As a Software Engineer, I would like to detect security vulnerabilities in my codebase early enough, before committing my code.
Detecting security vulnerabilities is very important in the SDLC (Software Development Life Cycle): it allows developers to fix any security-related issues before raising a change request, or even before the security team flags the vulnerability.
To tackle these security vulnerabilities, Engineers can integrate the following techniques into their current workflow.
Engineers can integrate their favourite IDEs with security scanning and detection plugins such as Snyk (snyk.io) and SonarLint.
The Snyk IDE plugin helps Engineers secure their code as they develop: it scans the code in real time for vulnerabilities and provides advice on how to fix them.
The SonarLint IDE plugin helps to identify and fix quality and security issues as Engineers write code. These two plugins will fix and advise on any security vulnerabilities.
Software Engineers should cultivate the habit of implementing pre-commit hooks that contain a workflow for managing security vulnerabilities. The pre-commit hook runs first, before the commit message is even typed in.
The workflow will contain the following:
- Check whether any secrets (passwords, API keys) appear as plain text in the codebase
- Check whether a private key is present in the codebase
- Remove whitespace
- Check added large files to confirm that the right files are in the codebase.
- Integrate an automated security testing approach, such as one that detects Cross-Site Scripting (XSS) vulnerabilities and tests for input validation injections.
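As an added example (not code from the article), here is a minimal git pre-commit hook in Python that implements the first four checks of the workflow above; the size threshold, the credential patterns and the script name are assumptions of this example, not part of the original post:

```python
# Git pre-commit hook (hypothetical, written for this article): fails the commit when a
# staged file holds a plain-text credential, a PEM private key, trailing whitespace, or is too large.
import re
import subprocess
import sys

MAX_BYTES = 1_000_000  # constructed threshold: flag staged files over 1 MB
# Credentials assigned in plain text (password = "...", api_key: ...) and PEM private keys.
SECRET_RE = re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]?[^\s'"]{8,}""")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
TRAILING_WS_RE = re.compile(r"[ \t]+$")

def find_secrets(text):
    # 1-based line numbers that look like hard-coded credentials
    return [i for i, ln in enumerate(text.splitlines(), 1) if SECRET_RE.search(ln)]

def has_private_key(text):
    return PRIVATE_KEY_RE.search(text) is not None

def trailing_whitespace_lines(text):
    return [i for i, ln in enumerate(text.splitlines(), 1) if TRAILING_WS_RE.search(ln)]

def check_file(path, data, max_bytes=MAX_BYTES):
    # Return the findings for one staged file's bytes (an empty list means clean).
    findings = []
    if len(data) > max_bytes:
        findings.append(f"{path}: {len(data)} bytes exceeds limit of {max_bytes}")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return findings  # binary content: only the size check applies
    findings += [f"{path}:{n}: possible plain-text secret" for n in find_secrets(text)]
    if has_private_key(text):
        findings.append(f"{path}: private key material")
    findings += [f"{path}:{n}: trailing whitespace" for n in trailing_whitespace_lines(text)]
    return findings

def main():
    # Inspect the staged blobs (git show :path), not the working tree, so partial stages are judged as committed.
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"]
    paths = [p.decode() for p in subprocess.check_output(cmd).split(b"\0") if p]
    problems = [f for p in paths for f in check_file(p, subprocess.check_output(["git", "show", f":{p}"]))]
    for problem in problems:
        print(problem, file=sys.stderr)
    return 1 if problems else 0  # a non-zero exit status aborts the commit

if __name__ == "__main__":
    sys.exit(main())
```

Save it as `.git/hooks/pre-commit` and make it executable; git then runs it before opening the commit message editor, which is the ordering the article relies on.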
In conclusion, please let me know if you find this article interesting. More ways of tackling security are welcome.