Developers Just Want to Know if They Have a Problem
Developers just want to know if their code has a vulnerability before putting it into production. But often, the answer back from the security group — “more analysis is needed” — is not what the developer wants to hear.
“I’ve been saying that loud and clear: just tell [the developers] what’s wrong, rather than saying, ‘we found this from SAST, we found this from penetration tests, we found this from a manual review,’” said Meera Rao, senior director of product management at Synopsys, in this latest episode of The New Stack Makers podcast, hosted by Alex Williams, founder and publisher of The New Stack. “They shouldn’t care about that — they need to know that what we found is critical and this is how you need to fix it. That’s all they need to know.”
Rao is the creator of a new intelligent orchestration technology that helps developers get their issues resolved without a long wait. That long wait is remedied by relying on Synopsys’ system to let developers know what’s wrong and whether specific security holes require immediate fixing or not.
As part of the more recent “shift left” security trend, the onus of finding and fixing security issues in code in some cases wrongly fell on the development team. On top of already overstretched workloads, developers consequently had less time for their main work of building and updating applications, and in many cases had to become de facto security experts.
“Everyone realized that you cannot expect your developers to learn every tool, every technology, every dashboard,” said Rao. “Now things have started to change slowly.”
More recently, as operations teams in well-functioning DevOps organizations began to lend more support to continuous integration/continuous delivery (CI/CD) to speed up the development-to-deploy cycle, teams tasked with security-only duties began to emerge. Unfortunately, in many cases this structure created a dynamic in which security teams were seen as the “bad guys” who slowed down the development cycle whenever security issues emerged.
“But we — as in the security industry — were the ones creating all the friction,” said Rao.
It soon became apparent that security teams and tools needed to do better.
“Can you always keep spending, reinventing the same pipelines without providing the abstraction that the developers need? Developers don’t care what tool you ran, what analysis you ran, how deep did you run the analysis,” said Rao. “They just want to know: do I have a critical or a high vulnerability that I need to fix right now? Yes or no?”
In practical terms, this means allowing developers to use Synopsys’ intelligent orchestration technology to determine whether a security vulnerability is critical or not, and if it is, how to fix it and then how to merge the fix with the main branch. This is accomplished with the use of a “simple API” that might just result in a “one-line change” to the release pipeline without any disruption.
The tool helps to determine “what activities to run, what activities to skip and what should be the depth of the activity that needs to happen,” said Rao. “So, we have a balance of automated activities versus manual activities in the pipeline.”
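To make the idea concrete, here is an added example of what such a pipeline gate looks like in code. It is not Synopsys’ Intelligent Orchestration and not code from the podcast; it is a small, self-contained illustration of the two decisions described above: choosing which activities to run (and at what depth) from the files a change touches, and collapsing findings from several sources into the one answer the developer asked for, “do I have a critical or high I must fix right now?”. The activity names, the severity scale, the “sensitive path” and manifest lists, and the sample findings are all assumptions constructed for the example.

```python
"""Added example (not Synopsys' product code): a minimal orchestration gate.

Two decisions are modelled:
  1. select_activities(): what to run, what to skip, and how deep, from the diff.
  2. gate(): merge findings from SAST, SCA, pentest and manual review into a
     single blocked/not-blocked verdict plus the fix instructions that matter.
All path lists, activity names and sample findings are constructed for the example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumption: changes under these paths justify a full-depth scan and a manual look.
SENSITIVE_PREFIXES = ("src/auth/", "src/crypto/", "src/payments/")
# Assumption: dependency manifests that should trigger software-composition analysis.
MANIFESTS = {"requirements.txt", "package.json", "go.mod", "pom.xml"}
CODE_SUFFIXES = (".py", ".go", ".java", ".js")


@dataclass(frozen=True)
class Finding:
    source: str     # activity that reported it: sast, sca, pentest, manual_review
    severity: str   # key of SEVERITY_RANK
    rule: str       # tool-neutral identifier, e.g. "sql-injection"
    location: str   # file:line or component name
    fix: str        # the actionable instruction the developer actually needs


def select_activities(changed_files):
    """Return {activity: depth} for this change; anything absent is skipped."""
    files = list(changed_files)
    code = [f for f in files if f.endswith(CODE_SUFFIXES)]
    deps = [f for f in files if f.rsplit("/", 1)[-1] in MANIFESTS]
    sensitive = any(f.startswith(SENSITIVE_PREFIXES) for f in files)
    plan = {}
    if code:
        plan["sast"] = "full" if sensitive else "incremental"
    if deps:
        plan["sca"] = "full"
    if sensitive:
        # Manual activities are expensive; only request them where the risk warrants it.
        plan["manual_review"] = "requested"
    return plan


def merge_findings(findings):
    """Collapse the same issue reported by several tools, keeping the worst severity."""
    merged = {}
    for f in findings:
        key = (f.rule, f.location)
        if key not in merged or SEVERITY_RANK[f.severity] > SEVERITY_RANK[merged[key].severity]:
            merged[key] = f
    return list(merged.values())


def gate(findings, block_at="high"):
    """The developer-facing answer: blocked or not, and exactly what to fix now."""
    threshold = SEVERITY_RANK[block_at]
    blocking = sorted(
        (f for f in merge_findings(findings) if SEVERITY_RANK[f.severity] >= threshold),
        key=lambda f: -SEVERITY_RANK[f.severity],
    )
    return {
        "blocked": bool(blocking),
        "fix_now": [f"{f.severity.upper()} {f.rule} at {f.location}: {f.fix}" for f in blocking],
    }


# Constructed sample: SAST and the pentest found the same SQL injection (different
# severities), plus a medium XSS and a low SCA advisory that should not block a merge.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "sql-injection", "src/auth/login.py:42",
            "Use a parameterized query instead of string concatenation."),
    Finding("pentest", "critical", "sql-injection", "src/auth/login.py:42",
            "Use a parameterized query instead of string concatenation."),
    Finding("sast", "medium", "reflected-xss", "src/views/search.py:17",
            "HTML-escape the query parameter before rendering."),
    Finding("sca", "low", "outdated-dependency", "requests==2.25.0",
            "Upgrade to the current release."),
]

if __name__ == "__main__":
    print(select_activities(["src/auth/login.py", "requirements.txt", "README.md"]))
    verdict = gate(SAMPLE_FINDINGS)
    print("BLOCKED" if verdict["blocked"] else "OK")
    for item in verdict["fix_now"]:
        print(" -", item)
```

The point of `gate()` is the abstraction Rao describes: the developer never sees which tool produced a finding, only whether the merge is blocked and what to change. A real pipeline step would read each tool’s native report (SARIF, SCA JSON, a ticket export) into `Finding` objects and fail the job when `blocked` is true; that adapter layer, which is where the actual integration work lives, is omitted here.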