Security leaders and software developers will gain deeper visibility into their organisation's software development security posture as they work, bolstering moves towards secure-by-design code, with the introduction of an industry-first solution from sector specialist Secure Code Warrior (SCW).
SCW Trust Agent comes hot on the heels of the introduction of SCW Trust Score, an industry benchmark that quantifies – for the first time – the security competence of software developers within organisations.
Trust Agent draws on the same dataset of millions of learning points, collected from hundreds of thousands of developers, to help users judge whether code being committed to their Git-based repositories is good to go, or whether it could become a risk down the line. SCW hopes the solution will become an integral part of the secure software development lifecycle.
“At Secure Code Warrior, we are unlocking new value for CISOs by giving them an easy-to-deploy solution to measure the health of code commits and visibility into the hundreds of source code repositories in their organisation,” said Pieter Danhieux, the firm’s co-founder and CEO.
“Our innovations are putting organisations in a better position to bridge the visibility gap between a developer’s skillsets and quality of code produced without sacrificing development velocity.”
Trust Agent will work with any Git-based repo, including GitHub, GitLab, Atlassian Bitbucket and others. For each commit, it checks whether the committer has been flagged as holding the prescribed secure-coding skillset for that commit's programming language, and uses that information to rate the health of the commit. Note that the rating reflects the committer's recorded skills rather than a static analysis of the code itself. These proprietary ratings can then be aggregated across repos.
SCW believes Trust Agent will offer greater control and flexibility when it comes to developer gatekeeping. For example, it will allow administrators to set up policies and criteria to make sure developers meet a baseline set of expectations before work begins, while for any skills gaps identified through its use, the firm's agile learning platform can be brought into play.
Overall, it said, the solution will deliver improved security controls, with policy configurations customisable based on the sensitivity of the project’s needs; comprehensive visibility, including actionable insight into the security posture of code commits; and developer-led security at scale, enabling projects to be delivered quicker and safer, with application security teams freed to focus on the most sensitive reviews.
CrowdStrike chaos
While SCW has made no claims as to whether or not its solutions could collectively have averted the chaos caused by a faulty CrowdStrike update that left millions of Windows machines crashing into boot loops last week, the launch comes at a time when the integrity of software development is very high on the agenda.
However, with early analyses of the crash widely attributing it to a relatively common C/C++ memory-safety flaw, a null pointer dereference in kernel-mode code, Danhieux reiterated recent calls from security authorities, such as CISA in the US, urging developers to move away from memory-unsafe languages to better avoid such vulnerabilities.
Writing on social media platform LinkedIn, he said that would have been a tough ask for CrowdStrike. This is because most kernel-level code is written in C++, so anything that is loaded into kernel memory or needs to access it, such as endpoint detection and response (EDR) software in CrowdStrike's case, will need to use it for the foreseeable future.
Danhieux said null dereference errors could happen in multiple circumstances and were “fairly innocent and easy mistakes to make”.
However, he added, organisations should still take steps to avoid them in their projects. “Once an attacker discovers them, they may be used in a denial-of-service attack or simply crash the application or the whole operating system,” he explained.
“SCW has language-specific coding guidelines, micro-learning videos and multiple practical coding challenges in C/C++ around null dereference,” added Danhieux.
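To make the flaw class concrete, the following is an added C example (not CrowdStrike's, SCW's or any real EDR code): a small rule lookup of the kind a kernel-mode content interpreter might perform, with the unchecked dereference beside its hardened form. The rule table, field names and sample event string are constructed for illustration, and the "unchecked" function is shown only to demonstrate the mistake; calling it with a missing or malformed rule would crash the process, or bug-check the machine if this ran in the kernel.

```c
/* Added example: null pointer dereference in a rule lookup, vulnerable
 * form beside the hardened form. Names and data are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A detection rule as a content interpreter might load it from an update. */
struct rule {
    uint32_t id;
    const char *pattern;   /* may be unset if the update file is malformed */
};

/* Constructed sample table: rule 3 has no pattern; rule 99 does not exist. */
static const struct rule RULES[] = {
    { 1, "powershell -enc" },
    { 2, "certutil -urlcache" },
    { 3, NULL },
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

/* Returns the rule for `id`, or NULL when no such rule exists. Every caller
 * must handle the NULL case; the two functions below show why. */
static const struct rule *lookup_rule(uint32_t id)
{
    for (size_t i = 0; i < N_RULES; i++)
        if (RULES[i].id == id)
            return &RULES[i];
    return NULL;
}

/* VULNERABLE: assumes the id is always present and the pattern always set.
 * On an unknown id (r == NULL) or an empty rule (r->pattern == NULL) this
 * dereferences a null pointer: a segfault in user space, a bug check and
 * whole-machine crash in kernel mode. Only the valid-id path is exercised. */
int matches_unchecked(uint32_t id, const char *event)
{
    const struct rule *r = lookup_rule(id);
    return strstr(event, r->pattern) != NULL;   /* r or r->pattern may be NULL */
}

/* HARDENED: validate every pointer that can be NULL before dereferencing it,
 * and report the failure as a value the caller can act on instead of crashing.
 * Returns 1 on match, 0 on no match, -1 when the rule is missing or malformed. */
int matches_checked(uint32_t id, const char *event)
{
    if (event == NULL)
        return -1;
    const struct rule *r = lookup_rule(id);
    if (r == NULL || r->pattern == NULL)
        return -1;                      /* reject bad input; do not crash */
    return strstr(event, r->pattern) != NULL ? 1 : 0;
}

int main(void)
{
    const char *event = "cmd.exe /c powershell -enc SQBFAFgA";   /* constructed */
    printf("rule 1 (checked): %d\n", matches_checked(1, event));    /* 1 */
    printf("rule 2 (checked): %d\n", matches_checked(2, event));    /* 0 */
    printf("rule 3 (checked): %d\n", matches_checked(3, event));    /* -1: NULL pattern */
    printf("rule 99 (checked): %d\n", matches_checked(99, event));  /* -1: no such rule */
    /* matches_unchecked(3, event) or matches_unchecked(99, event) would crash here. */
    return 0;
}
```

The point of the hardened form is that a malformed or missing rule becomes an error return the caller can log and skip, which is what turns a potential kernel crash (or a denial-of-service lever for an attacker who can influence the input) into a handled condition. Compiling with warnings enabled and running the user-space build under a sanitizer or static analyser is the cheapest way to catch the unchecked pattern before it ships.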