CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

Webinar - How to maintain code security through code quality at scale

Originally aired live on Crowdcast December 8th, for future events see https://www.crowdcast.io/mackenziefromgitguardianBuilding secure software runs hand in hand with building high quality code. In this webinar we welcome Baptiste Bouffaut, the CTO of Ponicode to discuss code quality and break down; what is code quality? How can we ensure code quality and how code quality helps secure our applications?0:00-Introduction6:45-An overview of code quality37:00-Expert panel questions48:15-Lightning Demo ⚡️ Live demo of Ponicode 58:45-Audience Q&ASpeakersMackenzie Jackson — Developer Advocate @GitGuardianBaptiste BOUFFAUT — CTO @Ponicode

Video Transcript

all right and we're live hello everyone welcome to another webinar i'm very excited to be here with you today and we have a great guest with us that uh i'm excited to have on the webinar with us so i'd like to introduce baptist before who is the cto of pony code uh we'll dive a little bit into what pony code is but uh baptist uh do you want to maybe give yourself a quick introduction to everyone that's tuning in yeah sure hi everyone um i'm baptist as mcandy mentioned i'm the cto of pony code and ponycode is a is a startup and we we implement an ai platform that aims at helping developers develop faster and better and and to do that the first skill we gave to our ai is the ability to automatically generate unit tests based on the code that has been written by developer but the ambition is to implement much more skills that will help developers in their day to day life like helping them writing documentation helping them refactoring their code helping them doing all the stuff that again will will help them in their day-to-day activity so yeah it's really cool i love this i love this concept i love where we're heading in this ai when it comes to helping developers because it allows us to really focus on uh what we're what we can work we can do what we love to do which is creating new things and today we're going to be focusing a little bit about how we could utilize this ai for code quality and how that really translates into what we can do in security so just while we'll wait for everyone to tune in uh a friendly reminder if you haven't been to one of these webinars before we love participation so you'll notice already we have some polls down there we'll introduce those as we go if you have questions for myself but uh probably more baptiste then you'll notice a button at the bottom of your screen that says ask a question these are the easiest ways for us to be able to see them so we'll have a q a section where you can ask any questions and we'll try our best uh to answer them and uh and participate in the chat and those that are participating uh good chance to win a swag bag which usually is a get guardian swag bag but today it's going to be a get guarded pony cone hybrid swag bag so uh you'll be you'll be you'll be looking very snazzy out there so make sure you participate uh to get a chance and also we just like hearing from you so first steps of participation whilst we're waiting for a few more people to jump on where abouts are you all tuning from so baptiste and i are both in paris in france at the moment i was very very excited to see that we had someone registered from my home country which is new zealand uh from auckland but i think it's about four in the morning but if you are tuning in from new zealand and auckland at 4 am and you decided to get up just to see this webinar then let me know i'll be i'll be so happy i'll send you send you a treat so bordeaux ah cedric welcome welcome i recognize that name it's great to see you uh tuning in cedric texas bangladesh atlanta lagos nigeria anyone tuning in from new york i'm going to be in new york we're going to have a live meet-up in new york uh in next week so if you're tuning in from new york check out the meetup group there michigan lagos nigeria oh awesome nate new york next week well maybe we can catch up in new york at the uh information security meetup um how can you join excellent i'll see if one of my helpers is online um zead or someone else can you post the link in the chat to the to the new york meetup so that people can can get this all right so first poll and then we're going to get straight into some some content but under the poll section let us know are you currently familiar with the concept of shifting left or shift left it's a security concept so let us know if you've never heard of this before you have heard of it or if you're actively implementing it um so the uh uh thomas thomas good just posted that in new york so if you want to come to the new york major you can register for free at that link there would love to see you and if you're just here for the for the prizes i will have prizes in new york as well okay and before we get started i have one other quick uh housekeeping announcement to make before i hand it over to baptiste to explore uh more into code quality i am excited to say we announced yesterday that guardian just raised series b so we raised 44 million dollars to help us protect code so this is exciting if you're you to get guardian if you've been with us for a while you're going to see some massive improvements some new features and also if you are interested in the cyber security space we're trying to add 100 new faces to our guardian team this year well not this year it's almost over but in the coming year so uh please reach out to us if you're looking for opportunities we'd love to hear from you especially if you've already been using it so without further ado now that we have the housekeeping announcements uh out of the way uh i'm going to close my screen i'm going to close my hello there we are uh and baptist i'm going to leave it over to