The cost of writing unsafe code
As Freecodecamp wrote in its article, "A hacker stole $31M of Ether — how it happened, and what it means for Ethereum":
This is another example that demonstrates the cost of writing UNSAFE code. Or, looked at the other way round, how every dollar spent on code security is well spent and can generate a great payoff.
How do you secure your code?
- code review by peers?
- DevSecOps?
- Static code analysis?
- Praying (aka "do nothing")?
Let's analyze the three methods and see the PROS/CONS of each.
- While it is true that the human brain is definitely the most advanced computer that you can currently find, by means of creativity and of being able to find what is unobvious, it is also true that everything human is inconstant and prone to what is called human error. Moreover, conducting team code review by peers is a long and tedious task and carries a lot of cost in terms of man-hours diverted from the production of code. This is a good approach when the amount of code is not too big (like <1MLOC). PROS: human-brain based: powerful - CONS: human-brain based: inconstant and time consuming
- DevSecOps (aka. the Krav Maga of Security - ref: http://www.devsecops.org/blog?tag=DevSecOps+Explained) is a process, a mentality, that is the best you can achieve in your company, but like "DevOps" it is a long process that consists of several little steps. PROS: it's the best goal you can achieve in terms of code security - CONS: it's a philosophy, it's a set of processes, it is a long journey and must be embraced by all the staff
- Static Code Analysis (SAST): this is a concrete, tactical and easy step that can be easily introduced by every development team. It basically consists of a tool that analyzes your code automatically, and more or less transparently, and warns you about instructions or patterns that are potentially unsafe. It is like the filter you put on your tap. Easy and efficient: you can drink the water out of your tap. You don't change your habits about how you get the water, but you are safe and sure your water has been cleaned. Of course the result in this context depends on the "quality" of your filter. In order to choose the best "filter" you can always look at what analysts like Gartner say in the "Magic Quadrant for Application Security Testing". PROS: very effective and easy to adopt in every organization - CONS: it is just the first step in your DevSecOps journey
- Do nothing: it's always the biggest competitor in front of every possible need for change. Human beings are always prone to "do nothing", but in many cases this solution leads to the result of the article I pointed out.
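To make the "filter" idea of SAST concrete, here is a small added example (not code from the original post, and not any of the commercial tools the Gartner quadrant ranks): a toy checker, given the hypothetical name "minisast", that parses Python source into an AST and reports a handful of well-known risky call patterns (eval/exec, unpickling, unsafe YAML loading, shell=True subprocesses). The sample source it scans is constructed for this example. Note how the same checker stays silent for the safe variants (no shell=True, SafeLoader), which is exactly the "quality of the filter" point: a rule that only matches `pickle.loads` by name would miss `import pickle as p`, so real tools resolve imports and track data flow rather than matching names.

```python
"""minisast: a toy static-analysis (SAST) checker for Python source.

Added example, hypothetical tool; it demonstrates the idea of a pattern-based
filter, not the engine of any real product.
"""
import ast

# Rule table: dotted call name -> (rule id, message). Ids are made up for this example.
CALL_RULES = {
    "eval": ("PY001", "eval() executes arbitrary code; parse the input instead"),
    "exec": ("PY002", "exec() executes arbitrary code"),
    "pickle.loads": ("PY003", "unpickling untrusted data can execute code"),
    "yaml.load": ("PY004", "yaml.load without SafeLoader can construct arbitrary objects"),
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}


def _call_name(node):
    """Return the dotted name of a call target ('pickle.loads', 'eval'), or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if parts and isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _keyword(node, name):
    """Return the AST value of keyword argument `name`, or None."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _has_shell_true(node):
    val = _keyword(node, "shell")
    return isinstance(val, ast.Constant) and val.value is True


def _uses_safe_loader(node):
    val = _keyword(node, "Loader")
    return isinstance(val, ast.Attribute) and val.attr == "SafeLoader"


def scan_source(source, filename="<string>"):
    """Scan Python source text; return [(rule_id, line, message)] sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in CALL_RULES:
            if name == "yaml.load" and _uses_safe_loader(node):
                continue  # safe variant: no finding
            rule, msg = CALL_RULES[name]
            findings.append((rule, node.lineno, msg))
        elif name in SUBPROCESS_CALLS and _has_shell_true(node):
            findings.append(("PY005", node.lineno,
                             "subprocess with shell=True: command injection risk"))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample input: three risky calls and two safe counterparts.
SAMPLE = '''\
import pickle, subprocess, yaml

def load_settings(blob):
    return pickle.loads(blob)

def run(cmd):
    return subprocess.run(cmd, shell=True)

def safe_run(args):
    return subprocess.run(args)

def parse(text):
    return yaml.load(text, Loader=yaml.SafeLoader)

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for rule, line, msg in scan_source(SAMPLE, "sample.py"):
        print(f"sample.py:{line}: {rule}: {msg}")
```

Running the block prints three findings (lines 4, 7 and 16 of the sample) and nothing for the two safe functions. The checker is deliberately a "first step": it has no notion of where the data comes from, so it flags every `eval`, even on a constant, and it misses aliased imports; that is the trade-off between a cheap, transparent filter and the deeper review a DevSecOps process adds on top.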
What are your thoughts?