
SonarQube & DevSecOps - Improving code quality and security go hand in hand


SonarQube - Static code analysis to enhance the code quality

SonarQube is a platform for centrally managing and continuously improving the code quality of all software development projects.

The core of SonarQube is static analysis of the code base, including SAST (Static Application Security Testing), to identify bugs, vulnerabilities and what SonarQube calls code smells: badly structured segments of code that are hard to maintain and modify. SonarQube supports a large number of programming languages, which distinguishes it from many comparable tools.

At Engel & Völkers, SonarQube is also used to check compliance with shared company coding guidelines. The rules are managed centrally and can be maintained for all projects at once. All this helps to quantify and pay down the so-called "technical debt", even in old "legacy" software.

The results of the static analysis are managed centrally, so that the quality of the code base of all Engel & Völkers software development projects, and how it changes over time, can be tracked at a glance. This not only helps developers improve the software but also gives managers a quantified view of the current state. At Engel & Völkers, good code quality and easy maintainability are not achieved through static code analysis alone; it is supplemented by peer reviews and pair programming.

What does that have to do with information security?

With SonarQube we advance two goals for our software at once: general code quality and the development of secure software. The rule set also checks security requirements, for example flagging the use of insecure APIs, weak or outdated cryptography, forgotten debug output and much more.
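Two of the patterns just named, each shown beside a hardened form, as an added example (Python chosen for brevity; this is not code from this post or from SonarQube, and the function names, the placeholder token and the `API_TOKEN` environment variable are this example's own):

```python
"""Patterns that SonarQube-style security rules report, each beside a hardened form.

Added example for this article, not code from the Engel & Voelkers post or from
SonarQube itself; all function and variable names are the example's own.
"""
import hashlib
import hmac
import logging
import os
import secrets
from typing import Mapping, Optional

logger = logging.getLogger(__name__)

# --- 1. Insecure method / weak cryptography -------------------------------


def hash_password_weak(password: str) -> str:
    """'Before' form: unsalted MD5 is fast and deterministic, so equal
    passwords give equal hashes and precomputed tables recover them.
    A SAST rule flags the MD5 call itself."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """'After' form: random per-password salt and a slow, iterated KDF.
    Returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- 2. Hard-coded secret and forgotten debug output -----------------------

API_TOKEN = "tok_example_0123456789"  # constructed placeholder; a real value here is what the rule reports


def build_auth_header_weak() -> dict:
    """'Before' form: the secret lives in source control and is printed to
    stdout, so every CI log and crash dump contains it."""
    print("DEBUG using token", API_TOKEN)
    return {"Authorization": f"Bearer {API_TOKEN}"}


def build_auth_header(env: Optional[Mapping[str, str]] = None) -> dict:
    """'After' form: the secret is injected at runtime, a missing value fails
    loudly, and the log line carries no secret material."""
    env = os.environ if env is None else env
    token = env.get("API_TOKEN")
    if not token:
        raise RuntimeError("API_TOKEN is not set")
    logger.debug("authorization header built (token redacted)")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                         # False
    print(hash_password_weak("a") == hash_password_weak("a"))       # True: no salt, so identical
```

The weak functions are kept only so the contrast is visible; in a real code base they are exactly the lines the analysis reports, and the quality gate should block the merge until they are replaced.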

In general, the Engel & Völkers security team aims to support developers and other teams in their daily work with newly introduced security measures and thus promote good interaction and a security-oriented culture.

DevSecOps

The DevSecOps concept aims to integrate security measures directly into the development process and not - as in the waterfall model - at the end of the actual development. At this point, it can often be too late to change fundamental architectural decisions that are questionable from a security point of view. The software at Engel & Völkers is continuously developed and it is a great challenge not to lose sight of security requirements in the fast-moving DevOps environment. The static code analysis is a DevSecOps element that supports us in this. Manual, classic security checks are often too slow here and are therefore increasingly supplemented by automated checks.
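What "automated checks" look like at the pipeline level, as an added example (not code from this post or from SonarQube's own tooling): a CI step that reads the project's Quality Gate status from SonarQube's `api/qualitygates/project_status` endpoint and fails the job when the gate is not green. The endpoint and response shape are SonarQube's documented ones; the two sample payloads are constructed for this example, and the environment variable names `SONAR_HOST_URL`, `SONAR_TOKEN`, `SONAR_PROJECT_KEY` and `CI_COMMIT_BRANCH` are assumptions of the example.

```python
"""Gate a CI job on SonarQube's Quality Gate status.

Added example for this article, not code from the Engel & Voelkers post or from
SonarQube's own tooling. The payload shape is that of SonarQube's documented
api/qualitygates/project_status endpoint; the two sample payloads are
constructed for this example, and the environment variable names are assumptions.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Optional, Tuple


def fetch_project_status(host: str, token: str, project_key: str,
                         branch: Optional[str] = None) -> Dict[str, Any]:
    """GET api/qualitygates/project_status. A SonarQube user token is sent as
    the HTTP Basic username with an empty password."""
    params = {"projectKey": project_key}
    if branch:
        params["branch"] = branch
    url = f"{host.rstrip('/')}/api/qualitygates/project_status?{urllib.parse.urlencode(params)}"
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def evaluate_quality_gate(payload: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Return (passed, descriptions of the failed conditions).

    Only an overall status of "OK" passes. "ERROR" fails, and "NONE" (no gate
    result computed, e.g. the analysis has not been processed yet) is also
    treated as a failure so that a missing result never lets a build through.
    """
    status = payload.get("projectStatus", {})
    failed = [
        f"{c.get('metricKey')} {c.get('comparator', '')} {c.get('errorThreshold', '')} "
        f"(actual {c.get('actualValue', '?')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status.get("status") == "OK" and not failed, failed


# Constructed sample responses in the endpoint's documented shape.
SAMPLE_FAILING: Dict[str, Any] = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "61.5"},
        ],
        "ignoredConditions": False,
    }
}
SAMPLE_PASSING: Dict[str, Any] = {
    "projectStatus": {
        "status": "OK",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
        "ignoredConditions": False,
    }
}


def main() -> int:
    host = os.environ.get("SONAR_HOST_URL")
    token = os.environ.get("SONAR_TOKEN")
    project_key = os.environ.get("SONAR_PROJECT_KEY")
    if host and token and project_key:
        payload = fetch_project_status(host, token, project_key, os.environ.get("CI_COMMIT_BRANCH"))
    else:
        payload = SAMPLE_FAILING  # offline demonstration with constructed data
    passed, failed = evaluate_quality_gate(payload)
    for description in failed:
        print("quality gate condition failed:", description)
    print("quality gate:", "passed" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit code is what turns the security finding into a blocked merge rather than a dashboard entry nobody reads. Note that a fresh analysis is processed asynchronously, so a check run immediately after the scanner step may still see no gate result; the scanner's own `sonar.qualitygate.wait=true` property makes the scanner poll for the result and fail itself, which is the simpler choice when you do not need the per-condition output shown here.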


In contrast to the classic waterfall approach, DevSecOps focuses both on automation and the establishment of a security-oriented coding culture. In addition to static code analysis and other automated security tools, the promotion of security awareness and the security know-how of the developers ("cross-skilling") is indispensable in order to continuously develop secure software.

In summary, our goal with the DevSecOps concept is to support developers in developing better and more secure software faster, instead of blocking them in their work with lengthy audits and checks. Security is thus integrated into the DevOps lifecycle instead of forcing modern ways of working into classic security measures.
