How clean code can bridge the developer and security divide
Regardless of industry, software is now an organization’s most critical business asset, because its competitive edge often depends on it. As companies become more technologically savvy and more dependent on their software to meet revenue goals and deliver products or services to customers, they cannot afford to underestimate the importance of secure, high-quality code.
The more this becomes evident, the greater the pressure on developers to deliver. Leaders expect their developer teams to work faster, ship more features, and write “better” code, but the technical debt accrued as a result of these escalating demands creates a slowdown effect as developers try to keep up. This technical debt can take a third of developers’ time to address, with refactoring later costing twice, or even three times, as much as a proactive fix. While AI code generation tools can help produce large amounts of code and handle mundane tasks so developers can focus on collaborative or creative work, AI-generated code shouldn’t be trusted at face value. When code is not properly reviewed for maintainability, security, and reliability (i.e., Clean Code attributes), poor-quality code problems creep in.
How can companies accelerate their software development and coding capabilities while ensuring code stays secure, clean, reliable, and consistent enough to avoid bugs before delivery? How can developers, security teams, and leadership align on this? Shifting left has become the standard answer, emphasizing security and automation during the development and build phases. But a blind “shift left” mentality isn’t practical or strategic. Companies instead have to shift left while prioritizing Clean Code, so that security and quality advance together.
The pitfalls of shifting left
The problem with shifting left is usually in how it’s executed -- too often companies force everything to shift left as is, rather than understanding the nuances of the processes and the teams it affects. Blindly changing how these teams collaborate can deplete resources and cause breakdowns in workflows.
Developers and Application Security teams have different goals, tools, processes, and incentives; each has distinct feedback loops, integrations, and training needs. Finding an existing security issue and preventing that class of issue at scale are not the same thing. The best course of action is to ensure tools and processes fit seamlessly into a developer’s workflow rather than disturbing it. A security team’s goal is to support the developers -- not to interfere with their work.
Because we still haven’t found a way to secure software by default across all languages, ecosystems, and tools, security’s role is a critical one that has to be integrated the right way. Developers can’t fix every finding from the security tools their security team deploys, and the resulting backlog typically produces alert and remediation fatigue rather than a real solution. Testing early and often is a necessary aspect of building good code, but it’s not enough. That’s where prioritizing Clean Code can put developers in the best place to succeed.
Empowering developers and SecOps with Clean Code
What can teams do to move prevention of security issues even earlier than shifting left? Have developers spot critical issues directly in the IDE and apply changes and fixes as they code. By scanning and testing as they code, developers and their security teams can ensure code quality and security are intrinsically linked. Clean Code -- code that is consistent, intentional, adaptable, and responsible -- paves the way for high-quality software businesses in today’s competitive landscape. This secure-by-design code can be easily repeated and more cost-effectively maintained, rather than letting bad code flow through into development.
Adopting a “Clean as You Code” methodology ensures that, by performing checks and continuous monitoring during the delivery process, developers can spend more time on new tasks rather than remediating bugs from old code -- whether that code is human-written or AI-generated. This methodology allows companies and their developers to own the quality of their code, which is especially critical considering how much a codebase changes each year.
The benefits of this approach extend to SecOps teams, too. Rather than trying to find smaller bugs that compound into larger issues later on, security teams can focus on high-level, strategic concerns. These teams can also expand their availability for developers during the development process to help with any problems that arise and can prioritize building tailored tools and security rules that create a better software development environment on the whole. The more security teams can provide developers with analysis, recommendations, and other information on how to develop more secure code, the better position developers are in -- meaning better patches and fewer repeated errors in the future.
Cleaning -- or scanning -- as you code gives developers and SecOps alike the ability to create high-quality code that’s fit for both development and production and doesn’t waste time or resources on remediation after the fact. It allows each of these teams to play to their strengths while addressing weaknesses in the software that has become so important to business. Combining Clean Code with a “shift left” mentality gives companies the best chance of creating safe, high-quality code that results in best-in-class software.
Paving the way for top-quality, secure software
Despite differences in work and tools, developers and SecOps must find a better way to collaborate to reach their overarching, common goal: better, more secure software. This becomes even more significant as businesses embrace national policy efforts around ‘Secure by Design’ in the US and the ‘EU Cyber Resilience Act’. Security can't be dissociated from quality. We must shift left in a way that empowers developers, and Clean Code should be the common goal of all teams.
By marrying a “shift left” mentality with a “Clean as You Code” methodology, we can better satisfy demands on developers and SecOps alike to both work faster and ship more features, while also addressing security issues and instilling confidence from the start.
Stefan Schiller is a Vulnerability Researcher in the Sonar R&D team. He has been passionate about software and programming since his early childhood. With a background in red teaming, he has been working in the field of offensive IT security for quite a while now. At Sonar, he finds and responsibly discloses vulnerabilities in popular open-source software.