The SCW Trust Agent can be configured with a code commit policy that matches your organization's specific requirements and risk appetite. By defining the minimum baseline levels of training required for your developers, you are able to monitor the commit health of your repositories and identify gaps in your training program, developer coverage, or language coverage.
The Trust Agent assigns one of three categories to code commits to provide visibility into whether developers' security competency matches the required levels and whether the required training has been completed in the correct language. The three categories are:
- High trust commit - a commit that has been made by a developer with sufficient security competency in all languages used in the commit at the time of the commit
- Moderate trust commit - a commit that has been made by a developer with sufficient security competency at the time of the commit, but without full coverage of all languages used in the commit
- Low trust commit - a commit that has been made by a developer without sufficient security competency
The first step in configuring your Trust Agent policy is to decide on the baseline requirements for what you consider to be a Trained commit. In a typical application security program there will be a set of mandatory content in the form of courses or assessments that must be completed. You may also wish to set a skill-based requirement, as measured by a developer's SCW skill level.
The second step is to configure these learning requirements in the Trust Agent by navigating to Administration > Trust Agent Configuration > Manage Policy.
To add a minimum skill level requirement, enable the Require Skill Level setting, click Edit Skill Level, and adjust the minimum skill level using the slider, before clicking Apply Skill Level to save your policy.
To add a mandatory content requirement, enable the Assign Mandatory Training Content setting, click Edit Content to bring up the learning content selection screen, and select the identified courses or assessments from the list. You can use the search box and the Select All checkbox to quickly find and select large numbers of courses or assessments. Once your selection has been made, review the list of selected learning content and then click Apply Selection.
Once your policy has been configured, a summary of the defined policy appears in the Policy Definitions section, listing the criteria for high trust, moderate trust, low trust, and non-code commits based on your selections.
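The following Python is an added illustration of how the three trust categories above combine with the two policy requirements (minimum skill level and mandatory content). It is not the Trust Agent's own code, whose internals are not shown here; the data model, the content id, the developer names, the dates and the treatment of skill level as a snapshot rather than a dated history are all assumptions made for the example. It also goes one step beyond the text by aggregating the per-commit categories into the language and developer coverage gaps the dashboard is meant to surface.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Hypothetical data model (assumption): the real Trust Agent schema is not on the page.

@dataclass(frozen=True)
class Policy:
    min_skill_level: Optional[int]        # None models "Require Skill Level" being disabled
    mandatory_content: FrozenSet[str]     # empty set models no mandatory courses/assessments

@dataclass
class DeveloperRecord:
    skill_level: int                      # assumed to be a snapshot valid for the period evaluated
    completed_content: Dict[str, date]    # content id -> date the course/assessment was completed
    language_competency: Dict[str, date]  # language -> date competency in that language was reached

@dataclass(frozen=True)
class Commit:
    author: str
    committed_on: date
    languages: FrozenSet[str]             # empty set models a non-code commit

def developer_trained(dev: DeveloperRecord, policy: Policy, as_of: date) -> bool:
    """A 'Trained' developer meets the skill floor and has finished all mandatory content by as_of."""
    if policy.min_skill_level is not None and dev.skill_level < policy.min_skill_level:
        return False
    return all(
        cid in dev.completed_content and dev.completed_content[cid] <= as_of
        for cid in policy.mandatory_content
    )

def covered_languages(dev: DeveloperRecord, as_of: date) -> Set[str]:
    """Languages in which the developer had reached competency on or before the commit date."""
    return {lang for lang, reached in dev.language_competency.items() if reached <= as_of}

def classify_commit(commit: Commit, dev: DeveloperRecord, policy: Policy) -> str:
    """Return 'non-code', 'low', 'moderate' or 'high', evaluated as of the commit date."""
    if not commit.languages:
        return "non-code"
    if not developer_trained(dev, policy, commit.committed_on):
        return "low"
    if commit.languages <= covered_languages(dev, commit.committed_on):
        return "high"
    return "moderate"

def commit_health(commits, developers, policy) -> Tuple[dict, dict, dict]:
    """Category counts plus the gaps behind them: uncovered languages and low-trust authors."""
    counts = Counter()
    uncovered_languages = Counter()   # language coverage gaps (moderate-trust commits)
    low_trust_by_author = Counter()   # developer coverage gaps (low-trust commits)
    for c in commits:
        dev = developers[c.author]
        category = classify_commit(c, dev, policy)
        counts[category] += 1
        if category == "moderate":
            uncovered_languages.update(c.languages - covered_languages(dev, c.committed_on))
        elif category == "low":
            low_trust_by_author[c.author] += 1
    return dict(counts), dict(uncovered_languages), dict(low_trust_by_author)

def sample_report() -> Tuple[dict, dict, dict]:
    """Constructed sample data: one policy, three developers, seven commits."""
    policy = Policy(min_skill_level=2, mandatory_content=frozenset({"owasp-top-10"}))
    developers = {
        "alice": DeveloperRecord(3, {"owasp-top-10": date(2024, 1, 10)},
                                 {"python": date(2024, 1, 15), "javascript": date(2024, 2, 1)}),
        "bob":   DeveloperRecord(1, {}, {"python": date(2024, 1, 5)}),
        "carol": DeveloperRecord(2, {"owasp-top-10": date(2024, 3, 1)}, {"python": date(2024, 3, 5)}),
    }
    commits = [
        Commit("alice", date(2024, 2, 10), frozenset({"python"})),        # high
        Commit("alice", date(2024, 2, 10), frozenset({"python", "go"})),  # moderate: go not covered
        Commit("alice", date(2024, 1, 12), frozenset({"python"})),        # moderate: python competency dated after the commit
        Commit("alice", date(2024, 2, 12), frozenset()),                  # non-code
        Commit("bob",   date(2024, 2, 10), frozenset({"python"})),        # low: skill level below the minimum
        Commit("carol", date(2024, 2, 20), frozenset({"python"})),        # low: mandatory content finished after the commit
        Commit("carol", date(2024, 3, 10), frozenset({"python"})),        # high
    ]
    return commit_health(commits, developers, policy)

if __name__ == "__main__":
    counts, language_gaps, developer_gaps = sample_report()
    print("categories:", counts)
    print("uncovered languages:", language_gaps)
    print("low-trust commits by author:", developer_gaps)
```

The two date comparisons are the part worth keeping in mind when reading the dashboard: a developer who completes the mandatory content, or reaches competency in a language, after a commit does not retroactively raise that commit's trust level, so a backlog of low or moderate commits from before a training push is expected rather than a sign of a misconfigured policy.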
You can now return to the Trust Agent dashboard to see your newly configured policy applied.