Postman announced the Postman AI Agent Builder, a suite empowering developers to quickly design, test, and deploy intelligent agents by combining LLMs, APIs, and workflows into a unified solution.
Application Security Lessons from Star Trek: How Kirk & Spock Can Inspire Secure Code - Part 2
August 24, 2016
At its emotional core, Star Trek explores the bond between two very different species – Kirk and Spock – who team up to seek out new worlds and defend the Enterprise. In many ways, the same can be said for developers and security teams. How so? In Part 1 of this blog, we covered Clear Visualization and Teamwork. Here are 2 more ways.
3. Gamification
Resistance is futile when it comes to adopting gamification. Gamification is considered the buzz in today's enterprises and startups alike. Wikipedia has a good description: "Gamification is the use of game thinking and game mechanics in non-game contexts to engage users in solving problems. Gamification is used in applications and processes to improve user engagement, return on investment, data quality, timeliness, and learning."
Gamification takes the teamwork enhancements described earlier to another level.
Gamification can be implemented as an exchange platform between developers, integrated into the developer's environments. In such a setup, each developer would be able to view the security solutions of others.
Developers could then flag particular solutions, similar to a Facebook "like", and even contribute to the general understanding of the nature of the particular vulnerability. Taking it further, it's even possible to reward the user who has been most beneficial to the team. For example, presenting rewards to developers who find the hidden risk, ways to break the code or written an impenetrable function. You can even call it your own in-house bug-bounty program.
A global social network is ideal for implementing such a security exchange platform. However, even simple existing forums, such as GitHub or StackExchange, can be used as they too reward developers for their contribution.
4. Immediate Feedback
"Kirk relied on Spock unfailingly for his advice, knowing it would never be encumbered by any thoughts of personal gain or tempered by emotional constraints," as stated by Time magazine.
The type of immediate feedback Spock is known for also has big benefit in a SAST scenario. We all draw lessons from our mistakes. Previously, a Quality Assessment (QA) was not performed until several months after the development cycle ends. Nowadays, in today's development environments, unit testing is de riguer and developers receive feedback on their code while it's still "fresh off the press".
Taking a look at SAST, we see that many companies employ the tools after the end of the development cycle, several months after the development of the code. Similar to QA processes, SAST should be integrated into the development and testing environments. While first-generation SAST tools provided an analysis too slow to fit into a Continuous Integration and Continuous Deployment environment, important functionality such as incremental analysis, seamless IDE integration and most importantly ease of use, solve this problem.
Live Long and Prosper
Application Security is built around the concept of ensuring that the code written for an application does what it was built to do, and keeps the contained data secure. Notwithstanding the high general interest in security, time and time again developers fail to integrate secure coding best practices. With these four tips, security teams can transfer that security spark to developers when it comes to writing code. In order for any security program to be properly implemented, it needs effective teamwork between developers and security teams.
Amit Ashbel is Director of Product Marketing & Cyber Security Evangelist at Checkmarx.
Industry News
January 22, 2025
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of CubeFS.
January 21, 2025
BrowserStack and Bitrise announced a strategic partnership to revolutionize mobile app quality assurance.
January 16, 2025
Mendix, a Siemens business, announced the general availability of Mendix 10.18.
January 16, 2025
Red Hat announced the general availability of Red Hat OpenShift Virtualization Engine, a new edition of Red Hat OpenShift that provides a dedicated way for organizations to access the proven virtualization functionality already available within Red Hat OpenShift.
January 16, 2025
Contrast Security announced the release of Application Vulnerability Monitoring (AVM), a new capability of Application Detection and Response (ADR).
January 15, 2025
Red Hat announced the general availability of Red Hat Connectivity Link, a hybrid multicloud application connectivity solution that provides a modern approach to connecting disparate applications and infrastructure.
January 15, 2025
Appfire announced 7pace Timetracker for Jira is live in the Atlassian Marketplace.
January 14, 2025
SmartBear announced the availability of SmartBear API Hub featuring HaloAI, an advanced AI-driven capability being introduced across SmartBear's product portfolio, and SmartBear Insight Hub.
January 14, 2025
Azul announced that the integrated risk management practices for its OpenJDK solutions fully support the stability, resilience and integrity requirements in meeting the European Union’s Digital Operational Resilience Act (DORA) provisions.
January 14, 2025
OpsVerse announced a significantly enhanced DevOps copilot, Aiden 2.0.
January 13, 2025
Progress received multiple awards from prestigious organizations for its inclusive workplace, culture and focus on corporate social responsibility (CSR).
January 13, 2025
Red Hat has completed its acquisition of Neural Magic, a provider of software and algorithms that accelerate generative AI (gen AI) inference workloads.
January 13, 2025
Code Intelligence announced the launch of Spark, an AI test agent that autonomously identifies bugs in unknown code without human interaction.
