How Green Flag (Direct Line Group) uses Codacy for PCI DSS compliance

Kader Kawsar

Heading up Software and Data Engineering

"The API integration was very good, and the documentation is excellent. We got help from your team; that was very much appreciated. We got that very, very quickly; it was done in days."

About Green Flag (Direct Line Group)

Green Flag (originally National Breakdown Service) helps motorists in the UK when their vehicles have a breakdown or need assistance. Green Flag is part of the Direct Line Group, which provides insurance policies.

The main programming languages used by the Green Flag development team include Python and AngularJS. In addition, they use Bitbucket as their version control system.

Challenge

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to make sure that companies that accept, process, store, or transmit credit card information maintain a secure environment.

Green Flag's main goal was to comply with PCI DSS, particularly with requirement 6.3.2, which states: "review custom code prior to release to production or customers in order to identify any potential coding vulnerability." Every time the source code goes into production, it must be reviewed. Green Flag's developers were already using Bandit for Python in their IDE, but they needed a solution that covered static code analysis centrally, independent of each developer's setup.

Another PCI DSS requirement is that the security team can see whether there are any security issues or vulnerabilities. This team needs to check the static code, the dynamic activity, and what's happening in the infrastructure. That's where custom security dashboards built on the Codacy API come into play.

With Codacy

The Codacy API allows you to programmatically retrieve and analyze data from Codacy. It can be used in various scenarios, such as adding many people to Codacy, adding multiple repositories, or obtaining code quality metrics for specific files. In Green Flag's case, they needed a view that showed only the security issues per repository. This way, the security team could review those issues without requiring additional licenses. Using the API was the ideal way to filter the dashboards.
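The security-only, per-repository view described above can be built with a short script. The following is an added example and is not Green Flag's dashboard code or part of Codacy's own tooling. The HTTP call assumes the Codacy API v3 repository issue search endpoint (`POST .../issues/search` with a `categories` filter) and the `api-token` header as I recall them from the API reference; verify both against the current documentation before relying on them. The summarizing logic itself is exercised on `SAMPLE_ISSUES`, a constructed payload whose field names (`patternInfo.category`, `severityLevel`, `filePath`) are likewise assumptions about the response shape.

```python
"""Security-only summary of Codacy issues, one row per repository.

Added example, not Green Flag's or Codacy's code. The endpoint path, request
body and `api-token` header in fetch_issues() are assumptions about Codacy
API v3; the summary logic only needs the issue shape shown in SAMPLE_ISSUES,
which is constructed for this example.
"""
import json
import urllib.request
from collections import Counter

CODACY_API = "https://app.codacy.com/api/v3"  # assumed base URL


def fetch_issues(token, provider, org, repo, branch=None):
    """Ask Codacy for one repository's issues, pre-filtered to the Security category.

    Endpoint path and body fields are assumptions about API v3 and are not
    exercised offline. The token should come from a secret store, never from
    source control.
    """
    url = (f"{CODACY_API}/analysis/organizations/{provider}/{org}"
           f"/repositories/{repo}/issues/search")
    body = {"categories": ["Security"]}
    if branch:
        body["branchName"] = branch
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"api-token": token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("data", [])


def is_security_issue(issue):
    """Client-side guard so the view stays security-only even when a caller
    passes an unfiltered issue list (e.g. from a cached full export)."""
    return issue.get("patternInfo", {}).get("category") == "Security"


def summarize(repo_issues):
    """Collapse {repo: [issue, ...]} into per-repository counts.

    Returns {repo: {"total", "by_severity", "by_pattern", "files"}}. Only
    Security-category issues are counted, so code-style and other quality
    findings never reach the security team's dashboard.
    """
    summary = {}
    for repo, issues in sorted(repo_issues.items()):
        sec = [i for i in issues if is_security_issue(i)]
        summary[repo] = {
            "total": len(sec),
            "by_severity": dict(Counter(
                i["patternInfo"].get("severityLevel", "Unknown") for i in sec)),
            "by_pattern": dict(Counter(
                i["patternInfo"].get("id", "unknown") for i in sec)),
            "files": sorted({i.get("filePath", "?") for i in sec}),
        }
    return summary


def render(summary):
    """Plain-text table, one row per repository, for a terminal or a mail digest."""
    lines = ["repository            security  errors  warnings"]
    for repo, s in summary.items():
        sev = s["by_severity"]
        lines.append(f"{repo:<20}  {s['total']:>8}  "
                     f"{sev.get('Error', 0):>6}  {sev.get('Warning', 0):>8}")
    return "\n".join(lines)


# Constructed sample: repository names, paths and pattern ids are invented;
# the shape mirrors the assumed issue-search response.
SAMPLE_ISSUES = {
    "breakdown-api": [
        {"filePath": "app/db.py", "lineNumber": 42,
         "message": "Possible SQL injection vector in string-built query",
         "patternInfo": {"id": "Bandit_B608", "category": "Security", "severityLevel": "Error"}},
        {"filePath": "app/auth.py", "lineNumber": 10,
         "message": "Possible hardcoded password",
         "patternInfo": {"id": "Bandit_B105", "category": "Security", "severityLevel": "Warning"}},
        {"filePath": "app/util.py", "lineNumber": 3,
         "message": "Line too long",
         "patternInfo": {"id": "PyLint_C0301", "category": "CodeStyle", "severityLevel": "Info"}},
    ],
    "customer-portal": [
        {"filePath": "src/app.js", "lineNumber": 7,
         "message": "Use of eval",
         "patternInfo": {"id": "ESLint_no-eval", "category": "Security", "severityLevel": "Error"}},
    ],
}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_issues() per repo
    # to drive the same summary from live Codacy data.
    print(render(summarize(SAMPLE_ISSUES)))
```

Filtering twice (server-side via `categories`, then again in `is_security_issue`) is deliberate: the dashboard's promise to the security team is that nothing but security findings appears, and that promise should not depend on every caller remembering the query parameter.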

As Kader explained, "Codacy gives us a lot of detail, which is very good for developers and their managers to make sure that they maintain good code quality and are following a coding standard. But it's too detailed for the security personnel because they're not interested in details other than security."

About three years ago, Green Flag completely overhauled the code and the infrastructure. They had been working with a legacy system for a while, but it had become too slow. Going for a whole new platform and knowing the need to be PCI DSS compliant allowed them to build the new system with code quality in mind from day one.

Green Flag was looking for a solution that would work as a second gatekeeper: centralized, and not dependent only on developers. Codacy serves as that second check and is easily integrated into Green Flag's Bitbucket. Developers can correct the issues presented in their IDE, but there is no guarantee that they will act on that information, or even that they will keep Bandit on. As Kader pointed out, "If developers accidentally turned it [Bandit] off, or they've ignored something in their development environment, Codacy will pick it up and say, 'Look, you forgot to do this.'"

Future

The next step for Green Flag is to expand their use of Codacy and aim at bolder goals, unlocking the full potential of a tool like Codacy.

We look forward to seeing what Green Flag accomplishes in its mission of helping motorists all over the UK.