Innovations to power secure-by-design development

Secure Code Warrior unveils technology designed to help CISOs and AppSec teams ensure their projects remain safe and free of coding errors and vulnerabilities – a big issue following the CrowdStrike incident

Security leaders and software developers will benefit from deeper visibility into their organisations’ software development security posture as they work, bolstering moves towards the nirvana of so-called secure-by-design code, with the introduction of an industry-first solution from sector specialist Secure Code Warrior (SCW).

SCW Trust Agent comes hot on the heels of the introduction of SCW Trust Score, an industry benchmark that quantifies – for the first time – the security competence of software developers within organisations.

Trust Agent uses the same dataset of millions of learning points collected from hundreds of thousands of developers to help users understand whether code being committed to public open source Git-based repositories is good to go, or if it could be a risk down the line. SCW hopes the solution will become an integral part of the secure software development lifecycle.

“At Secure Code Warrior, we are unlocking new value for CISOs by giving them an easy-to-deploy solution to measure the health of code commits and visibility into the hundreds of source code repositories in their organisation,” said Pieter Danhieux, the firm’s co-founder and CEO.

“Our innovations are putting organisations in a better position to bridge the visibility gap between a developer’s skillsets and quality of code produced without sacrificing development velocity.”

Trust Agent will work with any Git-based repo, including GitHub, GitLab, Atlassian Bitbucket and others. It works by examining committed code to see if the uploader is flagged as having the prescribed secure code skillset in that commit’s programming language, and uses that information to rate the health of the commit. These proprietary ratings can then be aggregated across other repos.

SCW believes Trust Agent will offer greater control and flexibility when it comes to developer gatekeeping. For example, it will allow administrators to set up policies and criteria to make sure developers meet a baseline set of expectations before work begins, while for any skills gaps identified through its use, the firm’s agile learning platform can be pushed into play.

Overall, it said, the solution will deliver improved security controls, with policy configurations customisable based on the sensitivity of the project’s needs; comprehensive visibility, including actionable insight into the security posture of code commits; and developer-led security at scale, enabling projects to be delivered quicker and safer, with application security teams freed to focus on the most sensitive reviews.

CrowdStrike chaos

While SCW has made no claims as to whether or not its solutions could collectively have averted the chaos caused by a dodgy CrowdStrike update that temporarily bricked millions of Windows machines last week, the launch comes at a time when the integrity of software development is very high on the agenda.

However, with more information on the source of the issue beginning to trickle out of CrowdStrike, Danhieux reiterated recent calls from security authorities – such as CISA in the US – urging developers to move away from memory-unsafe languages such as C++ to better avoid such vulnerabilities.

Writing on social media platform LinkedIn, he said that would have been a tough ask for CrowdStrike. This is because most kernel-level code is written in C++, so things that are loaded into kernel memory, or that need to access it, such as endpoint detection and response (EDR) in CrowdStrike’s case, will need to continue to use it for the foreseeable future.

Danhieux said such errors could happen in multiple circumstances and were “fairly innocent and easy mistakes to make”.

However, he added, organisations should still take steps to avoid them in their projects. “Once an attacker discovers them, they may be used in a denial-of-service attack or simply crash the application or the whole operating system,” he explained.

“SCW has language-specific coding guidelines, micro-learning videos and multiple practical coding challenges in C/C++,” added Danhieux.

This story was edited at 18:39 BST on Wednesday 24 July to remove references to potentially incorrect information about the source of the CrowdStrike outage.
