In their book Agile Testing: A Practical Guide for Testers and Agile Teams (2008), Lisa Crispin and Janet Gregory wrote that one of the most important factors for success in software development is feedback. “Feedback is a core agile value. The short iterations of agile are designed to provide constant feedback to keep the team on track.” The message still rings true: constant feedback is critical to successful deployments. The faster the better.
agile [aj-uhl] adjective: quick and well-coordinated in movement; lithe: an agile leap.
The word ‘agile’ has been a part of software development for years, and today it’s more important than ever. Contemporary programming is all about speed and security – can you deploy your software faster than the competition, and will it be secure enough to protect valuable customer data in the face of modern threats? It comes down to how agile you are as a team and just how efficient those feedback loops can be.
Why is it critical for feedback to be fast and efficient? Today’s developers must often work so quickly to deliver code that slowing down for even a day can have a delaying domino effect. In a software-soaked world that relies on websites and their companion applications for many everyday activities, release delays quickly add up to monetary losses for organizations, and finding the same flaws after each build is like watching money (and time) circle the drain. That’s a problem for the whole company, not just your team of developers.
The power of instant feedback
Instant feedback with clear results shows developers what’s working and what’s not so that they can pivot quickly, fix flaws, squash bugs, and reduce overall risk earlier in the software development lifecycle (SDLC). And psychologically, instant feedback is gratifying. There’s less room for impatience and more room for action when feedback rolls in as developers are working hard to write successful code. Learning what common flaws look like and how to avoid introducing them while working away is the epitome of efficient and agile for developers.
In previous years, ‘pair programming’ solved some of these feedback issues, but not all. With pair programming, one programmer (the driver) writes code while another programmer (the observer/navigator) reviews the code line by line as it is typed. Even though the two switch roles from time to time, this process is dated and resource-heavy.
Tools like Veracode Static Analysis come equipped with automated security feedback right in the IDE and the Pipeline, taking on the role of observer/navigator so that the driver can do what he or she does best. And it’s quick; the IDE scan returns feedback instantly, while the Pipeline scan takes about 90 seconds on average, and the Policy scan about 8 minutes at the production stage.
This quick feedback helps developers improve their code while they work: the guidance it provides prevents the introduction of new flaws down the road, and a full policy scan before deployment helps developers understand which flaws and vulnerabilities they should be focusing on most.
Less time researching, more time writing secure code
Packed schedules leave little room for patience. Of the respondents to Stack Overflow’s 2020 Developer Survey, 54.5 percent said they simply walk away when they hit a wall with coding problems and work on something else for the time being. Developers are just too busy to wait for feedback. Veracode Static Analysis, which integrates with existing tooling, takes out the middleman and provides that fast, guiding feedback so that developers don’t need to shift gears to another project or scramble if a vulnerability is discovered closer to deployment.
When paired with training tools like Veracode Security Labs, which uses real-world applications to teach developers about exploiting and patching code, scanning platforms with automated security feedback are even more impactful. Solutions that are built to accommodate busy developer schedules go a long way toward helping the entire team succeed, especially if they integrate seamlessly as SaaS-based cloud services that do not disrupt the workflow.
It isn’t enough to practice pair programming or wait to see what went wrong at different points in the build process. In order to get to market quickly with secure applications, fast feedback is just as critical as good feedback. Good feedback that shows developers what the issue is and how to remediate it is a training tool itself that removes risk from your software development processes – and thus removes unnecessary risk from your customers’ shoulders.
Ready to learn more? Check out our eBook on securing your software development pipeline with Veracode Static Analysis.