Placing code ownership in developers' hands to improve security
At the root of most malicious hacks are vulnerabilities in the underlying software. This simple fact tells us that developers have a significant impact on security. When developers are supported by the right tools, they have the power to catch security issues early -- issues such as injection vulnerabilities or storing secrets in source files.
Taking such an approach allows organizations to fix vulnerabilities at the first point of entry as well as throughout the continuous integration/continuous delivery (CI/CD) workflow, which helps prevent damaging attacks from the very start.
Code Security Ownership Is Backward
Security auditors today mostly rely on old-school static application security testing (SAST) solutions to analyze source code in order to detect potential security vulnerabilities. Such tools flood security auditors with huge volumes of false positives. More often than not, security teams that utilize traditional SAST solutions can be found sifting through endless alerts trying to determine the validity of thousands of vulnerabilities. Even for auditors, this usually leads to alert fatigue.
Moreover, when real errors are detected, security analysts can’t independently fix the code themselves. Rather, they must go back to the developer to solve the issue in the code. The result of this is developers being asked to fix errors possibly weeks or months after they have moved on from that code. This backward, mediated approach is not only slow, but can cause internal friction around code security ownership.
Taking Ownership of Code Quality & Security
While it’s in the best interest of security-conscious organizations to place ownership of code security into the developer’s hands, traditional SAST solutions aren’t the best tools. Developers need static analysis tools that not only perform basic checks but are also capable of detecting security vulnerabilities, memory leaks and more. Moreover, they need a tool suite capable of detecting such issues throughout the entire software development cycle. That means the tool suite must detect vulnerabilities in both the IDE and the CI/CD workflow.
Solving the Code Quandary
Modern SAST tools are now built with the developer’s needs and priorities in mind -- that is, maximizing quality and minimizing risk. With a new set of tools that span the entire workflow, developers can effectively take ownership of code security and change how, when and which issues are raised. Specifically, this means giving developers real-time feedback and clear remediation guidance at every stage of the development cycle. It also means shifting issue detection further left so that issues are flagged as soon as possible, while the code is still fresh in mind and the fix is easy. This empowers developers to take precise and immediate action and prevent the vulnerability from ever shipping.
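To make the "flag it while the code is still fresh" idea concrete, here is a small source scanner that catches the two issue classes named earlier (a secret committed to a source file, and a SQL query built by string concatenation) and can run both from an editor save hook and as a CI gate that fails the build. This is an added illustration written for this article, not SonarSource's product or any real SAST engine: the rule names, the regular expressions, the `# nosec` suppression marker and the sample source file are all constructed here, and the patterns are deliberately narrow (a production tool would add entropy checks and data-flow analysis).

```python
"""
Minimal "shift-left" source scanner: flags hardcoded secrets and string-built
SQL so the developer sees them in the editor or the CI job before merge.
Added illustration only; not SonarSource's product or any real SAST engine.
The sample file below is constructed inline so the script runs offline.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Each rule: an id, a regex, and the remediation hint shown with the finding.
# Patterns are deliberately narrow; real tools also use entropy and data flow.
RULES = [
    ("SECRET_AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "Move the credential out of source; load it from a secret store or env var."),
    ("SECRET_ASSIGNMENT",
     re.compile(r"(?i)(password|passwd|api_key|secret|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
     "Do not commit literal credentials; use configuration injected at runtime."),
    ("SQL_STRING_BUILD",
     re.compile(r"(?i)\b(select|insert|update|delete)\b[^\n]*(\+\s*\w+|%\s*\(|\{\w+\})"),
     "Build the query with bound parameters instead of string concatenation."),
]


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    snippet: str
    hint: str


def scan_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Run every rule over every line; one Finding per (rule, line) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:  # explicit, reviewable suppression marker (assumed convention)
            continue
        for rule_id, pattern, hint in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, path, lineno, line.strip(), hint))
    return findings


def scan_paths(paths) -> list[Finding]:
    """Scan each existing file on disk; directories and missing paths are skipped."""
    out = []
    for p in paths:
        p = Path(p)
        if p.is_file():
            out.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return out


def gate(findings: list[Finding]) -> int:
    """CI gate: print findings grep-style and return the process exit status."""
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}\n    fix: {f.hint}")
    return 1 if findings else 0


# Constructed sample of what a developer might have in a working tree.
SAMPLE_SOURCE = '''
import os
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"          # hardcoded credential
db_password = "hunter2hunter2"            # another literal secret
token = os.environ["API_TOKEN"]           # fine: loaded at runtime
query = "SELECT * FROM users WHERE name = '" + user + "'"   # injectable
safe = cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    # With file arguments: behave as a CI gate. Without: scan the sample.
    targets = sys.argv[1:]
    results = scan_paths(targets) if targets else scan_text(SAMPLE_SOURCE, "sample.py")
    sys.exit(gate(results))
```

Wired into a pre-commit hook the same script gives the developer the finding seconds after typing it; wired into the pipeline as `python scanner.py $(git diff --name-only origin/main)` it blocks the merge, so the same rule set and the same remediation hint appear at both stages rather than surfacing weeks later in an auditor's report.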
Human error is a given, but with the right checks by the right tools at the right time, developers can impact the quality and security of their code, and therefore the company’s software. Getting there requires organizations to put ownership in the hands of the developer to prevent errors in the first place. As the saying goes, make time to do it right the first time, because when will you have time to do it over?
Bertrand Hazard is the VP of GTM Strategy at SonarSource, a leading provider of code quality and code security solutions for developers and development teams. Prior to SonarSource, Bertrand led a global team of product marketers at SolarWinds. You can follow him on Twitter at @productmarketer.