you to share your screen and maybe we can dive into this topic of code quality and how it can affect code security yeah sure can you see my screen yep it's just puffy yep perfect okay great well thanks a lot mckenzie for the introduction and i'm i'm very happy to uh to share to be there tonight to share with you what um what is our vision about the cut quality and code security at ponycode [Music] as a quick introduction i'm pretty sure everyone around the table knows that good quality matter and cut security as well but do you do you know why do you have concrete example why this is really so important maybe someone in the room do you have some experience about any good quality issue or cut security issues that that brought some difficulties in your business or in your activity okay no let's move forward i gathered a couple of examples if you remember well a couple of years ago ariane 5 which is a european rocket broke a couple of seconds after takeoff um and so it was years years of work and millions of euros of of loss and why ariane grew up it was just because of a big hint overflow problem in in the inertial computing system that has not been tested at all that blocks the the system the system of the rocket and the rockets blew up so that this this was purely a system a computing system software system that hadn't been tested before the launch of the exactly and to be more precise it was a copy paste from a previous version of rm and it has been tested in the previous version but they decided not to test again because it used to work on the previous version of the rocket but unfortunately it was not enough i'm sure we're all guilty of this the copy paste the copy paste to come bite us back in the bomb exactly second example you've probably heard about solarwinds we which which is a platform that deploy deployed terms of software all around the world in in most of companies in the world and because of of a breach in their system some hackers introduce into the system and and put some malware pieces of code into software that has been spread out all around the world in all in lots of companies even today even today not all the companies are aware if they are concerned by um by this problem or not so it's a huge huge [Music] issue a huge problem just because somewhere something has not been well implemented or tested and a hacker was able to introduce into the system so again very small things could have avoided that and the impact is is just huge one more example in 2015 there there were a mistake in the in the software that computed the the remaining duration of retention of prisoners and this mistake made some prisoners to be released before the normal date of their release and and for some of them a long long long before their normal release and it was just a computational mistake in in a small piece of code a piece of code that computes a duration so an integer nothing more again very small mistake or very small thing that has a huge impact on on here on some on something here on the prisoners and the last example you you've probably heard about as well is regarding paypal in 2013 there were a data breach uh in uh in their system and during four days uh they were around somewhere and during four days paypal was completely down and it costs a lot to paypal and again because of data breach so something that has not been found tested before it goes to production permits someone to introduce into the system and it cost billions to paypal so what what where do we stand today today we um if we if we if we look back at what what is software engineering for over the past let's say 10 years of course we we got a lot of new tools that helps delivering testing building deploying with all the devops strategy and devops blueprint so software engineering made a lot of progress but there is no there was no real revolution in in software in the software industry and and at unicode we believe that the software industry will will will have revolution like the automotive industry the car industry got uh 40 50 years ago when this industry knew a big crisis a big quality cruise 50 years ago cars all cars were were all the time out of order there were a lot a lot of quality problems on cars and there were a revolution and a lot of tools a lot of process were introduced to drastically improve the quality of the car at pony code we we are convinced that the software industry has to make this revolution and probably ai will will help on that but i will deep dive on that later in this presentation quick quick overview of of um of the market of what we are talking about today the developer spend some times to to code of course it's the heart of this job but there are many of the things that a developer has asked to do i i won't deep dive into the the precise list i know all of you know that all those tasks are as a responsibility of the developer but at the 21st century some of those tasks should be let's say automated at least the developer should be helped to uh to do that and he should not be he should not have to do this by by himself and and for so for for some of those tasks like like security issues or investigating bugs those tasks should drastically reduce if if we manage to improve the code quality uh developers should spend less time investigating bugs and doing some maintenance of the of the software so again at pony code we we don't think non-coding tasks will disappear in the life of a developer but what we are convinced of is that developer needs i want to say [Music] exoskeleton to to be helped to be augmented so that you can do all those tasks very very quickly and you can really really focus on coding and bringing value to the products the developer works on very last market overview you probably have heard about those figures but today the the the volume the the impact of a non-quality code so the bad code