The ever-increasing pace of code releases can be a challenge for application security. As development speeds up, security testing can fall behind. Security issues found late in the development cycle require developers to break off from their current work and return to code they may have written weeks or even months earlier to do remediation. This can result in security risks being neglected in the rush to meet the current project’s deadlines. And that can allow insecure software to be released into the wild, where it leaves applications open to breaches.
So how to do we solve this problem? We all know that slowing down development so security can catch up doesn’t work.
Successful application development means balancing speed and security. You cannot sacrifice one for the other. How do we help developers code securely at velocity?
DevSecOps Helps Align Speed and Security
DevSecOps is the practice of rolling security directly into the development cycle. Many companies are in the process of making this shift. A recent report from Gartner uncovered several key data points that demonstrate how the transition to DevSecOps is accelerating.
- 90% of software development projects will be following a DevSecOps model by 2022, compared to just 40% in 2019.
- 70% of DevSecOps initiatives will incorporate automated security vulnerability and configuration scanning by 2023, as opposed to just 30% in 2019.
- 60% of rapid development teams embedded DevSecOps practices in 2021, compared to 20% in 2019.
These statistics are promising, but even when teams use a true DevSecOps approach that fully integrates security into the design and development process, they’re still faced with the challenge of asking developers to return to earlier work to perform remediation.
Shift Left into the IDE
In the past, security tools were slow and hard to use, and they often imposed a productivity tax on developers. “Shifting left” can balance speed and security in DevSecOps workflows, and the industry is responding by developing tools to make this easier. We now have tools that integrate security testing directly into the interactive development environment (IDE), where developers do most of their work. This makes a lot of sense. Catching security defects early means they can be addressed more quickly and more cost-effectively than when they’re found during downstream testing.
Most developers aren’t security experts, so tools that are optimized for the needs of the security team are not always efficient for them. A single developer doesn’t need to know every bug in the code; they just need to know the ones that affect the work they’ve been assigned to fix. Too much noise is disruptive and causes developers to avoid using security tools.
Developers also need tools that won’t disrupt their work. By the time security specialists find issues downstream, developers have moved on. Asking them to leave the IDE to analyze issues and determine potential fixes results in costly rework and kills productivity. Even teams that recognize the upside of checking their code and open source dependencies for security issues often avoid the security tools they’ve been given because it drags down their productivity rates.
What developers need are tools that provide fast, lightweight application security analysis of source code and open source dependencies right from the IDE. Tooling like this enables developers to focus on issues that are relevant to their current work without being burdened by other unrelated issues. These tools complement the complex and complete analysis by the CI/CD scans by reducing the number of issues found downstream and eliminating noise.
Scan for Defects as You Code
Static application security testing (SAST) tools can automatically scan and analyze source code and infrastructure-as-code (IaC) files as developers work. Integrated scanning tools built into the IDE can check for security bugs, API safety issues and hard-coded secrets in IaC source code templates and configuration files.
Integrated software composition analysis (SCA) tools can identify unpatched vulnerabilities in open source dependencies. The best of these tools displays the vulnerability description and the Common Vulnerabilities and Exposures (CVE) ID directly in the IDE and offer remediation guidance to help developers select the next available vulnerability-free or lower-risk version of the component.
One reason integrated scanning tools are so useful is that when they detect an issue, they can highlight it directly in the editor window. Developers can then hover over the highlighted line of code and see details including issue description and remediation guidance.
Code scanning automation tools like this work in much the same way the spelling and grammar checkers do in word processing programs. They can’t prevent all coding defects from moving downstream, but they can help keep the volume of those defects to a minimum.
Synopsys Code Sight SE
Synopsys Code Sight SE integrates SAST and SCA scanning and remediation advice right in the IDE so developers can ensure that the software they write is both secure and bug-free. It doesn’t matter whether a security vulnerability is in your code or in an open source dependency. Either way, you need to fix it. With Code Sight SE, you can truly shift left and address security early in the development cycle without hurting developer productivity.
Learn more about Code Sight SE.
Feature image via Pixabay