"We take source code, and do the analysis on 10 or 100 lines of code, allowing the developers to see the vulnerabilities at a very early stage," said Amit Ashbel, director of product marketing at Checkmarx. "And then we take them to a brief, five to 10 minute session on how to fix the code. We show them how to hack the code, and they can try it in real time. Then they understand what that vulnerability could have exposed their code to."
As a result, the learning is delivered exactly when the developers need it most, he said.
"They don't have to move away from their desk; they don't have to spend too much time sitting in a room and listening to lectures," he said. "I think this is the way to do secure coding education."
On the issue of whether the product is more helpful or more annoying, he pointed to its page on Gartner PeerInsights, where the reviews were very positive.
"What I like most is the level of adoption usage and impact within our engineering department the product has made," wrote one CISO at a large manufacturing company.
"The feedback from our developers had been very positive, which has aided our adoption of code scanning as a routine activity," wrote a technical specialist at a large financial firm.
Early-stage testing can miss big problems
The security testing that takes place while code is being written is a type of static analysis.
Static analysis tools look only at the code as it is written, without executing it; dynamic analysis follows the program's actual flow of logic as it runs. That is why static analysis can miss many problems.
"The tools can only protect against errors that have certain patterns that they know about," said Mike Milner, co-founder and CTO at Immunio, which offers run-time application security detection.
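The limitation Milner describes, as an added illustration that is not from the article or from any vendor it mentions: a pattern-based static rule run over constructed snippets catches untrusted input concatenated directly into a query, but misses the same flaw once the value passes through a variable, while a run-time taint marker (a hypothetical helper, standing in for run-time detection) flags the query however it was built.

```python
import re

# Constructed sample snippets (not from the article) that a scanner might run over.
# The third spreads the same flaw as the first across two lines.
SAMPLES = {
    # Untrusted input concatenated straight into the execute() call.
    "direct_concat": 'cursor.execute("SELECT * FROM users WHERE name = \'" + request.args["name"] + "\'")',
    # Parameterised query: the driver keeps data and SQL apart.
    "parameterised": 'cursor.execute("SELECT * FROM users WHERE name = %s", (request.args["name"],))',
    # Same flaw as the first, but the tainted string reaches execute() through a variable.
    "indirect_concat": 'q = "SELECT * FROM users WHERE name = \'" + name + "\'"\ncursor.execute(q)',
}

# A deliberately naive static rule: an execute() call whose string-literal argument is
# followed by a + operator. It knows one textual pattern and nothing about data flow.
SQLI_PATTERN = re.compile(r'execute\(\s*".*"\s*\+')


def static_scan(source: str) -> bool:
    """Pattern-based static check: True if any single line matches the known-bad shape."""
    return any(SQLI_PATTERN.search(line) for line in source.splitlines())


def scan_all() -> dict:
    """Run the static rule over every sample; the indirect case is the false negative."""
    return {name: static_scan(src) for name, src in SAMPLES.items()}


class Tainted(str):
    """Hypothetical run-time marker for untrusted input. Concatenation keeps the marker,
    so the taint follows the value however the source code is laid out."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def build_query(name) -> str:
    """Mirrors the 'indirect_concat' sample: the flaw sits in a helper, not at the call site."""
    q = "SELECT * FROM users WHERE name = '" + name + "'"
    return q


def runtime_guard(query) -> bool:
    """Stand-in for a run-time check in front of execute(): a query string that still
    carries taint was built from untrusted input, whatever the source text looked like."""
    return isinstance(query, Tainted)
```

`scan_all()` returns True only for `direct_concat`, while `runtime_guard(build_query(Tainted("alice")))` is True because the taint survives the concatenation the static rule never saw.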
Meanwhile, as more companies move to agile development, dynamic analysis tools are identifying problems more and more quickly.
"You write and deploy several times a day," he said, "so it becomes a development tool."
When companies first began moving from traditional waterfall development to agile, security was often sidelined, said Mike Kail, chief innovation officer at Cybric, which offers a service that scans code whenever a developer commits it to GitHub or Bitbucket, using Veracode or other commercial and open source vulnerability scanners.
"Currently, companies are testing for SQL injections or cross-site scripting once a week, or maybe once a quarter," he said. "We need to make this a continuous process because the hackers are attacking companies continuously."
It makes sense to have security testing tools as part of the software development process -- but not during the writing phase, said Brian Doll, vice president of marketing at SourceClear, which instead makes tools that look for open source security vulnerabilities during the build process.