impact represents today 85 billion dollar per year i don't know if you represent it it's huge it's a huge amount of money today 85 billion dollar per year are lost in in translation because of non-quality code and and i i don't talk about bugs maintenance and security issues that represents 300 billions per year so definitely we enter uh um we we enter um a period where um those things will have to be improved uh we we will have more and more tools that will help developers spending less time on that and permitting companies spending less money on on non-quality code and on bugs and security and maintenance issue so just just so i understand that because that that's quite surprising 85 billion dollars of bad code so that's just kind of completely avoidable code that doesn't follow uh practices and and this is excluding blatant security voluntary vulnerabilities and bugs that are introduced so just that bad code 85 billion dollars in net loss in the industry yeah yeah yeah you will understand you will understand later in the presentation why uh bad code has such an impact but yeah that's just huge okay so maybe the first question we shall ask what is an healthy code again i think i will i will probably learn nothing uh for for all of you around the table but uh i think it's important to um to say it again um an fc code is is a code where each component each function is one purpose so one function that one thing one component does one thing and so on and so on a piece of code should be efficient it means well-written compact easily readable few lines of code a few numbers of parameters for four functions and so on and so on secure and safe um so to to ensure a piece of code is secure and safe there is no other way than testing it and we will be discussing this a bit later and a code the piece of code must be tested here it means the behavior of the code must be tested the fact that there is no regression in the code must be tested the security as i mentioned just before of this piece of code must be tested and and probably tomorrow we will have other kind of of tests like um performance testing uh and maybe one day and we start seeing this some environment environmental impact test as well and last but not least a piece a piece of code a piece of healthy code must be documented and on the right you uh you probably all know and recognize this uh this pyramid the the ground foundation of the pyramid of a healthy cod and a healthy software factory is obviously a good code refactoring a good code refactoring is a code that follows what i mentioned just before one purpose efficient documented secure and safe when you have this strong foundation it's it's very easy to implement documentation so that makes even more robust and even more healthy then you can easily implement some unit testing and you can also easily implement some static application security testing and then you can also have some integration and api testing on top of that but you need less if you if you already have a good coverage and a good coverage with unit testing you don't need so much integration and api testing and at the very top yeah you will have some end-to-end testing and some dynamic application security testing but again you need you need even more even less because you already have the previous layers that guarantee the quality of your code so that's that's very important to keep in mind this pyramiding because you will you will see in the following of the presentation that most of the time you have the inverse pyramid in the industry and that's not good so this is one of the question of the in the poll yeah yep this is in the poll here yeah so can we have a look at some results yeah so are you familiar with the concept of shift left we have 32 votes no nine votes yes zero votes actively practicing principles okay that's interesting i would have suppose that more people know what it is but that's good that's that means that my my explanation might help so that's not good to know so what what is shift left um this graph represents so you see um you see on the horizontal axis let's see the software development process requirements design until deployment and support and and this is what we observed in most of the company today the the red curve represents the cost of fixing issues depending on when the issue is identified so as you can see the the latest the issue is um is identified the most expensive it is to fix and for your information uh it's a huge factor it's almost a 1k factor between on the cost to fix a bug when it is it's discovered when already running in production compared with uh when it's discovered when it's on the laptop of the developer so a 1k factor or it's it's just uh it's just huge um and what unfortunately what we observe today is that most of companies do a lot of tests very late in the software development when i say the relate it's far after the development phase and it means it means bugs are identified too late in the process it means it costs a lot to um to fix the bugs the the ideal the ideal way of doing is shift left it means you should test earlier and you should test all the time um if if i if i make a comparison with the previous pyramid let me step back a bit sorry with this parameter the the test when you do some tests at the at the very right of the software development most of the time it's it's a top uh part of the pyramid so it means end-to-end test integration test api testing those tests are very very expensive to create and they are very expensive to maintain as well so if you put the fact that in this case tests are cost a lot of money plus the fact that bugs are expensive to fix you can you can easily imagine why we have this 55 billion dollar per year market it's because of this the ideal situation is that you do most of your tests at the very at the very left and this is the reason of