When DevSecOps goes wrong
Blog post from Semgrep
The movement to integrate security into developer workflows, often called DevSecOps or "shift left," aims to bring security considerations into the early stages of software development, though security and development teams greet it with varying enthusiasm. Developers often view security measures as cumbersome, which can lead to humorous security oversights, as illustrated by a 2019 UK government evaluation of Huawei in which unsafe functions had been naively redefined as safer variants. Despite the scrutiny Huawei received, many companies outside the major tech giants (FAANG) still do not enforce secure coding practices such as banning unsafe functions like memcpy. Clint Gibler and his colleague suggest three core principles for bridging the gap between developers and security: keeping security scans fast, delivering feedback early in the development process, and providing autofixes for the issues found. The post mentions ripgrep and Semgrep as ways to find unsafe function usage in a codebase, each with its own strengths and limitations in parsing and accuracy.
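To make the parsing-versus-accuracy trade-off concrete, the script below is an added example (not code from the Semgrep post or from any of the tools it names). It runs two scanners over a constructed C snippet: a plain substring search, which is how `grep` or `ripgrep` behave without any notion of syntax, and a comment- and string-aware scanner that matches only real call tokens and separately reports a `#define` that renames a banned function, the kind of naive redefinition the post's Huawei anecdote describes. The function names, the `BANNED` list and the sample source are all assumptions made for the example.

```python
"""Contrast a grep-style substring scan with a syntax-aware scan for banned
C functions. Added example; the sample C source below is constructed, not
taken from any real code base."""
import re

# Constructed C snippet mixing one real unsafe call with several decoys.
SAMPLE_C = r'''
#include <string.h>
/* memcpy is banned here, use safe_copy() instead */
#define memcpy(d, s, n) safe_copy(d, s, n)
static const char *note = "never call strcpy() directly";
void f(char *dst, const char *src, size_t n) {
    memcpy(dst, src, n);          // expands to safe_copy via the macro above
    strcpy(dst, src);             // real unsafe call
    my_strcpy_wrapper(dst, src);  // identifier contains strcpy but is not the libc call
}
'''

# Assumed ban list for the example (a real policy would be longer).
BANNED = ("memcpy", "strcpy", "strcat", "sprintf", "gets")


def grep_scan(src, banned=BANNED):
    """Line-oriented substring search, i.e. what `grep memcpy` reports.
    Returns (line_no, name) for every line containing a banned name,
    including hits inside comments, strings, macros and longer identifiers."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name in banned:
            if name in line:
                hits.append((lineno, name))
    return hits


# Block comments, line comments, string literals and char literals.
# DOTALL lets a block comment span several lines.
_NOISE = re.compile(
    r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""",
    re.DOTALL,
)


def strip_noise(src):
    """Blank out comments and literals with spaces, keeping newlines so
    that line numbers in the result still match the input."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def call_scan(src, banned=BANNED):
    """Report (line_no, name) only for `name(` tokens outside comments and
    literals. Preprocessor lines are not calls, but a `#define` that renames
    a banned function is reported separately: it hides the call sites from a
    grep without, by itself, making them safe."""
    calls, redefinitions = [], []
    for lineno, line in enumerate(strip_noise(src).splitlines(), 1):
        stripped = line.lstrip()
        if stripped.startswith("#"):
            m = re.match(r"#\s*define\s+(\w+)", stripped)
            if m and m.group(1) in banned:
                redefinitions.append((lineno, m.group(1)))
            continue
        for name in banned:
            if re.search(r"\b" + name + r"\s*\(", line):
                calls.append((lineno, name))
    return calls, redefinitions


if __name__ == "__main__":
    print("grep-style hits:", grep_scan(SAMPLE_C))
    calls, redefs = call_scan(SAMPLE_C)
    print("real call sites:", calls)
    print("banned names redefined by macro:", redefs)
```

On the sample, the substring scan reports six lines, of which only the `strcpy` call on line 8 is a genuine unsafe call; the syntax-aware scan reports two call sites plus the macro that redirects `memcpy`, which is the finding a reviewer actually needs to look at. A real parser (what Semgrep brings) goes further still, handling multi-line calls, macros defined in headers, and shadowing by local functions, which this regex approach does not.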