When static code analysis tools identify a bug in the production code, there are two approaches organizations can take. The sensible one is to put a software developer or two on the problem and implement an immediate bug fix. The other option is to assemble the software team, debate the relative risk of not addressing the problem, and then choose not to do anything about the issue because the reward associated with doing so isn’t commensurate with the risk. You’d be surprised how often teams choose the latter approach.
The dangers of risk assessment
“Many organizations have an effective process for identifying problems, but no process for remediation,” said Matt Rose, the global director of application security strategy at Checkmarx. “Organizations do a lot of signing off on risk. Instead of saying ‘let’s remediate that’ they say ‘what’s the likelihood of this actually happening?'”
Sadly, the trend towards cloud-native, DevOps based development hasn’t reversed the this trend towards preferring risk assessment over problem remediation. The goal of any team that is embracing DevOps and implementing a system of continuous delivery is to eliminate as many manual processes as possible. A big part of that process is integrating software quality and static code analysis tools into the continuous integration server’s build process. But simply automating the process isn’t enough. “A lot of times people just automate and don’t actually remediate,” said Rose.
The bug fix benefit
There are very compelling reasons to properly secure your applications by implementing a bug fix. The most obvious is that your code has fewer identifiable issues, giving software quality tools less to complain about. “It doesn’t matter whether a bug is critical or non-critical. A bug is a bug is a bug. If you don’t act upon it, it’s not going to go away.”
“Many organizations have an effective process for identifying problems, but no process for remediation. Organizations do a lot of signing off on risk.”
-Matt Rose, the global director of application security strategy at Checkmarx.
The other benefit is the fact that the process of addressing a problem and coding a bug fix is actually an educational experience. Developers get informed of the problem, realize how a given piece of code may have created a vulnerability, and then they are given the opportunity to re-write the given function so that the issue is eliminated. “Working on vulnerabilities that are in your application and are real-world to you is going to teach you how not to make the same mistakes over and over again.”
So skip the risk assessments. If there’s a problem in your code, implement a bug fix. That will eliminate the risk completely.