Asking developers to do security is a risk in itself

As the pace and complexity of software development increases, organizations are looking for ways to improve the performance and effectiveness of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. This makes a lot of sense, because defects, including security defects, can often be addressed faster and more cost-effectively if they are caught early. Issues found during downstream testing or in production result in costly and disruptive rework.

Organizations have come to understand that the cost to remediate defects grows exponentially the farther along into production an application travels. Prevention costs are the least expensive, while the cost of correcting something is 10x greater, and the cost of an application failure is 100x greater.

So asking developers to prevent defects is an important step, but most developers aren’t security experts, and tools that are optimized for the needs of the security team can be too complex and disruptive to be embraced by developers. To make matters worse, these solutions often require developers to leave their integrated development environment (IDE) to analyze issues and determine potential fixes. All this tool- and context-switching kills developer productivity, so even though teams recognize the upside of checking their code and open-source dependencies for security issues, they avoid using the security tools they’ve been given because of the downside of decreased productivity.

To help developers maintain productivity without sacrificing security, organizations should look for a comprehensive SAST solution that identifies security and quality defects early in the software development life cycle (SDLC). Specifically, they should look for solutions that:

  • enable them to find issues quickly as they code; if developers can fix these issues in real time, the issues never leave the developer workstation;
  • provide a full scan if they need it; and
  • show issues found by CI/CD scans on the servers directly in their IDE, without having to scan locally in the IDE.

In response to these needs, Synopsys developed Code Sight and recently released Code Sight Standard Edition (SE). Code Sight SE is an IDE-based application security solution that helps developers find and fix security issues as they code, without switching tools or interrupting their workflow.

“We have spent enormous amounts of time designing Code Sight,” said Raj Kesarapalli, senior manager of product management at Synopsys. He said the core strength of Code Sight is its ability to give priority to developer relevancy. It delivers that benefit by identifying vulnerabilities while still in the developer environment. It also ensures that no new issues are introduced as a result of the changes made.

It scans only the selected files in question for issues. It handles the remaining hundreds or thousands of files by leveraging context from a previous scan. Making use of that vast knowledge base eliminates the need for an immediate and lengthy comprehensive scan of the full universe of files. This frees the developer to continue writing code at the same time that issues are being found and fixed, all within the developer environment.

The process is not unlike the way a spell-checker operates in a Microsoft Word document, said Kesarapalli: While corrections are being made to specific words or phrases in the document, the author or editor is able to continue working, losing little or no time as the process goes forward.

For a software team, that means a major productivity gain.

“This gives them what is relevant and what they can find quickly,” he said. At the same time, fewer flaws make their way to the extended cycle of central analysis. “It short-circuits the loop for some of the issues,” Kesarapalli said.

Code Sight enhances developer productivity, and its early intervention means there is less for the rest of the team to do. In fact, some of the issues caught early on in the development environment never find their way to the other stakeholders at all.

Developers anywhere in the world can gain access to the software by downloading a free trial that enables them to start using it in less than five minutes. The link to the download is:

https://marketplace.visualstudio.com/items?itemName=SynopsysCodeSight.vscode-codesight

Another way to preview Code Sight Standard is with this demo video:

https://community.synopsys.com/s/article/Getting-Started-With-Code-Sight-Standard-Edition

Content provided by SD Times and Synopsys
