Code Security & Code Quality with Ponicode
Are you confused between Ponicode and CircleCI? It’s not you, it’s us. Ponicode was acquired by CircleCI as of March 2022. The content and material published prior to this date remains under Ponicode’s name. When in doubt: Ponicode = CircleCI
At the heart of the Ponicode project is the promise to make beautiful code more accessible than ever before. On numerous occasions, we have explained our definition of good, healthy, beautiful code: code that is refactored to serve one purpose, code that is efficient and performs well, and code that has been tested, documented and secured.
As we have been developing the Ponicode solution, we have had many discussions with tech leaders and CTOs, which have brought us to the understanding that these characteristics are not separate from each other; they are, in fact, intricately intertwined. As a solution focused on code quality, Ponicode may have been perceived as not directly supporting code security or documentation efforts. Today, however, we talk with Baptiste Bouffaut about how Ponicode reconciles code quality with code security, and about our ambition to make beautiful code accessible to everyone.
Code quality and code security rely on one another.
Code quality means ensuring high-performing software at all times, and security vulnerabilities jeopardise that performance. This is why quality is inherently a source of security. These days, code security is all over the news, but not all of the major attacks companies face are related to code quality (see below). An attacker will systematically try to exploit defects and vulnerabilities, so when it comes to code quality, an attacker will look for weak pieces of code through which to penetrate a system with malicious intent. If all of the code has been written following best practices, meaning that 100% of possible scenarios have been reviewed and the function is bulletproof, then attacks related to code quality will not be possible.
We know now that if exhaustive testing has been performed, then any malicious attack should fail. Then why are there still so many vulnerabilities after nearly half a century of software development? The issue is that we still test imperfectly: testing is not yet carried out with an industrial, zero-defect approach. Even Fortune 500 companies and tech leaders carry out extensive testing, but they do not take into consideration the quality of those tests or how many scenarios have actually been envisioned during the testing phase. The only metric driving our industry to this day is test coverage, which is simply a measure of how much of the code is exercised by a test. The term coverage for compliance, or artificial coverage, is now becoming the new taboo word among software engineering teams.
For Ponicode, our approach to code security was to build a testing tool that uses the power of artificial intelligence to cover the scenarios that software engineers might not think of, thus covering the most unlikely vulnerabilities that attackers might be looking for.
Testing every component for maximum security
At Ponicode, we assist developers with more brain power. Thanks to artificial intelligence, we try to suggest the full scope of scenarios and help them to test as thoroughly as possible. Well tested code is, by definition, code where every single function fulfils what it has been designed for, efficiently and even in the most unlikely scenarios. With well tested code, we can systematically protect software from bugs and weaknesses, and consequently from the negative impact they could have on end users.
The test-every-unit method is inherited from the zero defect approach that the manufacturing industry adopted decades ago. It consists of systematic testing of each unit or component of a product before assembly. Thanks to unit testing, you reduce the risk of finding defects later on in the production line, or even after delivering your product. With this unit-based approach to testing, we believe we can enable developers to create code that cannot fail, no matter the type of input it is being fed. It means building secure code at scale and ensuring the flawlessness of code as it is being written.
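As an added illustration (not Ponicode's code) of the gap between coverage for compliance and scenario coverage described above, and of the test-every-unit idea: a small Python username validator with a deliberate edge-case bug beside its fixed form, a minimal `sys.settrace` tracer standing in for a coverage tool, and a constructed list of boundary scenarios. The validator, its contract and every input are assumptions made for the example.

```python
import dis
import re
import sys

def is_valid_username(name):
    # Buggy version: '$' in re.match also matches just before a trailing
    # newline, so "alice\n" is accepted although the contract forbids it.
    if not isinstance(name, str):
        return False
    return re.match(r"^[a-z0-9_]{3,16}$", name) is not None

def is_valid_username_fixed(name):
    # fullmatch anchors at the true end of the string, closing that gap.
    if not isinstance(name, str):
        return False
    return re.fullmatch(r"[a-z0-9_]{3,16}", name) is not None

def line_coverage(func, inputs):
    # Minimal sys.settrace tracer standing in for a coverage tool: returns
    # the fraction of func's bytecode-bearing lines executed over inputs.
    first = func.__code__.co_firstlineno
    executable = {ln for _, ln in dis.findlinestarts(func.__code__)
                  if ln is not None and ln != first}
    hit = set()
    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:
            return None
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        for value in inputs:
            func(value)
    finally:
        sys.settrace(None)
    return len(hit & executable) / len(executable)

# "Coverage for compliance": one input per branch executes 100% of the lines.
HAPPY_PATH = ["alice", "ab", 42]
# Constructed boundary scenarios with the verdict the contract requires
# (3 to 16 characters from [a-z0-9_]); a coverage figure never asks for them.
SCENARIOS = {"abc": True, "a" * 16: True, "ab": False, "a" * 17: False,
             "Alice": False, "ali ce": False, "alice\n": False, "": False,
             None: False, "alic\u00e9": False}

def missed_scenarios(func):
    # Scenario inputs on which func disagrees with the contract.
    return sorted(repr(k) for k, want in SCENARIOS.items() if func(k) != want)
```

Both validators reach 100% line coverage on `HAPPY_PATH`, yet only the scenario list exposes that the buggy one accepts a username ending in a newline.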
What the Ponicode team does is investigate how AI can be leveraged to reduce the time and resource constraints that get in the way of exploring the endless possible scenarios in an increasingly complex codebase.
Ponicode augments software engineers' brainspace to build secure code
There are a few key sources of security flaws in our software:
- The bug-related security flaws mentioned above.
- Information leaks inside the codebase that result in sensitive information being exposed to attackers. These leaks can be prevented thanks to secret detection tools such as GitGuardian (which we use at Ponicode). Secret detection tools continuously scan code to check for any sensitive piece of information being pushed into production.
- Vulnerabilities created by mistakes in the setup of networks. Since software and devices are increasingly interconnected over networks, there is a significant amount of complex setup involved. When the setup has been done incorrectly, it can create a breach that serves as an entryway for attackers.
These three types of flaws underline one thing: it is always where you find the greatest amount of human intervention that you find the biggest weaknesses. Humans do not scale and are far from flawless; that is why tools which reduce the space for mistakes are key elements of a successful code security strategy.
From assistance with Ponicode to automation with GitGuardian, we are finding new ways to bring more exhaustiveness and velocity to the work of software engineers, to ensure that the work is done well and efficiently, and is never forgotten or set aside.
When it comes to human imperfection, we concluded very early in our journey that artificial intelligence is part of the solution. It can remove the dependence on human intervention, or make human work more exhaustive, thus enabling robust and safe software development.
Today, shift-left security and DevSecOps are key
Shift-left and DevSecOps are focused on the same goal: finding ways to build industrial-grade software.
On the one hand, DevSecOps is a set of practices for developers: patterns and methodologies to ensure that engineers write code to the highest standards, along with tools to follow up and monitor that these practices are respected.
On the other hand, the shift-left approach is a zero-defect approach to software development which promotes testing as early and as often as possible, to reduce the weight of late testing and the risk of detecting vulnerabilities after release.
Both approaches take the stand that thorough testing is key to building secure code. They take the reality of human imperfection in the development lifecycle and try to solve it, whereas other approaches simply push developers to be better without taking the developer's limits into account.
When it comes to security and quality, we believe that unit testing is key because it comes early in the development process. However, our ambition goes beyond this: the scope of our work is to be beautiful code enablers, and we are already investigating how our AI-powered unit testing tool can be enhanced by security pattern reviews, or how we can use AI to boost penetration tests, intrusion tests, etc.
Today, the cost of bad code is estimated to be above $85 billion a year, and debugging costs up to $300 billion a year to both public administration and private companies. Meanwhile, software engineers are expected to deliver more and feel the pressure to produce new software at a higher level of quality, yet they are not receiving any help to let them do so. Company security and reputation, as well as their clients' safety, are jeopardised by this situation, and the impact of providing proper tooling to produce secure, quality code is critical. Today, there is little awareness of how to connect these new tools with those who so desperately need them. Why leave a few organisations to build their competitive advantage when we can share these tools with such a wide audience ourselves? Companies who enable their engineers to produce high-quality and secure code at scale are rewarded with easily increased market share and a booming turnover. You can be one of them.
We can see how our first enterprise users are beginning to gain trust and confidence in the software they manufacture. Our industry is seeking industrial-grade quality and security labels which will enable companies to give their best effort towards delivering bulletproof software.
The future looks bright, and the direction our industry is headed in is encouraging. The key to our success now is moving forward, fast.