Continuous Assurance: Bringing Static Analysis into Modern DevOps

MuseDev Musings · Published Jun 22, 2020

By Stephen Magill, CEO MuseDev

Over the past two decades, agile practices have transformed software development by bringing automation, integration, and consistency to a previously disjointed set of tools and processes. Through Continuous Integration and Continuous Delivery pipelines, this modernization has dramatically improved the efficiency and effectiveness of development. These agile practices, tools, and culture today are collectively referred to as DevOps, and organizations of all shapes and sizes are adopting DevOps at a breakneck pace.

But one area of software development has lagged behind: static analysis. It has remained stubbornly stuck in waterfall practices, where security teams run their tools, sort through piles of false positives, file issues, and plead with developers to fix security bugs long after those developers have moved on to new code.

The good news? Change has been brewing.

Facebook and Google were at the forefront of this transformation, recognizing that the human-driven process does not scale and searching for alternatives. These companies eventually transformed code analysis within their organizations by integrating it into the developer flow, enabling their teams to quickly identify and remediate errors as part of code review. Facebook published their approach, describing how they delivered deep code analysis at scale, while Google shared insights on crowdsourcing analysis within their teams, detailing the tight feedback loop they use to identify and adjust analyzers that are too noisy. Amazon has also been advancing its automated compliance strategy through automation of formal verification techniques — a powerful human-assisted form of static analysis. Meanwhile, banks have taken a lead role in leveraging controls in the DevOps pipeline to streamline governance workflows, with Capital One and PNC bringing automated compliance into their DevOps practices to ensure compliance with internal standards and external certifications.

Understanding Continuous Assurance

Continuous Assurance is the modern DevOps-driven approach to software quality, security, and compliance, whereby various quality and security controls, including static code analysis, are fully automated and tied into the software development process, allowing developers to identify and remediate quality and security errors without breaking their flow.

And while these large enterprises have implemented Continuous Assurance at scale, the practice is available for teams of all sizes.

Teams that have implemented Continuous Assurance have incorporated three essential elements:

  • Integrated: Code scanning results are delivered within the code review process and focused on changed code, so developers can triage and fix issues in their existing workflow without disrupting their flow.
  • Collaborative: Not just developers, but stakeholders across all disciplines, including security, QA, compliance, etc., are able to participate in the development of code analyzers and other quality and security control mechanisms that achieve their goals.
  • Iterative: Developer feedback on the usefulness of each reported error is captured so stakeholders can continuously adapt and evolve their analyzers to increase signal and reduce noise. Statistics on overall issue rates, checks performed, and sign-offs on exceptions are collected to support compliance efforts.
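The "focused on changed code" part of the Integrated element is what keeps a review from drowning in the pre-existing backlog: the analyzer may run over the whole repository, but only findings that land on lines the pull request touched are surfaced as review comments, and the rest are tracked separately. The following is an added example of that filtering step, written for this article; it is not MuseDev's code or the Muse platform's implementation. It parses a unified diff to learn which new-side lines each file changed, then partitions analyzer findings into "show in review" and "backlog". The diff, the findings and the rule identifiers are constructed for illustration.

```python
"""Diff-aware filtering of static-analysis findings for code review.

Added example, not MuseDev code. Parses a unified diff to find which
lines a change touched, then keeps only the findings on those lines so
reviewers see new problems rather than the whole pre-existing backlog.
"""
import re
from dataclasses import dataclass

# Hunk header: "@@ -old_start[,old_count] +new_start[,new_count] @@ ..."
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


@dataclass(frozen=True)
class Finding:
    """One analyzer result (a SARIF-like minimum: location + rule + text)."""
    file: str
    line: int
    rule: str
    message: str


def changed_lines(diff_text: str) -> dict[str, set[int]]:
    """Map each file in a unified diff to the new-side line numbers that
    were added or modified ('+' lines). Context and removed lines do not
    count. Hunk line counts are used to decide what is hunk body, so a
    removed line that happens to start with '--' is not mistaken for a
    file header."""
    changed: dict[str, set[int]] = {}
    current = None            # path of the file whose hunks we are in
    new_line = 0              # new-side line number of the next body line
    remaining_old = remaining_new = 0
    for raw in diff_text.splitlines():
        if remaining_old > 0 or remaining_new > 0:
            if raw.startswith("\\"):      # "\ No newline at end of file"
                continue
            if raw.startswith("+"):
                if current is not None:
                    changed[current].add(new_line)
                new_line += 1
                remaining_new -= 1
            elif raw.startswith("-"):
                remaining_old -= 1        # removed: no new-side number
            else:                         # context line
                new_line += 1
                remaining_old -= 1
                remaining_new -= 1
            continue
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0].strip()
            current = None if path == "/dev/null" else path.removeprefix("b/")
            if current is not None:
                changed.setdefault(current, set())
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(3))
            remaining_old = int(m.group(2)) if m.group(2) is not None else 1
            remaining_new = int(m.group(4)) if m.group(4) is not None else 1
    return changed


def split_findings(findings, changed):
    """Partition findings into those on lines this change touched (surface
    in review) and everything else (pre-existing backlog)."""
    in_review, backlog = [], []
    for f in findings:
        (in_review if f.line in changed.get(f.file, set()) else backlog).append(f)
    return in_review, backlog


def review_comments(findings):
    """Render findings as the path:line comments a review bot would post."""
    return [f"{f.file}:{f.line} [{f.rule}] {f.message}" for f in findings]


# Constructed sample diff: one file rewrites a parameterised query into
# string concatenation; another bumps a version constant.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,5 +10,6 @@ def get_user(conn, name):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    query = "SELECT * FROM users WHERE name = '" + name + "'"
+    cur.execute(query)
     row = cur.fetchone()
     cur.close()
     return row
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,3 +1,3 @@
 import hashlib
-VERSION = "1.0"
+VERSION = "1.1"
 DEBUG = False
"""

# Constructed analyzer output; rule names are illustrative, not a real tool's.
SAMPLE_FINDINGS = [
    Finding("app/db.py", 12, "py/sql-injection", "Query built by concatenation reaches execute()"),
    Finding("app/util.py", 2, "py/version-bump", "VERSION changed; update CHANGELOG"),
    Finding("app/db.py", 30, "py/unused-import", "'os' imported but unused"),
    Finding("app/util.py", 1, "py/weak-hash", "hashlib.md5 used for integrity check"),
]

if __name__ == "__main__":
    new, old = split_findings(SAMPLE_FINDINGS, changed_lines(SAMPLE_DIFF))
    print("\n".join(review_comments(new)))      # two comments on changed lines
    print(f"{len(old)} pre-existing findings deferred to backlog")
```

The weak-hash finding on an untouched line is the kind of result that a waterfall scan would file as a ticket and a review-integrated scan deliberately leaves in the backlog; the point of the split is that the developer who just introduced the concatenated query sees that finding on the line they wrote, while the backlog is burned down as that code is next edited.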

Who benefits from Continuous Assurance?

Any development team benefits from Continuous Assurance, but mid to large enterprises gain massive efficiencies while improving their code quality and security. Teams that appreciate the value of static analysis tools but dread the thought of using them are ideal candidates to bring Continuous Assurance into their development practices.

Continuous Assurance brings three key benefits to software teams:

  • More bugs get fixed, and at a lower cost. Research shows that bugs reported during code review get fixed at a dramatically higher rate and at a fraction of the cost of bugs filed as issues by security or QA teams.
  • Overall code quality and security improve over time. As developers work in the code to add features, improve performance, or shift architecture, that code gets analyzed by all of the tools within the Continuous Assurance process. This gradually eliminates bugs and raises the quality of the codebase, without requiring an out-of-band effort.
  • Teams work better, together. For too long, development and security teams have worked at cross-purposes, developers trying to push code fast and security teams trying to stop vulnerabilities. Developers are the only ones who can actually fix the bugs, so it’s critical to have a unified approach that integrates security and associated tooling into the development process. Doing so gives security, QA and development teams a seamless workflow, ensuring they deliver secure and reliable code, fast.

Adopting Continuous Assurance

Continuous Assurance, like other DevOps practices, enables organizations to deliver more secure and better-performing code faster and more efficiently. These practices can be adopted incrementally or deployed as part of a broader transformation of software development and delivery practices. The important thing is to have a plan for ratcheting up automation of security and quality processes, letting tooling directly perform checks and manage workflows wherever possible.

With ample research and successful case studies to pave the way, organizations of all sizes can adopt these practices to bring Continuous Assurance to their organizations.

About the Author

Stephen Magill, CEO of MuseDev, is a world-recognized expert on program analysis. Previously a principal scientist at Galois and a research scientist at the Institute for Defense Analyses Center for Computing Sciences, he earned his Ph.D. and M.S. in Computer Science from Carnegie Mellon and has published a wide range of work in R&D and program analysis.

About MuseDev

Muse is a Continuous Assurance Platform that integrates into the developer workflow, continuously analyzing code for new bugs and delivering results as code review comments alongside your team.
