Security auditors - the Cinderella story of SAST

by g. ann campbell|

Security Auditors are the Cinderella of developer-led SAST, moving from the drudgery of triaging issues to higher-level concerns.

At SonarSource, we believe that developer-led Code Security will inevitably come to dominate the SAST market just like developer-led Code Quality did a decade ago. Finding Vulnerabilities immediately after they're introduced instead of weeks later just makes more sense. But what does that mean for the risk and compliance teams that lead those efforts today? Those jobs don't go away. Actually, they get more interesting and possibly even more important.

Today, security auditors really aren't in an enviable spot. First they're working with tools that take a no-news-is-good-news approach; tools that raise issues for anything even remotely suspicious. So Security auditors spend a significant chunk of their time on the drudge work of identifying the few things that really need action in a sea of false positives. 

Once they've done that, they can't actually fix the code themselves. Instead, they have to deliver the stale bad news to the folks who actually can - the developers - and convince them to switch focus from delivering business value to correcting code they haven't thought about in weeks.

It doesn't sound like a dream job, does it?

But with developer-led Code Security, things get better. First, if we raise a Vulnerability, you know there's something to fix. We put those Vulnerabilities front-and-center for developers, so they're handled while the code is still fresh in mind. And because it's integrated into their workflow, developers will fix most Vulnerabilities and review Security Hotspots as a matter of course. That lets security auditors move out of the enforcer role. Instead of "You must fix this old code!", they can shift into collaboration and oversight.

The first opportunity here is around Security Hotspots. We provide a specialized interface and background data for developer review of Security Hotspots. But even so, some Security Hotspots won't be straightforward. This is where security auditors can step in and guide developers through the tricky cases to reach a good resolution. 

And that leads to the oversight role auditors can now assume in the process. They can begin to look at things like: what rules are in the Quality Profiles and which conditions are in the Quality Gates? And then they can go deeper: are there patterns in the types of issues being raised that additional training can help with? That pattern-spotting can be done manually on the issues page, but SonarQube's Enterprise Edition offers reports that can help identify patterns, and more importantly help translate them to the development team in language coders are familiar with. Either way, under the new paradigm, security auditors spend less time identifying the real issues and more time making sure they get properly addressed.

With the shift to developer-led Code Security, risk and compliance folks move out of the middle-man position. They're no longer the bearers of bad news. Instead, they become collaborators with development teams. Together, they can ensure that software is more secure. And that's good for all of us.


This is the final installment in a 4-part series on Developer-led SAST.:

Something to add? Join us in the community.