Security Guidance and Feedback in IDE
This Working Session will consider the IDE (Integrated Development Environment) as the best location to provide security guidance and feedback to developers.
- Review current state of security guidance and understand what works and what doesn’t work
- When should security guidance be provided to developers?
- What is the best way to present this information?
- How to use gamification techniques/workflows to create a positive and engaged environment
- Who should write the guidance?
- Create industry-wide guidance (avoid reinventing the wheel)
This Working Session will create industry-wide security guidelines.
Synopsis and Takeaways
Specific and targeted
- Address noise within an IDE – specific and targeted live analysis of code to highlight specific areas requiring attention rather than flooding developers with a long list of errors that they will not be able to address; filtering option may be useful to streamline the process of identifying security errors.
- Feedback on vulnerabilities needs to be accurate particularly if it’s a general security issue. However, there may be exceptions to these rules.
- Think carefully about when and where to highlight these exceptions to maintain the credibility of the tool.
- Developers are competitive and want to maximise achievement. Introducing a scoring system may be a good way to do this: e.g., scoring unit test coverage on how it addresses security errors.
Low resource consumption
- Many IDEs can be resource-intensive and development may involve virtualisation technologies that are also resource-intensive. Whatever is added to the IDE should not add to that load.
- Don’t just think about the code the developers are writing, think about code being included from third party libraries or dependencies., e.g., CVE scanners.
The target audience for this Working Session is:
- IDE developers
- AppSec professionals
- Tool makers
Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions)
Related Working Session(s)
Back to list of all Working Sessions and Tracks
Edit this page here