At SonarSource, we believe that just like developer-led Code Quality did a decade ago. Finding Vulnerabilities immediately after they're introduced instead of weeks later just makes more sense. But what does that mean for the risk and compliance teams that lead those efforts today? Those jobs don't go away. Actually, they get more interesting and possibly even more important. developer-led Code Security will inevitably come to dominate the SAST market Today, security auditors really aren't in an enviable spot. First they're working with tools that take a no-news-is-good-news approach; tools that raise issues for anything even remotely suspicious. So Security auditors spend a significant chunk of their time on the drudge work of identifying the few things that really need action in a sea of false positives. Once they've done that, they can't actually fix the code themselves. Instead, they have to deliver the bad news to the folks who actually can - the developers - and convince them to switch focus from delivering business value to correcting code they haven't thought about in weeks. stale It doesn't sound like a dream job, does it? But with developer-led Code Security, things get better. First, . We put those Vulnerabilities front-and-center for developers, so they're handled while the code is still fresh in mind. if we raise a Vulnerability, you there's something to fix know And because it's integrated into their workflow, developers will fix most Vulnerabilities and review Security Hotspots as a matter of course. That lets security auditors move out of the enforcer role. Instead of "You must fix this old code!", they can shift into collaboration and oversight. Security Hotspots The first opportunity here is around . We provide a specialized interface and background data for developer review of Security Hotspots. But even so, some Security Hotspots won't be straightforward. This is where security auditors can step in and guide developers through the tricky cases to reach a good resolution. Security Hotspots And that leads to the oversight role auditors can now assume in the process. They can begin to look at things like: what rules are in the Quality Profiles and which conditions are in the Quality Gates? And then they can go deeper: are there patterns in the types of issues being raised that additional training can help with? Pattern Spotting with SonarQube That pattern-spotting can be done manually on the issues page, but offers reports that can help identify patterns, and more importantly help translate them to the development team in language coders are familiar with. Either way, under the new paradigm, security auditors spend less time identifying the real issues and more time making sure they get properly addressed. SonarQube's Enterprise Edition With the shift to developer-led Code Security, risk and compliance folks move out of the middle-man position. They're no longer the bearers of bad news. Instead, they become collaborators with development teams. Together, they can ensure that software is more secure. And that's good for all of us. Previously published at https://blog.sonarsource.com/security-auditors-the-cinderella-story-of-sast

SonarSource

We build world-class Code Quality & Security tools: SonarQube, SonarLint and SonarCloud

Developer-Led Code Security Will Dominate the SAST Market

Too Long; Didn't Read

Company Mentioned

SonarSource

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Developer-Led Code Security Will Dominate the SAST Market

Too Long; Didn't Read

Company Mentioned

SonarSource

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES