Code quality and code security aren’t the same, but they’re closely related. And in the current cyberthreat environment, developers should care about both.
Many developers draw a distinction between code quality and code security. Traditionally, embedded development and QA teams focused on quality, as software defects in embedded devices can cause life-threatening consequences. By contrast, security was most often a concern with web and commercial applications that handle sensitive customer data.
However, because customers now rely heavily on interconnected web and embedded applications, all development teams should be addressing both code quality and code security.
Every developer cares about software quality to an extent. Those who can’t write reliable code that consistently produces the intended results will struggle to stay employed. But that doesn’t mean every developer should approach quality in the same way.
Software quality is not optional for embedded developers who write code that will drive cars and operate machinery. Web and commercial application developers have always needed to write stable code, but minor bugs used to be less consequential.
However, as organizations increasingly rely on web applications to automate business processes and process large datasets, the repercussions of production outages or malfunctioning software have become more severe. Web application developers are under increasing pressure to deliver clean software that produces intended outcomes for the customers that depend on their products.
Does this mean that web application and embedded developers should treat code quality the same way? Probably not. Regardless, web application developers cannot ignore the business risks of delivering unreliable software.
Web applications provide a portal through network firewalls, allowing attackers to access sensitive information by exploiting software vulnerabilities. For this reason, most web application developers use application security testing technologies to test their code for common security weaknesses.
Traditionally, the embedded market wasn’t as concerned with software security. Instead, embedded developers focused more on quality defects that could cause reliability or functionality issues. This focus has changed with the growth of the Internet of Things (IoT). Now that most embedded devices are connected to the internet, they are also connected to malicious actors. Embedded developers must understand and respond to the potential security implications of building software in connected devices.
Those who don’t think the security threats to embedded devices are real should look to 2015 when two security researchers hacked into a moving Jeep—leading Chrysler to recall 1.4 million vehicles.
Again, this doesn’t mean web application and embedded developers should treat software vulnerabilities the same way. Different kinds of software pose different risks. However, this does mean every developer should be checking their code for security issues.
Every developer should be concerned with software quality and software security to some degree. Embedded developers need to ensure that their code is reliable and that hackers can’t access devices through the internet. Web and commercial application developers should focus on securing customers’ sensitive data and removing any bugs that could cause production outages or other failures.
Code quality and security are similar in that both types of issues can be identified with static analysis. By looking at dataflow paths through an application, static analysis tools can identify where an application mishandles data or code produces unintended outcomes.
Coverity’s code quality and code security checkers help developers produce clean, secure, and reliable code by carefully examining potential execution paths that could lead to software defects. With a single analysis engine, developers find defects that could impact reliability and functionality, in addition to exploitable security weaknesses that could expose sensitive information.
As a Product Marketing/Business Rotational Program Associate at Synopsys, Charlie will rotate through the sales, marketing, sales operations, and finance departments four months at a time. He joined Black Duck Software in July, before Black Duck Software was acquired by Synopsys. During his time in sales and marketing, Charlie has researched and learned about the importance of open source risk management—especially pertaining to container security and secure DevOps practices. While in marketing, Charlie has been helping with the launch of OpsSight, a product designed for IT Operations and Infrastructure teams hoping to automate security practices in the production environment. He holds a B.A. in Political Economy from Bates College.