SECURITY
Build a static analysis development pipeline
Discover how to build more secure web apps in Tim Armstrong’s new series, which starts with the essentials of static analysis and CI/CD.
Part One!
OUR EXPERT
Tim Armstrong is a former lead engineer turned developer advocate specialising in networking, software development and security. Find him on Twitter as @omatachyru.
QUICKTIPS
When working on a larger change, running the static analysis tools locally before committing can save a lot of time.
If you make big changes frequently, consider adding them to your pre-commit hooks.
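The quick tip above suggests running the static analysis tools locally before committing. As an added example (not from the article), this is a `.pre-commit-config.yaml` for the pre-commit framework that runs flake8 and Bandit on staged Python files; the hook revisions, the `--max-line-length` value and the `src/` layout are assumptions, and the revisions should be pinned to whatever your CI pipeline runs so local and CI results agree.

```yaml
# Added example (not from the article): run the same linters locally as a
# pre-commit hook so that style problems and risky constructs are caught
# before they reach the repository and the CI pipeline.
repos:
  # Style and bug-prone-construct linting.
  - repo: https://github.com/PyCQA/flake8
    rev: 6.0.0                          # assumed version; match your CI
    hooks:
      - id: flake8
        args: ["--max-line-length=100"]  # assumed project convention

  # Security-focused static analysis of the files being committed.
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.4                          # assumed version; match your CI
    hooks:
      - id: bandit
        args: ["-ll"]                   # -ll: report medium severity and above
        files: ^src/                    # assumed source layout
```

Install with `pip install pre-commit` followed by `pre-commit install` in the repository; from then on a commit that fails either hook is rejected until the reported lines are fixed, which is far cheaper than waiting for the CI pipeline to tell you the same thing.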
As a developer or software engineer, finding enough time to clean up technical debt and fix vulnerabilities is difficult. It generally requires that your project manager understands the risks and why prioritising the clean-up of technical debt matters, so that your workplace isn’t the next company to be lambasted in the media for being the target of a cyberattack (or worse, leaking PII client data in a massive security breach). Project managers as a whole have a hard time comparing the risks of an attack to the benefits of a new feature. The feature is quantifiable, while the risk of getting hacked is not (especially if you don’t have the tooling to realise that you’ve been attacked).
This tutorial covers how you can integrate static analysis into your source-code management to identify, quantify, and prevent vulnerabilities in your code while improving general code readability and maintainability. This will enable project managers to obtain insights into any extant vulnerabilities or technical debt in the code, while simultaneously helping developers and engineers write better code. We’ll be focusing on Python, but there are alternatives to any tooling used for every language.
The tutorial will also be using GitLab as the source-code host and CI/CD solution. This keeps things approachable without the cost or complexity of closed-source platforms.
Because this tutorial isn’t about GitLab’s built-in one-click solutions (although these can be a good place to start if you don’t have time to set up your own pipeline), the final result of this tutorial is a functional static analysis stage for a CI/CD pipeline, along with an understanding of what you can gain from building this into your workflow.
Linting hell
The first stage of any good pipeline is linting. This is a form of static analysis that dates back to the 1970s, and is one of the most useful and versatile methods of identifying and preventing bugs in code before they reach production. Lint derives its name from the fluff that forms pill-shaped “bugs” on clothing. It should come as no surprise then that the goal of linting is to find bugs (speaks for itself), stylistic errors (clean code is easier to spot flaws in during peer reviews), and potentially vulnerable constructs (such as code open to injection attacks).
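The introduction sets out to build a static analysis stage for a GitLab CI/CD pipeline, and this section names linting as that first stage. As an added example (not the article’s own pipeline), here is a `.gitlab-ci.yml` with a `static-analysis` stage that runs flake8 for style and bug-prone constructs and Bandit for security findings, ahead of the test stage; the Python image, the `src/` and `tests/` layout, the tool choice and the `--max-line-length` value are assumptions.

```yaml
# Added example (not from the article): a GitLab CI pipeline whose first
# stage is static analysis. Both linting jobs must pass before tests run,
# so style problems and risky constructs block a merge early and cheaply.
stages:
  - static-analysis
  - test

default:
  image: python:3.11-slim             # assumed interpreter version

# Style and bug-prone-construct linting. A non-zero exit fails the job.
lint:
  stage: static-analysis
  before_script:
    - pip install --quiet flake8
  script:
    - flake8 --max-line-length=100 --statistics src/ tests/   # assumed layout

# Security-focused static analysis. The JSON report is kept as an artifact so
# findings can be reviewed, counted and trended over time, which is what gives
# a project manager a quantifiable view of the code's security debt.
security-scan:
  stage: static-analysis
  before_script:
    - pip install --quiet bandit
  script:
    - bandit -r src/ -f json -o bandit-report.json
  artifacts:
    when: always                      # keep the report even when findings fail the job
    paths:
      - bandit-report.json
    expire_in: 1 week

# Tests only run once both static-analysis jobs have passed.
unit-tests:
  stage: test
  before_script:
    - pip install --quiet -r requirements.txt pytest   # assumed requirements file
  script:
    - pytest -q
```

Bandit exits non-zero when it reports findings at or above its default severity, so a new risky construct fails the pipeline rather than being silently logged; if you want the stage to be advisory while a codebase is being cleaned up, add `allow_failure: true` to the `security-scan` job and tighten it once the backlog is cleared.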