As the pace and complexity of software development increase, organizations are looking for ways to improve the performance and effectiveness of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. This makes sense because defects, including security flaws, can often be fixed faster and more cost-effectively if caught early. Issues found during downstream testing or in production lead to costly and disruptive rework.
Organizations have come to understand that the cost of repairing defects increases exponentially as an application moves further into production. Prevention costs are the least expensive, while the cost of correcting something is 10x higher and the cost of an application error 100x higher.
So it is an important step to ask developers to avoid defects, but most developers are not security experts, and tools optimized for the needs of the security team can be too complex and disruptive to be embraced by developers. To make matters worse, these solutions often require developers to leave their integrated development environment (IDE) to analyze problems and determine potential solutions. All this tool and context switching kills developer productivity, so while teams see the benefits of checking their code and open source dependencies for security vulnerabilities, they avoid using the security tools they’ve been given because of the downside of reduced productivity.
To help developers maintain productivity without sacrificing security, they should look for a comprehensive SAST solution that identifies security and quality deficiencies early in the software development lifecycle (SDLC). Specifically, they should look for solutions that:
- allow them to quickly find problems as they code. If developers can fix these issues in real time, that means these issues don’t leave the developer’s workstation;
- provide a full scan if they need it; and
- show them problems found by CI/CD server scans directly in their IDE, without having to scan locally in the IDE.
In response to these needs, Synopsys has developed Code Sight and recently released Code Sight Standard Edition (SE). Code Sight SE is an IDE-based application security solution that helps developers find and fix security vulnerabilities as they code, without switching tools or changing their workflow.
“We spent an enormous amount of time designing Code Sight,” said Raj Kesarapalli, senior manager of product management at Synopsys. He said Code Sight’s core strength is its ability to prioritize developer relevance. It provides that advantage by identifying vulnerabilities while you are still in the development environment. It also ensures that no new issues are introduced as a result of the changes made.
It only scans the selected files in question for problems. It processes the remaining hundreds or thousands of files using the context of a previous scan. Taking advantage of that vast knowledge base eliminates the need for an immediate and lengthy comprehensive scan of the entire universe of files. This gives the developer the freedom to continue writing code while simultaneously finding and solving problems – all within the developer environment.
The process is similar to the way a spell checker works in a Microsoft Word document, Kesarapalli said: while corrections are made to specific words or phrases in the document, the author or editor can keep working and lose little or no time as the process progresses.
For a software team, that means a major productivity gain.
“This gives them what’s relevant and what they can find quickly,” he said. At the same time, fewer errors find their way into the extended cycle of central analysis. “It breaks the loop for some of the problems,” Kesarapalli said.
Code Sight increases developer productivity and early intervention means there is less for the rest of the team to do. In fact, some issues identified early in the development environment never find their way to the other stakeholders.
Developers around the world can access the software by downloading a free trial that will allow them to use the software in less than five minutes. The link to the download is:
Another way to preview Code Sight Standard is with this demo video:
Content provided by SD Times and Synopsys