Skip to main content
If only software had built-in code checking.
October 5, 2016

Software Grammar 101

I am not a developer, I’m a writer. However, it has become clear to me that these two professions have more in common than I had originally thought. Really, we are doing the same thing - just in different languages, and to different ends. The gratification that comes from starting with a blank page, building something that didn't exist before, and achieving a purpose, is the same.

I write quickly. I get excited about an idea and take off without a second thought. The end result? Pages of content that convey a message, but also a lot of typos, misplaced commas, and dangling modifiers - an English teacher's nightmare. At this point I must sift back through my work - read it to myself, read it aloud, ask others to read it - and then finally, hours or days later, I have my finished, polished content. If my writing was checked as I went, my editing process could have been easier, more efficient, and more accurate. But to do that without interrupting my creative flow requires automation. The same is true for developers.

Developers write code quickly because they too are in a creative flow, and because deadlines loom. In today’s fast paced market, there is precious little time to devote to reviewing every line of code, despite the consensus that code review is a best practice. Security is often the last thing on a developer’s mind, after functionality and performance. However, not “proofreading” code with an eye toward security defects can lead to the proliferation of vulnerabilities within software that can have an enormously detrimental business effect should there be a breach.

Today every business builds or purchases software to streamline business operations. While many are aware that cybersecurity is important, there is an information gap when understanding how application security works. Vulnerabilities highlighted earlier in software development are easier and less expensive to fix. Fortunately, there are a variety of tools that can assist programmers in creating high-quality code quickly, without leaving security testing to the last minute. The end goal is a strong, integrated security program that allows developers to easily identify and fix threats during the production and use of their software. As with writers, there are a number of tools available and emerging to help developers deliver secure software without slowing them down:

Static Analysis, Autocorrect

This is like autocorrect – highlighting and making suggestions where you may have spelled something wrong, or meant something different. Static analysis integrates into the development team’s existing process and toolset, and scans code frequently during the development process to identify potential errors. Static analysis scans code and highlights potential vulnerabilities without actually executing the code.  

Composition Analysis, the Automated Fact Checker

This might be compared to a writer fact-checking their sources to ensure that contributors are reliable. Composition Analysis inventories elements of the code that were created by third parties and reused by the developer. The inventory is then compared to databases of known vulnerabilities to highlight potential risks in these third party libraries.

Dynamic Analysis, the Automated Editor

I wish this existed for writers (any of you developers want to take a shot?)

Dynamic Analysis probes executing code and highlights areas that might be vulnerable to a hacker that is probing in a similar way. This would be like simulating a reader to make sure they understand the context of the story and are taking away the intended meaning.

30% of companies do not scan for vulnerabilities during code development. This either leaves themselves and their clients open to attacks, or slows down software deployment by running tests late in the process. An author would not write a book, then go back and add the periods and commas later. If they did, the result would likely be poor quality, or a missed deadline. This same risk exists if you do not scan for vulnerabilities during software development. The good news is that tools today can help automate the ongoing editing process.  For software developers, there are even more tools available that enable quality, security and speed. Is your company leveraging these tools in the software development lifecycle?

Amanda is part of the content team at Veracode. In this role, Amanda creates fresh, creative content to build cybersecurity awareness. Amanda has a background in writing about technology, sales, start-ups, and popular culture.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.