I read an article a few days back about static code analysis, and it kept me thinking for a few days about static code analysis and all the other “things” around it: integrating security into the SDLC, security code review, and the big one, getting developers to write and care about secure code.
The author of the article was spot on in identifying what went wrong with static code analysis tools. However, I think there are a number of psychological issues standing between the developer and the static code analysis tool.
Developers don’t like to be told what to do.
Isn’t that why they chose programming as a career in the first place? So that they could choose how to program a certain module and architect the application the way they think is best? Software programming is definitely creative work, maybe not to end users, who wouldn’t tell the difference between a well-designed, well-programmed piece of software and another one until one of them crashes. If software programming is creative work and programmers are creative people, then everyone knows that creative people don’t like to be told what to do.
The problem is that security experts, and the tools they create, simply ignore this fact and try to tell creative developers what to do. They also ignore that developers are the ones behind the software the security experts are trying to secure, and behind the software that makes up the static code analysis tools themselves.
Developers are creators of magic, and security is… boring.
Developers like to think of themselves as creators of magic, the magic of making things happen. Developers look at software security as the thing that prevents them from creating this magic. If security and its tools, including static code analysis, prevent developers from creating magic, then developers will simply ignore them.
Developers are passionate people.
Constraints kill them, unless the constraint is given to them as a challenge to solve; then it is a totally different game. Developers are not lacking brain power, and I think they should be given the upper hand in securing their own software. Developers see security as one extra step to “do” before their creations see the light of day. Guess what? They will not like that!
Don’t get me wrong, static code analysis tools are God’s gift to us all in the software field, right after cheeseburgers and Star Wars. But if the software security industry in general, and static code analysis in particular, doesn’t do more to empower developers to take steps towards fixing their own apps, I don’t think there is any chance of getting wide-scale adoption of secure coding by developers.