shift left and when we say at the very left it means when the code is still in development in the branch on the local computer of the developer because as long as the code is still in local local branch in the development computer the tests are very easy to write i don't say it i i don't say it's not boring to do it but it's easy to do it so i'm mentioning unit tests especially and and when the bugs when unit tests crash locally on the laptop of the developer it's very easy to fix it it doesn't cost a lot of time so it permits if everyone does that it permits to do less complex and expensive end-to-end testing integration testing and there are less bugs in production and so bugs are far less expensive to be fixed that's shift left approach means test as earliest as possible and all the time it should be continuous and it's true for functional behavior regression testing but also for security testing and we will dive about that just just after test test testing every time early in the process is the key to ensure good quality code security at at let's say low cost so what it means uh in terms of processes in terms of tooling uh what is the impact of this in uh in a software factory um so i i won't deep dive into details into these slides it's um it's an exhaustive representation of what what is a devops uh developed environment but it's even more it's a devsecops environment i don't know if you are familiar with with that but no we are not talking uh about devops anymore but we are talking about dev set ups because we the software industry realized that security must be completely integrated in the hand-to-hand process of software development it's not something that should happen so precisely somewhere in the process it must be all the time everywhere during the process so it means new kind of tools has been created for four years now about application security testing it is static tools dynamic tools interactive tools but now security tooling is is really definitely part of the devops tool chain and factory and now we are talking about depth circuits here is a simplified view again with this horizontal view that follows the development process a high-level development process i want to say and it illustrates exactly what what i just said security testing must be everywhere in the process so you should start when you when you start planning and designing your application doing some thread modeling thinking about what would be the uh the public endpoint of your uh of your api or the public interface of your application while you are coding you should have some static analysis uh static code analysis uh git controls um and get guardian you are you are a great tool for that and thanks thanks for that um obviously you have some secret specific security unit testing you should have review dedicated to uh to security i don't say dedicated but code review should include also uh security aspects of the code and then during the build during the qa you uh you you again have the pyramid so most of the tests should be on the left based on the chip left concept but later in the process you you you still have some other kind of tests but you should have less because those tests are more expensive to create and more expensive tool to maintain on this slide i i wanted to highlight highlight the fact that what we observed in in in a lot of companies today is that um despite the fact that there are some very poor full cicd tools today the hand the hand-to-end delivery process is very complex to uh to fully uh automate um because it is complex and now that we are introducing more control on security and maybe tomorrow they will have more and more control uh as i previously mentioned we might have one day some performance testing performance unit testing and maybe some environmental impact unit testing as well so the the let's say the control pipeline and the different gates software must go through during his whole life cycle will will increase and will be more complex so this is one of the challenge we we have today and and i think there is a lot of lots of rooms of innovation and improvement in in all the ci cd platforms and and devtool a platform to uh to help automate more and more um to uh to deliver even faster and to have very high confidence in in the quality of of what is available okay so why what is the link between code quality and and code security um because as i mentioned uh a secure code is one criteria of a good quality code but it's not it's not only that if if you remember the pyramid so what we observed today is that most companies we do have this inverse pyramid it means we have you you have very you have a weak foundation in your code it means the code is not so well refactored you have huge uh functions with tons of parameters the code is very complex to maintain the code is very is not self-purpose it's not efficient and so on and so on so if you if you have this weak weaknesses in your foundation it means the documentation is not easy to to uh to write because you reading the code you will have difficulties to uh to write down the documentation except if you do the documentation first but doing writing the documentation after writing the code when the code is very difficult to read it's almost impossible the same for unit test and static application security testing the more complex is the code the less well refactoring is the code the more complex is to write powerful and efficient unit tests and it's even it's even more boring to do it and this is one of the reason why most of the companies don't implement unit tests because it's difficult to implement unit tests when the code is not well refactored and this is the reason why you need even more integration and api testing and you need even more end-to-end testing and dynamic application security testing tools and the problem is that as as i mentioned