Take the pressure off coding for your developers

By : Steven Zimmerman | Thursday, March 09 2023 - 21:30 IWST

Steven Zimmerman, Product Marketing Manager, Synopsys Software Integrity Group

INDUSTRY.co.id - In 2022, Synopsys commissioned the SANS Institute to examine how organisations achieved improvements in their security posture and operational effectiveness by aligning development, security, and operations teams around the cultural ideals, practices, and tools that make up the secure DevOps, or DevSecOps, methodology.

Respondents to the survey were drawn from a geographically diverse group from organisations of all sizes, including many in security roles. The subsequent report showcases the progress made by the community, and ongoing challenges on the path to DevSecOps excellence.

In this series of blog posts, we’re going to examine what the “SANS 2022: DevSecOps Survey: Creating a Culture to Significantly Improve Your Organisation’s Security Posture” report can tell us about how instituting good DevSecOps practices can help your organisation achieve secure coding without sacrificing development velocity, automate security, and help those involved with triage and remediation work more efficiently.

DevSecOps survey findings

Let’s begin by examining what we can learn from the SANS report. The good news is that the survey found that shifting left is being instituted across the DevSecOps community. Security testing increased at the architecture and design stage, the requirements and use case stage, the code commit and pull request stage, and the QA and acceptance stage.

The bad news for secure coding is that the only stage where security testing fell was the integrated development environment (IDE) security plug-in stage. While 44% of respondents surveyed in 2021 were using IDE security plug-ins, by 2022 that number had fallen to 30%. Reducing risk awareness and testing in the IDE increases the likelihood that issues will go undetected and persist downstream into the main product.

However, 82.3% of respondents reported that they found secure coding training for developers useful, and ranked it higher than penetration testing, software composition analysis (SCA), automated static application security testing (SAST), threat modeling, container/image security scanning, dynamic application security testing (DAST), third-party compliance reviews or audits, interactive application security testing (IAST), fuzz testing, and bug bounties.

Clearly, secure coding training is crucial, but coding is complicated, and tight development timelines and extensive technology landscapes mean that even the most well-trained developers can overlook best practices when they are working at speed. This is where tools come in. Good tools, available right from the IDE, allow developers to incorporate secure coding practices at the speed businesses need to remain competitive.

It is a positive development that in the 2022 survey, more than half of respondents reported that they consider shared security ownership a key success factor to instituting DevSecOps. When asked about improving communications across development, operations, and security, 56% responded that this was a priority — up from 51% in 2021.

To truly move from a DevOps to a DevSecOps model though, automation is crucial. Even the most well-trained developers cannot produce secure code at the rate businesses demand without tooling help. So it’s encouraging that 55% of respondents (up from 43% in 2021) agree that automating build, test, deployment, and provisioning workflows is essential to this endeavour. Integrating automated security testing into developer tools and workflows also increased in importance to 53% from 45%.

Automation can also help organisations ensure secure coding. Although organisations can’t automate coding, they can automate testing at the point where developers are coding. Providing real-time alerts to developers enables them to identify and fix weaknesses in proprietary code or vulnerable open source components directly from the IDE, without requiring extraneous workflows.

Finally, 52% of respondents reported that securing developer buy-in is key to building a solid DevSecOps environment, up from 46% in 2021. The only element where we saw a downward trend was in training developers in secure coding, which fell to 48% from 52%.

Developers still struggle with security

These numbers indicate that there are still issues with shifting from DevOps to DevSecOps. Specifically, we see issues with training developers in secure coding practices and in getting them to adopt security tools in the IDE. Across the industry, we see that developers resist shifting security left when they feel that an extra burden is being added to their workflows.

Most developers aren’t security experts, and tools that are optimised for the needs of the security team can be too complex and disruptive to be embraced by developers. To make matters worse, these solutions often require developers to leave their IDE to analyse issues and determine potential fixes.

All this tool- and context-switching kills developer productivity, so even though teams recognise the upside of checking their code and open source dependencies for security issues, they avoid using the security tools they’ve been given because of the downside of decreased productivity.

Eliminate friction in developer pipelines with tools

Adding a simple, easy-to-use tool like Code Sight™ to the IDE can help relieve developers of what feels like an extra testing burden. Automated tools can not only scan for weaknesses in custom code and known common vulnerabilities and exposures (CVEs), but also deliver remediation advice to developers as the code is being written. That is how you begin taking pressure off developers so they don’t just write code at the speed of business — they write secure code at the speed of business.
