What Kind Of Security Tools Should I Provide My Developers?

Question What kind of security tools should I provide my developers?

Casey Bisson, Head of Product and Developer Relations, BluBracket: There’s a belief that developers don’t care about security. Nothing could be further from the truth.

Developers are passionate about building great solutions, and security is emphatically part of a job well done. But if developers are forced to use tools or navigate a policy that blocks progress, they’ll engineer a way around those tools or policies.

Companies can choose between tools that help developers work effectively and securely, or tools they have to work around. It has never been more critical to empower developers with tools that promote security instead of those that ultimately detract.

Use pre-commit hooks to enforce conventional commit messages.

Commit messages are an afterthought for many developers, but the conventional commit format helps break the writer’s block that sometimes hits us when trying to describe what the commit does.

Commit messages are the first thing we see when going through code history to understand why something was changed and what the intent was. When another developer has to go spelunking in code to dig into a bug—or especially a security issue—conventional commits can help make sense of the noise and make it easier to identify anything questionable.

Use pre-commit hooks to scan for secrets and other code risks before they get into code.

A secret in code is a secret told. Blocking secrets at the source is one of the most important steps developers can take to improve security.

Sign your commits.

...and enforce signed commits using branch protection rules. Signed commits are the start of a secure code supply chain.

Automate your security.

We’ve long been using automated testing in the CI process to give developers immediate feedback on every commit/PR and end the “it works on my machine” problem. Automated security testing in that flow drives the same improvements for security: giving developers guidance about security risks before they get deployed is the best way to improve security with every commit.