How Green Flag (Direct Line Group) uses Codacy for PCI DSS compliance
We spoke with Kader Kawsar, Heading up Software and Data Engineering at Green Flag (Direct Line Group), about how Codacy helps them comply with PCI DSS (Payment Card Industry Data Security Standard) and prevent security issues.
About Green Flag and Direct Line Group
Founded in 1971, Green Flag (originally National Breakdown Service) helps motorists in the UK when their vehicles have a breakdown or need assistance. Green Flag is part of the Direct Line Group, which provides insurance policies.
The main programming languages used by the Green Flag development team include Python and AngularJS. In addition, they use Bitbucket as their version control system.
Main goal: PCI DSS compliance
Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to make sure that companies who accept, process, store, or transmit credit card infrastructure maintain a secure environment.
Green Flag’s main goal was to comply with PCI DSS, particularly with requirement 6.3.2, which states: “review custom code prior to release to production or customers in order to identify any potential coding vulnerability.” Every time the source code goes into production, it must be reviewed. Green Flag’s developers were already using Bandit for Python on their IDE, but they needed a solution that covered static code analysis.
As Kader stated, “In every pull request, a peer would review it just to make sure that the code has good quality, not just from the security point of view, but also the standards. Putting Bandit in the local machine is good, but we need something that’s on the server so that when they do the review, code quality is automatically checked. So Codacy helps us with the static code analysis of the review. There are loads of different reviews that need to be done, but static code analysis is one of the main ones PCI requires.”
Another requirement for the PCI is that the security team can see if there are any issues or vulnerabilities related to security. This team needs to check the static code, dynamic activity, and what’s happening in the infrastructure. That’s where custom security dashboards based on Codacy API come to play.
Custom security dashboards based on Codacy API
The Codacy API allows you to programmatically retrieve and analyze data from Codacy. It can be used in various scenarios, like adding many people to Codacy, adding multiple repositories, or obtaining code quality metrics for specific files.
In the Green Flag’s case, they needed a solution that only showed them the security issues per repository. This way, the security team could review those issues without requiring additional licenses. Using the API was the perfect way to filter the dashboards.
As Kader explained, “Codacy gives us a lot of detail, which is very good for developers and their managers to make sure that they maintain good code quality and are following a coding standard. But it’s too detailed for the security personnel because they’re not interested in details other than security.”
Access control was also an important reason for using the API instead of giving the security team access to Codacy and Bitbucket. Like Kader added, “We don’t necessarily need to give them access to the code because they’re not interested in it. They just want a final report. So this is where the API came in.”
So, how was the process of using the API? According to Kader, it was fairly simple: “I did a very quick script, which every day just looks into the API, gets all the issues, filters only the security ones, creates a Parquet format, and puts it into an S3 bucket. One of our data scientists created a side dashboard that goes and checks that Parquet bucket and presents it in a nice way to what the security people need (…). The API integration was very good, and the documentation is excellent.”
Our team here at Codacy was happy to help Green Flag in this process. As Kader noted, “We got help from your team; that was very much appreciated. We got that very, very quickly; it was done in days.” We’re here for you!
Codacy as part of the Green Flag’s development lifecycle
About three years ago, Green Flag completely overhauled the code and the infrastructure. They had been working with a legacy system for a while, but it had become too slow. Going for a whole new platform and knowing the need to be PCI DSS compliant allowed them to build the new system with code quality in mind from day one.
As Kader said, “Right from the beginning, we were going through the full thing. We had a complete shift left pattern, which means we do all our testing, code quality, and everything earlier on. So when we go to production, it is very clean.”
This means there is an initial code verification when the code is still in the developers’ IDE. Green Flag was looking for a solution to work as a second gatekeeper that was centralized and not only dependent on developers. As Kader explained, “We use Codacy during the merging process, not necessarily for every time they commit. The reason is that Bandit, for example, is already built into the IDE. So the developers already know about what’s gone wrong (…) because we shift left. But we enforce that check during the merge time, and that’s where Codacy comes in.”
As such, Codacy serves as a second check that is easily integrated into GreenFlag’s Bitbucket. Developers can correct the issues presented in their IDE, but there is no guarantee they’ll act based on that information or even if they’ll keep Bandit on. As Kader pointed out, “If developers accidentally turned it [Bandit] off, or they’ve ignored something in their development environment, Codacy will pick it up and say, ‘Look, you forgot to do this.’.”
Finally, Codacy also helps Green Flag with coding standards, which are essential to creating a consistent codebase. Coding standards ensure all developers follow specified guidelines, helping guarantee code quality and making the code easier to read, analyze, and work through.
As Kader told us, “It’s important to have standardization across teams and developers (…) The way the code is structured, patterns… Maintaining a good standard that is consistent throughout the code. And Codacy helps there as well.”
Future directions for Green Flag and Codacy
The next step for Green Flag is to expand their usage of Codacy and aim at bolder goals, to unlock the full potential of a tool like Codacy.
We look forward to seeing what Green Flag accomplishes in its mission of helping motorists all over the UK.