Original Post: When DevSecOps goes wrong
The growing trend of integrating security into the development process, commonly referred to as DevSecOps or "shift left," appears to be more favored by security teams than developers. Developers often find security measures cumbersome and arduous. An illustrative example from the 2019 UK government security evaluation of Huawei showed developers substituting unsafe functions with supposedly safer ones using #define, though this approach proved insufficient.
The report noted significant unsafe function calls remained, highlighting that renaming functions isn’t enough for security. Huawei’s challenge in enforcing secure coding practices is not unique; most companies outside top tech giants like FAANG struggle similarly. Suggestions to bridge the gap between developers and security teams include ensuring security checks are fast and non-disruptive, providing early feedback, and offering automatic fixes.
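As an added illustration, not code from the post or from the Huawei report: a hypothetical #define of the kind described above, which routes strcpy to strncpy with a sizeof-derived bound, beside a replacement that takes an explicit size. The macro and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical textual "fix" of the kind the post warns about: strcpy is
 * routed to strncpy with a length taken from sizeof(dst). This is a
 * constructed example, not the code from the report. */
#define SAFE_STRCPY(dst, src) strncpy((dst), (src), sizeof(dst))

/* The length the macro actually passes when dst is a local array. */
size_t limit_for_array(void) {
    char buf[16];
    (void)buf;
    return sizeof(buf);               /* 16: the real buffer size */
}

/* The length it passes when dst is a pointer parameter: sizeof(char *),
 * which has nothing to do with the destination buffer's size. */
size_t limit_for_pointer(char *dst) {
    return sizeof(dst);               /* pointer size, e.g. 8 on x86-64 */
}

/* Even with the right length, strncpy omits the terminator when src fills
 * the buffer. Returns 1 if the copy is NUL-terminated, 0 if it is not. */
int macro_copy_terminated(const char *src) {
    char buf[8];
    SAFE_STRCPY(buf, src);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* A replacement that is actually bounded: explicit destination size,
 * always NUL-terminated, and truncation is reported to the caller.
 * Returns 0 on a complete copy, 1 if truncated, -1 if dstsize is 0. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (dstsize == 0) return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}
```

The macro still compiles and still looks "safe" at the call site, which is why a source-level rename alone does not remove the unsafe behaviour.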
For assessing and pinpointing insecure code such as strcpy usage in large codebases, tools like ripgrep and Semgrep can be helpful, with Semgrep offering more precision despite some parsing limitations.