previously those top-level tests are very very expensive to create and very very expensive to maintain and first and the second is that um the risks that there are still bugs at this level of the of the software life cycle is is higher is very high and this is the reason why there are a lot of bugs into production for companies that that have such kind of inverse pyramid so what is important to keep in mind here that good cut quality so well refactored code efficient secured well documented self-purpose one purpose is the key to have a very strong foundation of all your software and all your software factory because on top of that you can really build this pyramid in the right order with a strong unit test less integration and bi testing and even less end-to-end testing okay so what's next what was the future of that um today you you all of all of you know there are terms of test tool uh so you have used this tool continuous testing web mobile performance api uh and so on and so on and you also have a lot of good quality analysis tools static analysis dynamic analysis uh and so on what we observed today and what we believe in code is that we are pretty sure that ai powered system will will completely disrupt uh the these silos because today it is really complex to implement efficient tests as i mentioned and so the platform are complex the two are complex and most of the time the the tools are dedicated to one specific things sometimes they are dedicated to one specific language or one specific ide or so it's this is one of the reasons why there are so many different frameworks on entry what we believe in is that uh ai will permit to have some scalability in that because it's it's far easier to implement language support thanks to a ai-based system and our idea and we are convinced at polycode that as soon as we have a very strong ai technology we could implement different kind of skills different different kind of tools that will help building this strong clear pyramid and and our belief is that ai will will permit to inverse uh the pyramid a lot of companies uh face uh today after um if if you have a tool if you have some some some helpers that first help developer writing well refactored code then if you have some helpers that help developer writing good documentation then if you have a helper that help writing unit tests and that help writing application secret testing and it means you you will you will have you will have a very strong pyramid and you will require less and and you can also have ai for integration and api testing and ai for end-to-end testing but we we are convinced that ai will on all those different stages ai will help will augment developers um all those tasks will still be the under the responsibility of the developer but they won't be alone anymore to do that they will have their coding partner based on ai that that will help them and it will be far easier to um to move from this inverse pyramid to the real strong efficient pyramid that permit to guarantee cut quality and code security and that's that's the end of my presentation thanks thanks for these we've got some questions and we'll we'll get to that too but uh you know i i first i i have a i have a question for you too it's it's really interesting and what i i love about the presentation is that kind of continual that continual testing of it but my question is uh it would have this been possible at all before before ai how how important is ai in making it possible that we can create this coding partner for developers to be able to to be able to effectively uh move forward in code quality yeah that's a pretty good question so uh as you as you have seen on on my on the market slides there are a lot a lot a lot of tools or and and most of them didn't wait for ai to uh to implement some some very valuable uh system but what ai will permit uh is to implement even i think after after doing some r d and uh this is what we did over the past two years in pony code when you have this strong uh ai technology it's very very easy to to support any new language even to support any new feature any new kind of testing as an example just to give you an example the ponyboard one we we have this ai technology today and thanks to the technology we are able to generate unit tests that's the earth of our offering today but we are also able to generate documentation with no effort because it's the same it's the same technology of of ai on code of record understanding and tomorrow it will be let's see easier for us to implement refactoring assistant as an example so it's a very very powerful technology that will tell me to accelerate the delivery of new services and new features okay so uh i'm gonna dive into some of the questions that we have here uh we'll have a bit more time for questions so i might be won't do all of them now but uh if you do have a question uh there's a question tab down there be sure this is uh one of the one of the rare opportunities you get to ask a cto of a technology company a technical question so so definitely jump in and embrace that so the first one i have is uh we had muhammad asking a little bit about sql injection so this is a security vulnerability how when we're talking about security vulnerabilities like injection like cross-site scripting these types of things uh how how does kind of the the ai and the power how how does this contribute into us eradicating these kind of coding areas and can it or is this tool is this like a different tool that can do that well obviously ai is not magic it's not magic it means some some data breach doesn't rely on on software only there are some some network configuration as well and unfolds this kind of of leaks i want to say you will still have this integration and end-to-end test but this is i think for for me this is the only reason why we still will still need this end-to-end