Reducing the number of security bugs per 1000 lines of code
By Glib Paharenko on Tue Aug 04 2020
Have you ever tried to reduce the number of bugs per 1000 lines of code? It is a challenging task, and its difficulty grows with the number of developers on the team. Copy-pasting checklists from Medium or OWASP simply does not work. Here are the tricks we use to reach this ambitious goal.
First order in IT, then order in security
If the team does not follow a strict coding discipline and internal quality measures, security will never find its place either. So work with the project managers, team leads and architects to put coding guidelines and quality assurance rules in place first. This raises the quality of the product, and developers get used to following policies and standards. Only then, step by step, introduce the security requirements into those internal regulations.
Focus on the most critical bugs
We have many catalogs of bugs: the OWASP Top 10, the CWE/SANS Top 25, the Application Security Verification Standard (ASVS) with a few hundred requirements, and finally CWE with hundreds of weakness types. Nobody can fight all of these issues at once. Management is about measuring and setting the right priorities. So choose a core set of bugs with the help of penetration testing, security code review and expert knowledge, and work to eliminate that core. Once the numbers improve, widen the set of vulnerabilities that must not appear in your systems.
Facilitate the work of developers
Policy at scale always has to be backed by technology. Enforce your coding guidelines with static and dynamic analysis tools:
- code analyzers
- application fuzzers
- dependency trackers
- chaos monkeys
Integrate the tools into the IDE, commit hooks and CI/CD pipelines. But be careful not to overwhelm developers with tons of false positives; otherwise you fail, because they will start ignoring the tool. We will write a separate blog post on how to provide proper static analysis and tooling to your developers.
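The two ideas above, gating only on the chosen core of severe bugs and not drowning developers in old or irrelevant findings, can be combined in one small gate that runs in a commit hook or CI step. The following is an added example written for this post, not a tool mentioned in it: it assumes analyzer output has already been converted into a simple list of findings (a hypothetical shape with rule_id, severity, path, line and snippet), keeps a baseline of known findings, and fails the build only on new findings at or above a chosen severity. The sample scans are constructed for the demonstration.

```python
"""Fail a commit or CI job only on NEW findings above a severity threshold.

Constructed example. Findings are plain dicts with the keys rule_id,
severity, path, line and snippet; this is an assumed, tool-neutral shape,
not the output format of any particular analyzer.
"""
import hashlib
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable identity for a finding.

    Keyed on rule, file and the whitespace-stripped offending line, but NOT
    on the line number, so that unrelated edits which shift code around do
    not resurrect findings the team has already triaged.
    """
    normalized = "".join(finding["snippet"].split())
    material = f'{finding["rule_id"]}|{finding["path"]}|{normalized}'.encode()
    return hashlib.sha256(material).hexdigest()


def build_baseline(findings):
    """Fingerprints of everything accepted (or still open) at baseline time."""
    return sorted({fingerprint(f) for f in findings})


def gate(findings, baseline, min_severity="high"):
    """Split a scan into (blocking, informational, suppressed) findings.

    blocking:      new findings at or above min_severity -> fail the build
    informational: new findings below the threshold      -> report only
    suppressed:    already in the baseline                -> hidden
    """
    known = set(baseline)
    threshold = SEVERITY_RANK[min_severity]
    blocking, informational, suppressed = [], [], []
    for f in findings:
        if fingerprint(f) in known:
            suppressed.append(f)
        elif SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold:
            blocking.append(f)
        else:
            informational.append(f)
    return blocking, informational, suppressed


def gate_exit_code(findings, baseline, min_severity="high"):
    """1 if anything blocks (suitable as a hook/CI exit status), else 0."""
    blocking, _, _ = gate(findings, baseline, min_severity)
    return 1 if blocking else 0


# --- constructed sample data: yesterday's accepted scan and today's scan ---
BASELINE_RUN = [
    {"rule_id": "SQLI-001", "severity": "high", "path": "app/db.py", "line": 42,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'},
    {"rule_id": "HASH-MD5", "severity": "low", "path": "app/util.py", "line": 7,
     "snippet": "hashlib.md5(data)"},
]

CURRENT_RUN = [
    # same SQL injection, but the file grew and the formatter moved spaces
    {"rule_id": "SQLI-001", "severity": "high", "path": "app/db.py", "line": 58,
     "snippet": 'cur.execute( "SELECT * FROM users WHERE id=" + uid )'},
    {"rule_id": "HASH-MD5", "severity": "low", "path": "app/util.py", "line": 7,
     "snippet": "hashlib.md5(data)"},
    # genuinely new, severe: should block
    {"rule_id": "XSS-003", "severity": "high", "path": "app/views.py", "line": 19,
     "snippet": "return Markup(request.args['q'])"},
    # genuinely new, but outside the current core set: report, do not block
    {"rule_id": "LOG-CLR", "severity": "low", "path": "app/auth.py", "line": 88,
     "snippet": "log.info('password=%s', pw)"},
]


def main():
    baseline = build_baseline(BASELINE_RUN)
    blocking, informational, suppressed = gate(CURRENT_RUN, baseline)
    print(json.dumps({"blocking": blocking, "informational": informational,
                      "suppressed": len(suppressed)}, indent=2))
    return gate_exit_code(CURRENT_RUN, baseline)


if __name__ == "__main__":
    sys.exit(main())
```

Widening the core set later is a one-parameter change (`min_severity="low"`), which is exactly the "enlarge the set step by step" approach described above; the baseline should be committed next to the code and shrunk as old findings are fixed, never grown to hide new ones.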
As always, contact our professional team to launch a secure development lifecycle in your organization, and you will see the number of bugs drop quickly.