Some 60% of developers said in a recent survey that they are releasing code faster than ever before. For application security executives, this means the race is on to keep up by using seamless, cost-effective ways to secure that code. According to the GitLab 2022 Global DevSecOps Survey, 53% of developers said they are now “fully responsible” for security in their organizations — a 14-point increase from 2021! The benefits of “shifting left” and testing earlier in the process are undeniable. Static Application Security Testing (SAST), where code is examined for security flaws before it is released, is one of the most powerful tools an organization can use to spot and fix vulnerabilities in the early stages of the SDLC, saving manpower and money while also boosting security posture.
“Us vs. Them”: Addressing Developer Resistance Towards SAST Adoption
he biggest benefit of using SAST tools is the ability to make code fixes more quickly, accurately, and simply before it is deployed. Automation is often key to this task. . Of course, all good developers care about security, but their priority is delivering brilliant code and features that meet the company’s high expectations — fast.
Traditionally, developers and the security or AppSec team have worked in different silos on opposite ends of the production flow, fostering an “us vs. them” culture. The developer mindset is to make things work and get it to production as soon as possible. The security team, however, tends to circle the gate at the end of the pipeline, locking the door until certain security issues are met. Add regulator and compliance frameworks into the layers of security checks and balances, and that slow clog becomes a full-blown blockage.
On the flip side, many developers are not cybersecurity experts and are unfamiliar with common vulnerabilities, threats, and attack vectors. Scan reports can be long and confusing. One of the biggest developer pet peeves is the high amount of noise — false positives. Developers waste time manually sifting through hundreds or even thousands of findings that may turn out to be false alarms. When they do discover a real security problem, they have to spend even more time locating the one line among a sea of code that requires a fix. Often these suggested tweaks come without any step-by-step guidance or feedback.
It’s no surprise that the GitLab survey reports that “security requirements” are one of the Top 8 challenges of all developers today.
Changing the Culture
Today, a DevSecOps (development, security, and operations) organizational shift aims to bring both the thinking and actions of development and security teams together. The idea is that security is a shared responsibility, and is built into every stage of the process from beginning to end. By taking a few incremental steps, AppSec executives can lead the way to a healthier relationship between the two teams, improving communication, transparency, and collaboration between all teams.
The logical next step is onboarding an effective SAST tool that works with developers, not against them. This technology will sync up with the tools, systems, and workflows that developers are already using. It will automate many of the processes in code testing to the vulnerabilities that matter to a specific application and company. SAST tools have a reputation for creating excess “noise,” leading to “cry wolf” alerts or flagging vulnerabilities that present very little danger to a company. Today, advanced features help to drastically filter out these time-wasters so AppSec and development teams can focus on the vulnerabilities that matter. this video to learn more about how SAST tools can help to build trust
Finding the Right SAST Solution
Today, advanced automation has helped SAST software integrate effortlessly with existing development and application release orchestration tools. This spares developers an intense learning curve and saves them time. Most of all, they come to trust that the technology works the way it is supposed to.
Since not all SAST tools are created equal, application security executives should consider these advanced features when shopping for their ideal solution:
- Easy-to-use dashboards. Innovative SAST graphical interfaces give visibility to the unique stories that teams need to help them understand their company’s security issues better. Beyond just identifying vulnerabilities, a good dashboard can filter and sort scan results in many different ways, such as by severity or vulnerability type, to reveal patterns and other insights.
- These features allow users to predefine sets of queries, acting as filters to customize scans for each application. This cuts down on alert “noise” and false positives. Watch this video to get tips on fine-tuning your SAST solution to boost alert accuracy.
- Look for SAST tools that can fit into your organization’s existing workflows. Everything the development team needs is within the environment they already use. Simple!
- Built-in remediation guidance. Special features allow developers to fix multiple vulnerabilities at a single point in the code. For example, Checkmarx SAST has a feature called BFL or “Best Fix Location” guidance that takes developers to the exact piece of referenced code. Fixing the one line of code helps remediate multiple vulnerabilities.
- Scan efficiency. Using incremental scanning capability analyzes only modified or newly introduced lines of code, reducing scan times by up to 80%. Another huge time saver!
- Consistent support. Choose a SAST provider that offers consistent, easy access to customer support and tec
Educating and Empowering Developers
SAST tools are a great way to empower development teams to take ownership of code security. But don’t stop there. Software security touchpoints should be present along every step of the SDLC. Developer security training is especially critical.
Invite members from both teams to training sessions to help members become more empathetic to one another’s challenges and objectives. For instance, don’t assume that all developers are familiar with common cybersecurity concepts and terms, such as XSS and SQL injection. Similarly, security analysts and systems administrators may not have any experience writing code themselves. They may fail to understand how to seamlessly fit remediation activities into the developer’s workflow.
Put all learnings and best practices down in writing and provide an open forum for dealing with security-related issues. Finding ways to provide two-way feedback throughout the entire SDLC will build trust and create a better developer experience — the key to unlocking this culture change.
Demonstrating the Value of SAST
Research has shown that 90% of all vulnerabilities are located in the application layer. Some of the most common risks linked to insecure code include SQL injection, cross-site scripting, buffer overflows, cross-site request forgery, and insecure cryptography storage. It also directly addresses one of developers’ biggest gripes — an overwhelming number of false positives. Onboarding an enterprise AppSec tool properly can reduce the number of these inaccurate findings to 5%, while focusing and finding high-priority vulnerabilities, as seen in one case
SAST is most effective when it works together with an enterprise-level suite of AppSec tools, allowing organizations to literally “shift everywhere” to improve their security posture. For instance, developers rely on open-source code and third-party libraries every day. Since bad actors will often target these repositories to inject malicious code and malware, adding source code and supply chain security analysis is an essential part of every AppSec While SAST targets code security at its source (i.e. – the developers’ brains) Dynamic Application Security Testing (DAST) scans running applications to best simulate how secure an application is in a real-world situation.
“Shifting Everywhere” in a Positive Direction
Like most things in life, acceptance of anything new starts with understanding and empathy. Creating an open and dynamic relationship between developers, security teams, CISOs, and every member of the organization should be the ultimate goal of leaders in the application security space.
Technology can be a catalyst for this newfound trust. Using SAST along with a robust suite of enterprise AppSec solutions like Checkmarx One can improve accuracy, efficiency, and trust in the people, the process, and the technology. It will empower developers to become valuable partners in building