Towards a Concept of Security Specification for Software Supply Chain - Part 1
April 02, 2020

Chetan Conikee
ShiftLeft

Many developers dread code reviews, and one reason for this is probably that most reviewers only offer criticism rather than encouragement. Remember as a peer reviewer, you can also reinforce things you see that are done well, which can be every bit as important and effective as nitpicking every design flaw, mistake, bug or styling issue.

There is an intrinsic value of positive reinforcement for encouraging desirable behavior.


Credit: Amatechinc

Thou Shalt Not Nag a Developer

There is a bevy of static analysis tools that scan source code for common vulnerabilities. The anticipated desired behavior of a developer using these tools is to ascertain and fix any vulnerabilities discovered. Nagging or guilting engineers into fixing stuff is miserable for both sides.

Unfortunately, the results of such tools are almost always focused on the negative, i.e. their copywriting is oriented around implementation risks that can lead to exploits (your application is vulnerable to command injection, XSS, weak authentication, weak cryptography, privilege escalation, etc). Any implementation assessment that is positive in nature (good validation criteria and checks) is muted out, because these tools are optimized/tuned to remove false positives rather than to report what was done right.

Consequently, such tools become an automated security nitpicker with no positive reinforcement whatsoever.

This is dangerous, for several reasons. It undercuts the effort and frustrates developers who spend hours writing code, and then rewriting it (fixing issues via pull requests), and rewriting it again. At times you can witness the stages of grief play out with a security vulnerability:

Anger → Denial → Bargaining → Disengagement/Acceptance.

As a result of this experience, developers often choose to ignore or disengage from these tools.

Rather than muting out observed good practices, can such tools laud them?

Retooling for Positive Reinforcement

An optimal concoction of positive reinforcement with security risks would lead developers to continually engage with such security tools.
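As an added illustration of the retooling argued for here (not code from this post or from ShiftLeft), below is a toy line-based reviewer whose rules report observed good practices alongside risks instead of muting them; the rules, the `Finding` type and the sample source it scans are all constructed for this example and are not the rules of any real analyzer.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str      # "risk" (needs fixing) or "praise" (good practice observed)
    line: int      # 1-based line in the scanned source
    message: str


# Constructed toy rules: each pairs a risky pattern with the positive pattern
# a developer gets credit for. A real tool would use a parser, not regexes.
RULES = [
    ("risk", re.compile(r'execute\(\s*(f"|".*%|.*\+)'),
     "SQL built from string formatting"),
    ("praise", re.compile(r'execute\(\s*"[^"]*\?[^"]*"\s*,'),
     "parameterized query with bound values"),
    ("risk", re.compile(r"shell\s*=\s*True"),
     "subprocess invoked through a shell"),
    ("praise", re.compile(r"subprocess\.run\(\s*\["),
     "subprocess invoked with an argument list, no shell"),
]


def review(source: str):
    """Scan source text line by line and return every risk AND every praise."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for kind, pattern, message in RULES:
            if pattern.search(text):
                findings.append(Finding(kind, lineno, message))
    return findings


def summarize(findings):
    """Count both kinds so the report can lead with what was done well."""
    return {
        "praise": sum(1 for f in findings if f.kind == "praise"),
        "risk": sum(1 for f in findings if f.kind == "risk"),
    }


# Constructed sample input: two risky lines, each next to its good-practice twin.
SAMPLE = '''\
cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
subprocess.run("ls " + path, shell=True)
subprocess.run(["ls", path])
'''

if __name__ == "__main__":
    for f in review(SAMPLE):
        print(f"line {f.line}: [{f.kind}] {f.message}")
    print(summarize(review(SAMPLE)))
```

Run on the sample, the report credits the parameterized query and the shell-free subprocess call in the same breath as it flags their risky neighbours.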

As an alum of Intuit, I was always in awe of TurboTax's delightful experience, which is primarily focused on being goal-oriented rather than task-oriented.


Nobody is motivated to do their taxes for the sake of it. TurboTax knows this and instead orients its experience around the user's true motivation: Get your maximum refund, guaranteed and accomplish it via milestones — now that's a value proposition we can get behind.

Can application security tools be designed with goals in mind?

Of course, finding and fixing all vulnerabilities is NOT a measurable goal. As Dijkstra wisely put it — “Testing shows the presence, not the absence of bugs”.

Our applications evolve continually, so if we knew all the vulnerabilities we were searching for, it would obviate the need to look in the first place.

The journey of a product begins with source code, followed by its metamorphosis into features targeting consumer delight/value, or into bugs turning into vulnerabilities. Bugs are a side-effect proxy for an “observed example of insecurity”, which is often the downside of breakneck-speed productivity.

The consequence of a bug can be classified into the following outcomes:

Exploited — The bug was not discovered, or was ignored, leading to an attacker exploiting it to cause harm.

Undiscovered — The bug still lurks in the code waiting to be exploited.

Found — Awareness of the bug as a consequence of discovery via code review, security tooling, security testing or ethical bounty hunting.

Preventative — What is found is fixed, and checks are enforced so that it does not recur.

Just as you can't magically insert quality into a piece of software, you can't sprinkle or mandate security features onto a design and expect it to become totally secure.

Can you imagine the stress of getting a critical security bug in your code? The stress is multiplied through murky and accusatory vulnerability reports demanding swift action.

Go to Towards a Concept of Security Specification for Software Supply Chain - Part 2

Chetan Conikee is Founder and CTO of ShiftLeft