Project Better Code

Release more secure code today while training software developers to write better code tomorrow.

What is Project Better Code?

Project Better Code is a partnership between Secure Code Warrior and Code Dx to promote digital innovation through secure code practices.

Software development has changed from a disparate, siloed process into a lightning-fast, integrated collaboration. DevSecOps has let companies innovate at an incredible pace, and Project Better Code wants to support that growth through high-performance software security.

[DevSecOps diagram: the four legacy silos that DevSecOps replaces]

Silo 1: Development – Work on a release for 3-6 months without any input from security

Silo 2: Security – Wait for development to send code and then run a SAST or DAST tool

Silo 3: Operations – Need input

Silo 4: Training – Annual certification course done via eLearning or in-person

Defining High-Performance Software Security

Mature organizations already have world-class developers and security teams on staff, but those teams need the right resources to collaborate effectively and maximize their DevSecOps velocity.


Two capabilities that many organizations lack:

Vulnerability Management Automation & Orchestration

Best practices in software security suggest that organizations use best-of-breed tools from multiple vendors to get sufficient vulnerability coverage. These tools are great at what they do, but they do not integrate with each other and their output formats are close to incompatible. This leaves security teams managing thousands of vulnerabilities with spreadsheets or by manually reviewing disparate reports. Vulnerability Management Automation & Orchestration tools like Code Dx can programmatically aggregate these results, run them through Code Dx’s correlation & normalization engine, and provide a coherent stream of prioritized issues in line with the organization’s software security management processes. Code Dx can also help security teams run on-demand, scalable, orchestrated security pipelines in tandem with their DevOps tools, reducing the burden and the high startup costs of getting each individual tool operationalized in true DevSecOps fashion. Lastly, the Code Dx platform offers a way to leverage machine learning to triage new incoming vulnerabilities based on an organization’s rules and past triage decisions, automating recurring time- and resource-intensive tasks.
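To make the normalization and correlation step concrete, here is an added illustrative example (not Code Dx’s engine or any vendor’s code). It takes two constructed tool exports with incompatible field names and severity scales, maps them onto one finding schema, merges results that point at the same weakness at the same location, and orders the merged queue by severity and by how many tools corroborate each finding. The tool names, field names and sample findings are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample export resembling a SAST tool's JSON (hypothetical field names).
SAST_REPORT = {
    "tool": "sast-scanner",
    "results": [
        {"rule": "CWE-89", "severity": "HIGH", "path": "app/db.py", "line": 42,
         "message": "SQL built by string concatenation"},
        {"rule": "CWE-79", "severity": "MEDIUM", "path": "app/views.py", "line": 17,
         "message": "Unescaped user input rendered in template"},
    ],
}

# Constructed sample export from a second tool that uses different field names
# and a numeric risk score instead of severity words (also hypothetical).
OTHER_REPORT = {
    "scanner": "other-analyzer",
    "issues": [
        {"cwe": 89, "risk": 4, "file": "app/db.py", "start_line": 42,
         "title": "SQL injection"},
        {"cwe": 798, "risk": 3, "file": "app/settings.py", "start_line": 3,
         "title": "Hard-coded credential"},
    ],
}

# Common severity scale every tool's rating is mapped onto: 1 low .. 4 critical.
SEVERITY_WORDS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    cwe: int
    path: str
    line: int
    severity: int
    tools: list = field(default_factory=list)
    messages: list = field(default_factory=list)

    @property
    def key(self):
        # Same weakness class at the same location: the correlation key for merging.
        return (self.cwe, self.path, self.line)


def normalize_sast(report):
    """Map the SAST-style export onto the common Finding schema."""
    out = []
    for r in report["results"]:
        cwe = int(r["rule"].split("-")[1])
        out.append(Finding(cwe, r["path"], r["line"],
                           SEVERITY_WORDS[r["severity"].upper()],
                           [report["tool"]], [r["message"]]))
    return out


def normalize_other(report):
    """Map the second tool's export onto the common schema, clamping its risk score."""
    out = []
    for i in report["issues"]:
        out.append(Finding(i["cwe"], i["file"], i["start_line"],
                           max(1, min(4, i["risk"])),
                           [report["scanner"]], [i["title"]]))
    return out


def correlate(findings):
    """Merge findings that share a correlation key, keeping the worst severity seen."""
    merged = {}
    for f in findings:
        if f.key in merged:
            m = merged[f.key]
            m.severity = max(m.severity, f.severity)
            m.tools.extend(f.tools)
            m.messages.extend(f.messages)
        else:
            merged[f.key] = f
    return list(merged.values())


def prioritize(findings):
    # Worst severity first; among equals, findings several tools agree on rank higher.
    return sorted(findings, key=lambda f: (f.severity, len(f.tools)), reverse=True)


def triage_queue():
    """Full pipeline over the constructed exports: normalize, correlate, prioritize."""
    return prioritize(correlate(normalize_sast(SAST_REPORT) + normalize_other(OTHER_REPORT)))


if __name__ == "__main__":
    for f in triage_queue():
        print(f"sev={f.severity} CWE-{f.cwe} {f.path}:{f.line} tools={sorted(set(f.tools))}")
```

On the sample data the two SQL injection reports collapse into one finding rated at the higher of the two severities and attributed to both tools, so the queue holds three items instead of four. A real correlation engine also has to cope with line drift between scans and with tools that disagree about the CWE, which this sketch deliberately ignores.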

Contextual training

Legacy training processes were not designed for DevSecOps. Historically, training was viewed as a “check-the-box” activity: developers and security teams would attend an annual in-person or eLearning seminar to stay up to date with trends. But trends now change so often, and retention of a once-a-year session is so limited, that training needs to be part of everyday life for these teams.

Secure Code Warrior has partnered with Code Dx to bring contextual, just-in-time training right into the Code Dx platform. This allows Code Dx users to train on their actual vulnerabilities with just one click.

How Does it Work?

This integration builds in capabilities for both security teams and developers.

Security teams can review their findings in Code Dx and access training for a selected vulnerability right in the findings view.

From the findings screen a user can drill down into a specific finding. Where available, a Train Now button is displayed that takes the user to Secure Code Warrior (SCW) contextual microlearning.

The training video is also embedded into the finding where available and can be viewed by expanding the section under the Description.

Developers can access training right from their ecosystem (IDE & Bug Tracking).

SCW is also integrated into the Code Dx IDE plugins. You can select a finding from the list and click the magnifying glass to view its details, which include a Train Now button and a drop-down with the training video where available.

Code Dx also supports a JIRA integration in which links to the contextual training material can be added automatically to the remediation ticket when it is created.

Check out this short video to see the integration in action: