Static Code Analysis: An Overview
Static Code Analysis (or Source Code Analysis) is a fundamental part of a code review. It is typically carried out by the security team after their usual testing and aims to flag any possible vulnerabilities within the source code.
It is considered so effective that the UK Defence Standard requires Static Code Analysis to be used on all software in defence equipment.
In a DevSecOps environment, this analysis is run during the software development phase itself, giving the developer immediate feedback on issues they may be introducing as they write the code. This ‘instant gratification’ is far more useful than finding vulnerabilities much later in the development cycle (and the headaches and arguments that ensue).
STRENGTHS:
- Can be run on many different types of software and scales very well
- Can find some flaws automatically with very high confidence, making a developer’s life easier
WEAKNESSES:
- Many types of security vulnerability, authentication problems for example, are difficult to find automatically
- Can’t find flaws such as configuration issues, or anything else that is not represented in the code
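As an added illustration (not part of the original article), here is a minimal Python static checker that walks a program's AST and reports two patterns it can flag with high confidence: `eval()` of dynamic code, and a `subprocess` call with `shell=True` whose command string is built at runtime (a literal command with `shell=True` is deliberately left alone). The sample source it scans and the rule names are constructed for this example; a misconfiguration that lives outside the code, the weakness listed above, is invisible to it.

```python
import ast
from dataclasses import dataclass

# Constructed sample source (not from the original page): one safe call and
# two patterns a static analyser can flag with high confidence.
SAMPLE_SOURCE = '''
import subprocess

def list_dir(path):
    return subprocess.run(["ls", "-l", path], capture_output=True)

def run_user_command(cmd):
    return subprocess.run("echo " + cmd, shell=True)

def compute(expr):
    return eval(expr)
'''

@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule identifier
    line: int
    message: str

def _call_name(node: ast.Call) -> str:
    # Dotted name of the callee, e.g. "subprocess.run" or "eval".
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def analyse(source: str) -> list[Finding]:
    # Walk every call in the AST and report the two patterns, sorted by line.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name == "eval":
            findings.append(Finding("EVAL", node.lineno, "eval() of dynamic code"))
        elif name.startswith("subprocess."):
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if shell and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append(Finding("SHELL_INJECTION", node.lineno,
                                        "shell=True with a non-literal command"))
    return sorted(findings, key=lambda f: f.line)
```

Calling `analyse(SAMPLE_SOURCE)` returns two findings, on lines 8 and 11 of the sample; the safe argument-list call is not reported.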
I think ultimately, whilst automation of security testing is what development and security teams are striving towards, given the current state of security tools they should be seen as an aid to security teams/DevSecOps engineers in determining whether code is secure or not, rather than a replacement altogether – a substantial amount of human input is still very much needed (for the time being, anyway).
If you want to find out more, I recommend reading the article linked below:
https://owasp.org/www-community/controls/Static_Code_Analysis
Pair Programming
THE CHALLENGE
Technical interviews are essential for a company’s hiring process and are designed to gauge a candidate’s ability to tackle real-world problems. Hiring Managers devote significant time to assess a potential employee’s experience, knowledge and personality and to try and gain comprehensive insights into their technical skill set and their long-term potential.
However, interviewing, testing and onboarding technical employees can be tedious, especially when there’s limited knowledge about candidate assessments, which further exacerbates the hiring challenges.
So how does one sift through a massive pool of candidates whilst streamlining the technical interview process and improving hiring quality? This is where Pair Programming could come in.
WHAT IS PAIR PROGRAMMING?
Pair programming is a software development practice in which two Developers collaborate on a single workstation at the same time, either in person or remotely.
Each Developer has an alternating role to play. One acts as the driver, who writes the code, and the other acts as the navigator, who reviews the code and provides information and instructions. The pair then switch roles at regular intervals, anywhere from 15 minutes to an hour.
Whilst there are many approaches to Pair Programming, the goals are usually the same:
Two brains are better than one – When two people work together, the code quality increases and fewer mistakes are made than if one person were working alone.
Sharing is Caring – When two people are responsible for building a specific feature, it’s easier for them to spread the knowledge of how that feature works to the rest of the team, meaning more people understand how it works and how to rebuild or refactor it in the future.
It’s for these reasons that Pair Programming could be the answer to a streamlined technical interview process.
ITS ROLE IN THE INTERVIEW PROCESS
During any interview, you want to be able to analyse an individual’s suitability for the role and culture. Not only does Pair Programming provide those answers, it also enables you to gain a technical understanding of their ability and the unique opportunity to see how they work in situ.
The key skills that you’re able to analyse are:
Collaboration – Working alongside someone else gives you the opportunity to see how they operate in a team environment, how they communicate and to see if their personality is suitable. It also gives you the opportunity to provide feedback and see how they deal with criticism.
Problem solving – Development is all about solving problems and it’s what a Developer will be doing in their job every day, so you need to know how they approach the problem, why they approach it that way and the rationale behind their choices.
Code quality – Ultimately, you want a Developer to produce code of the best quality, relevant to their skill set and level. Pair Programming gives you the perfect opportunity to see this, as well as to analyse the clarity, testability and readability of their code.
Learning – Pair Programming can also be a great platform for more junior Developers to learn from those with a lot more experience. Whilst the premise can seem daunting, those with the openness and eagerness to gain knowledge and ask questions show an important trait if you want to create an office environment that breeds creativity and innovation.
CONCLUSION
By no means is Pair Programming the only solution, and it will no doubt have its critics; however, it does offer many benefits that can help speed up the technical interview process. Technical tests are becoming outdated and can often put candidates off altogether, so providing a platform that puts an interviewee at ease whilst benefiting the interviewers might be a step in the right direction.
Tech News
Here’s our latest batch of tech news snippets.
VAARST LAUNCHES TO DRIVE THE FUTURE OF MARINE ROBOTICS THROUGH DATA FOCUS
Bristol-based Vaarst, a spin-off from Rovco, was formally launched last week. Their goal is to revolutionise the offshore robotics sector by providing Artificial Intelligence technology to marine and subsea providers for autonomous robotics work. They’re already predicting revenues of over £1m by the end of 2021!
https://www.techspark.co/blog/2021/04/08/vaarst-launches-marine-robotics/
HIRO CAPITAL PUTS $2.3M INTO TEAM SPORTS TRACKING PLATFORM PLAYERDATA
PlayerData, an Edinburgh-based startup that aims to transform the way amateur and professional sports teams train, has raised £1.7m in its latest funding round. The investment comes from Hiro Capital and former Tesco CEO Sir Terry Leahy and will help to grow their injury prediction software across multiple sports and countries.
CLIM8 PLEDGES TO FIX “DYSFUNCTIONAL” ETHICAL INVESTMENT WORLD WITH NEW APP
After raising almost £6m in funding and 8 months of beta testing, London-based sustainable investing platform Clim8 Invest has successfully launched its brand new app. The app lets consumers invest in companies and supply chains with a focus on tackling climate change.
https://sifted.eu/articles/clim8-launches-sustainable-investing-app/
Stay tuned for the next instalment!
Terraform vs CloudFormation – which is the better tool for IAC?
Infrastructure-as-Code allows teams to manage and monitor infrastructure through source code which can easily be accessed, edited, and improved. IaC is a key DevOps practice as it automates routine tasks and saves time for developers and operations teams, which leads to quicker deployments and continuous delivery.
Two popular configuration-orchestration tools for IaC are Terraform and CloudFormation. Terraform is an open-source infrastructure-as-code tool, while CloudFormation is a service of Amazon Web Services. The role of these tools is to automate the deployment of servers and other infrastructure.
Companies often require experience with IaC when hiring DevOps Engineers, especially with Terraform and CloudFormation, so I have researched these tools and some of their comparisons.
Availability – As Terraform is open-source, it can be used to apply changes across several cloud providers and third-party providers. CloudFormation, however, only manages AWS resources, so a company that is not using AWS infrastructure will not be able to use CloudFormation.
Usability – Handling modules with Terraform is simpler than CloudFormation as they are self-contained and come with native support, whereas CloudFormation lacks a place where templates are shared and leaves it to the user to modularize templates.
CloudFormation has a graphical user interface in which resources can simply be dragged and dropped to deploy, which makes it easy for beginners to use; in contrast, Terraform does not offer a user interface.
Cost – The open-source version of Terraform is free of charge, and problems are generally resolved quickly by the support team. The paid-for Terraform business version offers different support options, including SaaS or private install. CloudFormation is a free AWS service where the level of support included depends on the plan chosen.
The administrative overhead is lower with CloudFormation, as it is a managed service that guides the user through some decisions and offers many possibilities, whereas with Terraform the user is responsible for managing the process.
Speed – CloudFormation can take some time to support new features for existing services whereas Terraform is often faster in supporting new services.
There are many other comparisons that can be made, but I have found they are both considered to be extremely powerful tools and remain the most popular choices for infrastructure-as-code. Although, with the ever-changing world of technology, you never know if there is a newer, better tool just around the corner…
References:
- https://www.infoworld.com/article/3344382/what-is-infrastructure-as-code-a-big-step-up-from-server-scripting.html
- https://www.stratoscale.com/blog/data-center/choosing-the-right-provisioning-tool-terraform-vs-aws-cloudformation/
- https://cloudonaut.io/cloudformation-vs-terraform/
- https://www.porscheinformatik.com/en/cloudformation-vs-terraform/
Tech News
Here is our latest batch of tech news, this week focussing on Bristol.
AJ BELL EYES MOBILE PLATFORM WITH ADALPHA ACQUISITION
Bristol-based Adalpha have been bought by AJ Bell. Adalpha is currently developing a mobile-focused platform for financial advisers, and this recent buyout will enhance AJ Bell’s mobile accessibility for advisers and clients.
UPLAND SOFTWARE ACQUIRES BLUEVENN
Another Bristol company, BlueVenn, has been acquired by Upland Software, which is headquartered in Austin, Texas. The deal will enhance the global reach of Upland, a leading SaaS vendor, and enable it to provide more in-depth data insight.
https://www.businesswire.com/news/home/20210302005743/en/Upland-Software-Acquires-BlueVenn
NEW VENTURE FUND BACKS CYTOSEEK, A STARTUP LOOKING TO GIVE “SUPERPOWERS” TO CANCER-FIGHTING T-CELLS
CytoSeek, a hugely exciting BioTech startup, has recently raised £3.5 million in its latest round of seed funding. The money will help to accelerate the commercialisation of its AI technology, which will be used to discover the potential of immune cell therapies for treating tumours.
https://fortune.com/2021/03/16/cytoseek-t-cells-cancer-venture-fund/
Stay tuned for the next instalment!