It has been decades since application development evolved to include the creation of software for local installation as well as hosted, cloud-based delivery and software as a service (SaaS). This evolution was the first shift in development workflows—and it established a new potential attack vector for software assets in production. Next came the proliferation of open source, accelerating software development and innovation, and engendering the realization that security risks can scale as quickly as the community can adopt popular—and vulnerable—open source components.
Now we find ourselves in a new phase of evolution for the software development life cycle, characterized by rapid DevOps workflows, CI/CD pipelines, and myriad application security testing tools with disparate control points and fragmented results. Simultaneously, security responsibilities are falling on developers without a corresponding shift in the scope of their role. Tight shipping deadlines and accelerating sprints mean there is less time for software developers and engineers to create more secure software.
Secure coding is essential to avoid putting the organization, and the sensitive data it accesses, transmits, and stores, at risk. Late-stage security testing complicates secure development practices: it forces software artifacts that are noncompliant with security policies back to earlier stages of development, and it steals focus from developers who have already moved on to the next sprint. To address this challenge, in early 2022, Synopsys launched a standalone version of its Code Sight™ IDE security plugin for VS Code. It allows developers to scan software artifacts and identify quality and security risks in the code they wrote, as well as known vulnerabilities in open source components and dependencies.
Now, the standalone Code Sight security plugin is available for IntelliJ, making IDE-based application security testing attainable without breaking established development workflows.