Software quality affects software vendors as much as it affects end-user organisations. The question is how we improve it, because it has to be done. Organisations are castigated when they fail to apply patches, but with so many software vendors now issuing patches for defects in their own code, keeping up can be a battle.
At the RSA Conference in San Francisco, Enterprise Times talked with Chris Eng, Chief Research Officer at Veracode, about software quality. Eng is responsible for the quality of Veracode's own products. ET asked him what needs to be done. Eng replied: “A lot of what we are finding lately is getting more touch points with developers.”
Eng continued: “We are now in the IDE, the continuous integration pipeline, we are at every touchpoint.” The goal is to tell the developer immediately when they have introduced bad code, and at that point the tools can also show the developer how to fix it.
DevOps provides the right environment for this, according to Eng. Its push for automation and speed means that fixing now is better than fixing later, and it stops security debt piling on top of the technical debt that development teams already carry.
Another part of this is changing culture, and that needs better education. Eng points out that a computer science graduate is unlikely to have been taught what a SQL injection attack looks like; they are not taught to look at their code from an attacker's viewpoint. The only way to fix this, says Eng, is for the large technology companies to demand that level of knowledge as a prerequisite for employment. At that point, education changes.
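As an added illustration of the point Eng makes (this is example code written for this page, not code from the article or from Veracode), here is what a SQL injection looks like from the attacker's side, next to the fix a developer would expect a tool to suggest. The users table and the credentials in it are constructed for the demonstration; the function names are assumptions made here.

```python
import sqlite3

# Constructed sample data for this demonstration; not taken from the article.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The defect: user input is pasted into the SQL text, so it can change
    the structure of the query. Returns the names the query matched."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """The fix: a parameterised query. The driver binds the values as data,
    so a quote or comment marker in the input is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Two classic injection payloads, as an attacker would type them into the
# username field. The password field can hold anything.
IMPERSONATE_ALICE = "alice' --"        # closes the string, comments out the password check
MATCH_EVERYONE = "' OR '1'='1' --"      # makes the WHERE clause always true


def demo():
    """Run both payloads against both implementations and return what each
    matched. Legitimate credentials work in both; only the vulnerable
    version lets the payloads through."""
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "impersonate_vulnerable": login_vulnerable(conn, IMPERSONATE_ALICE, "wrong"),
        "impersonate_safe": login_safe(conn, IMPERSONATE_ALICE, "wrong"),
        "everyone_vulnerable": login_vulnerable(conn, MATCH_EVERYONE, "wrong"),
        "everyone_safe": login_safe(conn, MATCH_EVERYONE, "wrong"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

Run on its own, the script shows the vulnerable login returning alice's row for a wrong password and every row for the tautology payload, while the parameterised version returns nothing for either, because the payload is compared as a literal username rather than executed as SQL.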
To hear what else Eng has to say, listen to the podcast.
Where can I get it?
obtain it for Android devices from play.google.com/music/podcasts
use the Enterprise Times page on Stitcher
use the Enterprise Times page on Podchaser
listen to the Enterprise Times channel on Soundcloud
listen to the podcast on the Enterprise Times site, or download it to your local device and listen there