How to Analyze Your Code for Security Vulnerabilities

Shifting Left 2.0 is a two-day virtual conference taking place from 9 a.m. to 2 p.m. PDT on June 22nd-23rd that dives deep into application security in the modern tech space. Security experts share insights on topics ranging from how to measure AppSec success to what role AppSec plays in digital transformation. Software developers, security engineers, C-level business leaders and more can all benefit from the lively tech conversations at this free virtual experience. 

Vickie Li, developer evangelist at ShiftLeft, teases her session at Shifting Left 2.0 in the Q&A below. Vickie and Suchakra Sharma, staff scientist at ShiftLeft, describe how to effectively review code for vulnerabilities and present tactics for performing an effective security code review on your applications on Wednesday, June 23rd from 10:10 a.m. to 10:40 a.m. PDT.

You can find the full agenda and register for free at Shifting Left 2.0.

To start off, why don’t you tell me a little bit about your role as a developer evangelist at ShiftLeft?

My job as a developer evangelist is to help developers write more secure code. Here at ShiftLeft, we build and support ShiftLeft CORE, a security tool that helps developers find vulnerabilities in their code through SAST, SCA, and secret scanning. But a big component that goes into building secure software is to understand and remediate the vulnerabilities found by these tools. My goal is to help developers build more secure applications by learning the security fundamentals they need to write secure code and use security tools effectively.

Your session is titled “Intro to Code Analysis,” so I am curious: what are some of the most effective ways to analyze your code for security vulnerabilities?

I am probably giving away a bit of a spoiler here for my session with Suchakra. The most effective way of finding vulnerabilities in code is to use static code analysis, or to find security issues by analyzing source code. Techniques like dynamic analysis and penetration testing excel at finding exploitable vulnerabilities but often miss a large number of security issues. Static analysis, on the other hand, tends to be much better at finding as many vulnerabilities as possible.

But conducting a manual code analysis on every single line of code is inefficient and not feasible in most cases. In this case, utilizing a SAST tool to scan the application and then validating the results afterward using manual code review would be the best action plan. 
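To make the "scan first, then validate manually" workflow concrete, here is a small added example (written for this page, not code from the interview or from ShiftLeft CORE). It is a toy static analyzer built on Python's `ast` module with three illustrative rules: a string literal assigned to a credential-looking name (a tiny secret-scanning check), `subprocess.*` called with `shell=True` or `os.system`, and `eval`/`exec` on a non-constant argument. Each finding carries a confidence so the output doubles as a triage queue: findings marked `needs-review` are exactly the ones where a reviewer must decide whether the argument is reachable from untrusted input. The rule names, the credential name fragments, and the sample source are all constructed for the example.

```python
"""Minimal AST-based static analysis for Python source.

Added example, not ShiftLeft code. Three illustrative rules; every finding
carries a confidence so the scan output can be prioritised for manual review:
  - hardcoded-secret : string literal assigned to a credential-looking name
  - shell-command    : subprocess.* called with shell=True, or os.system()
  - dynamic-eval     : eval()/exec(); "low" when the argument is a constant
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str
    confidence: str  # "high", "needs-review" or "low"


# Constructed heuristics for the example; a real SAST rule set is far larger.
SECRET_NAME_PARTS = ("password", "passwd", "secret", "api_key", "token")
SHELL_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
               "subprocess.check_output"}


def _call_name(node: ast.Call) -> str:
    """Return 'name' or 'module.attr' for simple call targets, '' otherwise."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        is_str = (isinstance(value, ast.Constant)
                  and isinstance(value.value, str) and value.value != "")
        for target in node.targets:
            if (is_str and isinstance(target, ast.Name)
                    and any(p in target.id.lower() for p in SECRET_NAME_PARTS)):
                self.findings.append(Finding(
                    "hardcoded-secret", node.lineno,
                    f"string literal assigned to {target.id}", "high"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            arg = node.args[0] if node.args else None
            # A constant argument cannot be influenced by input: still report, but low.
            conf = "low" if isinstance(arg, ast.Constant) else "needs-review"
            self.findings.append(Finding("dynamic-eval", node.lineno, f"{name}()", conf))
        elif name == "os.system":
            self.findings.append(Finding("shell-command", node.lineno,
                                         "os.system()", "needs-review"))
        elif name in SHELL_CALLS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("shell-command", node.lineno,
                                                 f"{name}(shell=True)", "needs-review"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<input>") -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source, filename))
    return sorted(scanner.findings, key=lambda f: f.line)


def needs_manual_review(findings: list[Finding]) -> list[Finding]:
    """The validation queue: whether `cmd`/`expr` are reachable by untrusted input is a human call."""
    return [f for f in findings if f.confidence == "needs-review"]


# Constructed sample input (not real project code); the secret is a placeholder.
SAMPLE = '''\
import os, subprocess
DB_PASSWORD = "not-a-real-secret"
def run(cmd):
    subprocess.run(cmd, shell=True)
def compute(expr):
    return eval(expr)
def safe():
    return eval("1 + 1")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line:>2}  {f.rule:<17} {f.confidence:<12} {f.detail}")
```

Running it on the constructed sample reports the hardcoded credential at line 2 as high confidence, the `shell=True` call at line 4 and `eval(expr)` at line 6 as needing review, and `eval("1 + 1")` at line 8 as low. That split is the point of the workflow in the answer above: the tool finds every candidate, and the manual review step spends its time only on the findings whose exploitability the tool cannot decide on its own.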

Code is really at the heart of building secure applications. With that in mind, how beneficial is it for developers to have a security mindset when writing code? 

It is extremely crucial for developers to keep security in mind when building software. Security is a team effort by everyone: application security engineers, system administrators, managers, architects, and analysts. But when dealing with application security, developers are the ones who write vulnerabilities into code, and developers are the ones who have to fix vulnerabilities when they are found. So as developers, if we can keep security in mind during the development process, we can prevent vulnerabilities from being introduced into the code base, saving ourselves and our colleagues time and headache down the line.

What type of security training or continuous learning practices should dev teams implement to help secure the code they write?

Learning about security continuously is key to building secure applications. Developer security education needs to be efficient, engaging, and easy to absorb, and we need to introduce security training in a way that is relevant to everyday development work. By identifying security issues in a developer’s code, we can provide the context of the security issue and demonstrate the real-life importance of best practices.
