised its game on security. Its division builds manufacturing execution systems (MES) that are connected to plants, controllers and business applications holding strategic customer information. To protect these valuable assets, all vulnerabilities and defects must be fixed before a product can be released. However, penetration tests and black-box tools do not cover all parts of the code and miss vulnerabilities. An in-house aggregator for open source code analysis tools was developed, but it quickly became too expensive to maintain and lacked language support, usability and actionable results.

The solution

During an internal audit, SonarQube Server was recommended for its speed and precision. Other established SAST products were also evaluated, but they did not integrate well into the triaging workflow, did not find enough issues or were too slow. In direct comparison, SonarQube Server’s static analysis took 20 minutes instead of many hours and produced significantly better results out of the box. These were further optimized by using Quality Profiles. SonarQube Server’s comprehensive REST API enabled the teams to build custom steps in Microsoft TFS and custom dashboards in Azure DevOps, and to send status messages via MS Teams.

The results

After four years of using SonarQube Server, a shift in the team’s mindset is clearly visible. Security is driven by developers who know the code and understand the risks. Already 600 developers operating across three continents use SonarQube Server every day to review their pull requests, with more to join. In every morning’s stand-up meeting, teams discuss the quality and security of their code and how it can be improved. The pipeline automatically fails when the customized Quality Gate fails, so severe vulnerabilities are detected and fixed long before they could be exploited in production.

“Security is part of our development process. In order to understand if you have a problem, you need to know the code and understand the risks. SonarQube Server helps us to find vulnerabilities, and every morning SonarQube Server results are evaluated in our stand-up meetings.”

Technical Lead

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.