Security at the Speed of Development

Building a seamless DevEx involves three pillars: (1) Prioritizing for the greatest impact — ensuring developers’ limited time for security tasks is focused on the vulnerabilities that are the most critical and impactful to fix. This requires minimal false positives and the ability to prioritize vulnerabilities based on factors such as vulnerability severity, exploitability, and application criticality. (2) Meeting developers where they live — integrating the ability to perform application security tasks into developers’ existing tooling and workflows. This can include integrating security findings into the IDE, automatically creating bug tickets for vulnerabilities, and decorating the pull request with vulnerability information. (3) Equipping developers with tools and knowledge — when given a vulnerability, developers may need immediate assistance with actionable remediation guidance to make the fix. Over the longer term, security training such as secure code training can improve developers’ security skills to help reduce the number of vulnerabilities from the first line of code.

A good DevEx is one that minimizes the impact on developers’ productivity. This includes: minimum false positives that waste developers’ time investigating and fixing vulnerabilities that are not real; IDE, SCM, and bug ticketing system integrations that bring security into developers’ existing tooling and workflow instead of requiring them to learn and use new tools; scanning code at code check-in to minimize the time between a developer writing code and receiving notice of a vulnerability; remediation guidance to help developers with little security knowledge fix a discovered vulnerability; and secure code training to help developers learn more about application security best practices over time.

DevEx can be indirectly measured through a variety of program metrics such as mean time to remediate (MTTR), adoption rate of security tools, security training completion rate, and the amount of time required to perform security tasks.

Checkmarx includes a number of capabilities that help create a seamless DevEx, including: IDE integrations; SCM integrations; bug ticketing system integrations; high accuracy with minimum false positives; correlation across security tools to prioritize critical and exploitable vulnerabilities; actionable remediation guidance; auto-remediation for vulnerabilities; and secure code training.