Project Better Code addresses the need to fix today’s vulnerable code while developing better coders for tomorrow. Here’s how it works.

May 6, 2021 | Blog


Every new Code Dx release is exciting, but release 5.4 takes the excitement level up a notch. This release is built around Project Better Code, which features a native integration with Secure Code Warrior to address a major root cause of insecure code: the lack of consistent, relevant security training. The integration allows developers & security teams to access contextual, language-specific, just-in-time microlearning for their Code Dx findings & vulnerabilities within their preferred DevOps tools. The training is natively integrated at different levels within the product to support the various personas:

  1. Software Developers: Code Dx’s native integration with Secure Code Warrior is now available within the Code Dx IDE plugins. Code Dx offers comprehensive, native support for a variety of IDEs like IntelliJ, Eclipse & Visual Studio.  

Image 1 – Code Dx Eclipse plugin with native integration for Secure Code Warrior.  

Using Code Dx, developers can open micro lessons to understand the root cause of issues identified in their own code: the nature of the vulnerability, how it could be exploited, and how to fix it, all from within the comfort of their preferred IDE. The native integration boosts developer knowledge while avoiding undue context switching & distractions. This matters because human factors directly influence the quality of your code: a study of Microsoft's Windows codebase, for example, found that code ownership and the number of minor contributors to a component were strong predictors of pre- and post-release defects.1

  2. Development Managers: The Secure Code Warrior content linked to each finding can also be exported into popular bug tracking systems like JIRA, Azure DevOps, GitLab & ServiceNow, giving development managers the context for the issue at hand and helping them prioritize it with their developers. Developers can view this information in their issue tracker and move seamlessly to their IDE when they begin remediation, so they can work on the change without the disruptive, out-of-band activities that some legacy security tools require. Quality code results in less rework and improved productivity, ultimately saving time and effort for the team, and it reduces the recurrence of similar issues going forward. Code Dx's market-leading bi-directional issue tracker integrations keep development and security in sync with changes automatically, without added overhead.

Image 2 – Code Dx-JIRA integration with contextual link to Secure Code Warrior.  

  3. Security Teams: The Secure Code Warrior integration expands the value of the Code Dx solution by providing security teams with contextual, just-in-time micro courses within the findings/vulnerability view, giving them the full context for a vulnerability during issue triage and remediation planning. Capabilities like Code Dx's Triage Assistant make it possible to automate these time- & labor-intensive triaging processes and streamline security review workflows to operate at the speed of DevOps. Code Dx can help you prioritize, fix & report on findings to achieve compliance with PCI-DSS, HIPAA, DISA STIG, the OWASP Top 10, etc. Many of these standards also include requirements for secure development training. Secure Code Warrior can help satisfy that requirement by giving developers dynamic training content that appeals to their creative, problem-solving traits to:
     - Reduce gaps in developer skills & knowledge
     - Ensure teams can code securely in their chosen language and framework
     - Ensure ongoing compliance and compliance training as security frameworks evolve
     - Gamify security training with real-world, immersive secure coding tournaments and missions to motivate learning.

Image 3 – A static analysis finding for an XML injection, as reported by Checkmarx, Fortify & HCL AppScan, now has a contextual micro course from Secure Code Warrior linked to it.

SUMMARY

Code Dx automates the arduous workflows needed to centralize analyzing, prioritizing, and fixing security vulnerabilities across disparate security tools, at DevOps speed. Code Dx orchestrates scan automation, automates triage, and prioritizes tracking and remediation of vulnerabilities, while continuously assessing security risk across the entire software lifecycle. The Code Dx connectors allow customers to pull security vulnerabilities into Code Dx programmatically so it can de-duplicate, normalize, and correlate all the findings and present a single, coherent list of prioritized issues.

Secure Code Warrior is a global security company that makes software development better and more secure. Our vision is to empower developers to be the first line of defense in their organization by making security highly visible and providing them with the skills and tools to write secure code from the beginning. 

Our customers include financial institutions, telecommunications providers and global technology companies in Europe, North America and the Asia Pacific.

Learn more about Project Better Code.

1 C. Bird, N. Nagappan, B. Murphy, H. Gall, and P. Devanbu, "Don't Touch My Code!: Examining the Effects of Ownership on Software Quality," in Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (ESEC/FSE '11), New York, NY, USA: ACM, 2011, pp. 4–14.

