The road to DevSecOps isn’t always the smoothest

Developers still struggling with security issues during code reviews, study finds

Despite growing awareness of secure coding practices in software companies, developers are struggling to discover and report security issues during code reviews, according to a study by researchers at the University of Zurich, Switzerland.

Organizations are ‘shifting left’, moving security into earlier stages of the software development cycle such as code review. But they are not doing enough to support secure coding or to provide their developers with security training, the researchers find.

Security ‘not a priority’

“Previous studies we conducted have provided evidence that developers often miss vulnerabilities during code review even though they might have had the knowledge to detect them,” Alberto Bacchelli, associate professor at the University of Zurich and co-author of the study, told The Daily Swig.

“These studies highlighted how developers’ mental attitude towards security could be a possible reason behind this behavior.”

The study focuses on how developers perceive security during code reviews. The researchers interviewed 10 developers and surveyed 182 others.

Their findings suggest that while most participants develop security-sensitive software systems, security was still “not a priority during review” and may be assessed “less frequently than reported”.

Moreover, “developers may disregard security aspects during reviews due to their assumptions about the security dynamic of the application they develop”, the researchers said.

“On the one hand, developers do recognize the high importance of ensuring software security during code review,” Bacchelli said. “On the other hand, they struggle to do so due to lack of proper security training and knowledge.”

Companies must play a more active role

The study also highlights the organizational shortcomings in improving security during code review.

“The vast majority of our participants think that companies should do more to support secure practices,” Bacchelli said.

For example, developers are not acknowledged for performing secure code reviews. Moreover, companies do not provide security training and expect developers to acquire security skills on their own.

“In principle, organizations may consider raising security awareness and incorporating more strict software security policies into their development process to create a different attitude,” Bacchelli said.

The researchers’ recommendations include explicit reward systems for developers who ensure security in applications, security training, and dedicated time for learning.

The researchers also stress that responsibilities should be clearly outlined between different developers and teams.

“Developers need to be careful and spread awareness around security assumptions, such as believing that security is the responsibility of another application’s component or team,” Bacchelli said.

Limits of code reviews

“Code review, on its own, is a woefully inadequate solution for detecting security vulnerabilities,” Allon Mureinik, senior software engineering manager at the Synopsys Software Integrity Group, told The Daily Swig.

While confirming the findings of the study, Mureinik also points out that code reviewers are often chosen not for their security expertise but for their knowledge of and experience with the given programming language or domain.

“When performing code review under stressful situations (e.g., near deadlines, which are common in the tech industry), reviewers are probably more likely to revert to focusing on their comfort zone, which for the most part won’t be security,” Mureinik said.

Mureinik also warns that human reviewers inevitably make mistakes, and that their efforts should be complemented by a degree of automation.

“While automated tools will never fully replace a human reviewer, they can be used to detect the common and obvious security flaws and leave the human reviewer to focus on the more complicated issues that need their full attention to understand,” Mureinik said.
