Code review and source code analysis are two of the most important components of meeting security needs during the programming process, but successfully integrating these approaches into a secure development lifecycle can be challenging, particularly in an agile shop. Developers may be resistant to slowing down their process to include code review; automated tools like static analysis software can bog down the processing power of a desktop machine if implemented incorrectly; and fixing errors can become increasingly complex as code bases expand. How, then, do vendors meet their software security needs while continuing to build more advanced programs and sticking to agile methodologies?
In a recent column for TechTarget, software security expert Gary McGraw and Aetna CISO Jim Routh outlined the evolution of code review practices over the past decade. In many ways, developer buy-in has improved, with the basic attitude of most programmers toward having someone else look at their code shifting dramatically. One realization is that developers are actually more open to review if it comes early in the process rather than at the end of development. As a result, code review tools have become integrated earlier in the process of building software, and a robust set of source code analysis software offerings designed to incorporate review as early as possible has emerged.
The goal for automated code review has remained more or less the same since the idea was first introduced more than a decade ago, the authors noted. Developers need tools that let them check their code without having a security specialist scrutinize each action they make. At the same time, one of the biggest issues in organizations is that there is no accountability – either positive or negative – for software security, McGraw noted in a previous column for InformIT. If developers don't have some incentive encouraging them to check their code, it can become an easy step to skip in the agile methodology.
How can code review be implemented successfully?
To balance the competing pressures surrounding code review practices, companies can look to implement lightweight solutions balanced with human elements of oversight and policy management. In Routh's practical applications of code review efforts, a simple policy statement that encouraged static analysis software use proved ineffective in encouraging developers to use tools, while an approach that incorporated a central code review process did not meet the flexibility needs of agile teams.
The ideal solution, according to Routh's current theory, is for companies to deploy an easy-to-use code review tool that places an emphasis on teaching developers how to eliminate errors, works seamlessly across departments and integrates smoothly so developers can scan their code as they are building it. Additionally, companies can flesh out the program with approaches like static analysis for open source tools and enforcement of code review practices. By incorporating automated reviews as early as possible, companies can increase the likelihood that developers will actually take the time to scan their code and improve accountability.
"Now that (almost) everyone understands the necessity of applying static analysis code review in a software security initiative, we are all busy optimizing performance and scalability tradeoffs," McGraw and Routh wrote. "There is no doubt that code review tools will continue to evolve, resulting in simpler deployment models for developers. It is even likely that the industrial-strength tools will evolve to be more 'agile friendly' and computationally less intensive."
Ensuring code review actually happens in the organization can be a challenge, but lightweight tools that help automate key peer code review processes can be a significant help, as can static analysis software. As companies move toward increasingly agile methodologies, such tools will be an essential component of scaling up their secure development lifecycles.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.