A key concept of making security invisible to developers is to create an environment where 'most of the time' they don't have to care about security, and the only time they need to pay attention is when they create a security vulnerability.
Here is a PoC of what the developer's experience should be:
The key technologies used to create this are:
- O2 Platform - glue it all together and REPL script environment
- Roslyn - code compilation (by Microsoft)
- Cat.NET - SAST security scanner (by Microsoft)
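To make the pipeline concrete, here is an added example (not O2 Platform or Cat.NET code): it parses and compiles a C# snippet in memory with Roslyn and, in the same pass, runs a small hand-written syntax rule that stands in for the Cat.NET engine, so the developer gets a compiler error and a security finding with the same immediacy. It assumes the Microsoft.CodeAnalysis.CSharp package is referenced; the `Source` snippet and the rule are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

static class RealTimeFeedback
{
    // Constructed sample: what a developer might have in the editor right now.
    const string Source = @"
class Repo {
    public string FindQuery(string name) {
        return ""SELECT * FROM Users WHERE Name = '"" + name + ""'"";
    }
}";

    static void Main()
    {
        foreach (var line in Review(Source)) Console.WriteLine(line);
    }

    // One line per compiler error and per security finding; an empty list means 'green'.
    public static List<string> Review(string source)
    {
        var findings = new List<string>();
        var tree = CSharpSyntaxTree.ParseText(source);
        var refs = new[] { MetadataReference.CreateFromFile(typeof(object).Assembly.Location) };
        var compilation = CSharpCompilation.Create("Snippet", new[] { tree }, refs,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));

        // 1. Compiler errors, exactly what Roslyn hands the IDE (the 'reds' a developer already knows).
        foreach (var d in compilation.GetDiagnostics().Where(d => d.Severity == DiagnosticSeverity.Error))
            findings.Add($"compile {d.Id} line {Line(d.Location)}: {d.GetMessage()}");

        // 2. Stand-in SAST rule (hypothetical, not a Cat.NET rule): a string that starts with a SQL verb
        //    is concatenated with something that is not a literal, i.e. SQL built from dynamic input.
        var outerAdds = tree.GetRoot().DescendantNodes().OfType<BinaryExpressionSyntax>()
            .Where(b => b.IsKind(SyntaxKind.AddExpression)
                        && !(b.Parent is BinaryExpressionSyntax p && p.IsKind(SyntaxKind.AddExpression)));
        foreach (var b in outerAdds)
        {
            var parts = Flatten(b).ToList();
            bool sqlText = parts.Any(e => e is LiteralExpressionSyntax l
                                          && l.IsKind(SyntaxKind.StringLiteralExpression)
                                          && IsSqlStart(l.Token.ValueText));
            bool dynamic = parts.Any(e => !(e is LiteralExpressionSyntax));
            if (sqlText && dynamic)
                findings.Add($"security line {Line(b.GetLocation())}: SQL text concatenated with a " +
                             "non-literal value (possible SQL injection); use a parameterised query");
        }
        return findings;
    }

    // Splits a + b + c into its operands so each side of the concatenation can be inspected.
    static IEnumerable<ExpressionSyntax> Flatten(ExpressionSyntax e) =>
        e is BinaryExpressionSyntax b && b.IsKind(SyntaxKind.AddExpression)
            ? Flatten(b.Left).Concat(Flatten(b.Right)) : new[] { e };

    static bool IsSqlStart(string s) =>
        new[] { "SELECT ", "INSERT ", "UPDATE ", "DELETE " }
            .Any(k => s.TrimStart().StartsWith(k, StringComparison.OrdinalIgnoreCase));

    static int Line(Location loc) => loc.GetLineSpan().StartLinePosition.Line + 1;
}
```

Run against the sample it reports no compiler errors and one security finding on the `return` line; hooked to an editor's text-changed event, the same `Review` call is what turns the feedback from a periodic scan into the real-time 'greens and reds' described above.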
Here are a number of posts and videos on this topic:
- Real-time Vulnerability Creation Feedback inside VisualStudio (with Greens and Reds)
- This is how we have to show security vulnerabilities to developers (in real time as they are created)
- Real-Time C# Solution Compilation and Security Scanning (using Roslyn and Cat.NET)
- Running Cat.NET SAST Scanner outside VisualStudio
- 1 line to compile, create and execute: O2 Script to use Roslyn to Dynamically compile and execute a method
- New Reddit Community for Cat.Net
- Using/Consuming Cat.Net's engine inside the O2 Platform (and outside VisualStudio)
- Using Roslyn to Load and (quickly) Compile C# Solution files (outside VisualStudio)
- Video: Real time Vulnerability Scanning using Cat.Net and Roslyn (SAST)
- Secure coding (and Application Security) must be invisible to developers
- Security evolution into Engineering Productivity
- "OWASP O2 Platform - Automating Security Knowledge through Unit Tests" presentation
- We need Security-focused SAST/Static-Analysis rules
- "Making Security Invisible by Becoming the Developer's Best Friends" presentation