and integration testing just to uh to uh to be sure uh the configuration of the system uh including the network layers are are robust enough but um in any case uh what where a hi-hat is that um what's important ai can can learn from the previous experience so it means each time there is a new bridge a new incident or a new leakage that is identified the system will be will be able to learn as well and to continuously improve but it's not magic i'm not saying that ai will permit to solve all security issues and all credit issues it will help okay yeah no that makes total sense all right another question here uh yes the presentation uh will be available offline uh so you'll be able to re-watch this uh replay uh too uh i'll just do one more question then we'll we'll we'll move forward uh we had some questions that want to go a little bit into maybe understanding the different offerings that you talked about so you talked about sast static application security testing there was dynamic application security testing sca maybe could you maybe expand a little bit on these and if and kind of how these these fit into the overall picture yeah so um you gave the example of scst and the ast just just for information it's exactly the same for um functional unit testing there are two type of um according to our vision artist um you can you can you can have two type of tests so the static test it means you you it means you read the code and you uh you you try to find based on on reading the code only to find some some bad patterns some some some things that are not wrong some some things that are not working well that's static analysis and again it's the same for for unit tests and and then you have dynamic it means the dynamic tools analyze the code running on a machine so it analyzes the runtime of the software it permits to have very very powerful additional information in addition to what you could you can see reading the code only at pony code we are we are currently working on uh and that's part of the patents we we put we are convinced that dynamic uh analysis of a running code will permit to uh to implement very very powerful box detection system and and to write even more efficient unit tests okay yeah perfect very clear okay so i i have some questions here uh too and this next this next one i actually put up as a poll because i was curious to see so but i want to get your uh uh your interpretation of it before i let i let you know what everyone uh has kind of said about this but uh major security incidences that we've seen now you mentioned a lot of them but we are at no short supply of being able to list major security incidences that have happened on the air how how big of a component is you know being able to implement this code quality and this automated detection of code quality and to preventing incidents like this can we essentially eradicate uh most all some of these incidents is where do we sit in in kind of moving forward with with this ability and code quality for me um as i mentioned previously so we we probably won't completely remove any kind of problems just doing some very powerful unit testing security testing but if you remember the first example i gave in the beginning of my presentation at least all those all those examples could have been avoided if if strong strong unit tests have been put put in place but probably others won't have been avoided but no but yeah uh so probably um i don't know how far we could we can go but uh i think today we are very weak uh the the progress the possible progress is just huge yeah yeah no i totally agree and this is a lot of what we talk about at get guardian is that uh in the world of cyber security vendors that we are at you you see a lot of hyperbolic statements from the magic solution that fixes everything and you just need this magic solution there isn't a magic solution it's consecutive work that we need to have and implement layered layered security and automated code detecting code quality enforcing code quality and having that co-pilot that helps you uh is uh is oh my battery's just right now so hang on i'm gonna have to fix that but um uh let me just share my screen for a second uh having a look at the polls the majority of people agreed with you on that 29 votes of people said yes some security incidents could be avoided with code quality um and there's still some people out there that are skeptical on the on there i have uh another poll here while i quickly uh fix the technical issue on my end i want to know does anyone out there currently use a code quality solution um and uh in your current i want to see what the maturity of this is i'm sure baptiste already uh has some idea yeah that's that's a very good question and the answer and we usually ask this question to all our customers and the answer is all the time the same and it is yes we do have some good quality checking and there are some major vendors and major solutions on the market that are widely used all around the world so yes the answer is yes but what is interesting in the answer is that yes but we don't really use it because most of the time it's very difficult to to take activable actions from the outcome of what the analysis the good quality energy tool gave to us what is this something we heard about our customers it means that most of the time the the uh the static analysis got quality tool there on the market gives uh tons tons hundreds of of issues hundreds of bugs or things to improve in your garden but you don't know uh where you where to start from uh and you don't know what is important to do first so all our customers say that at the end we we have it we look at sometimes but we don't really use it in our software process software development process yeah yeah i can uh certainly i can certainly uh i can certainly see that and what we have it's it's uh sometimes putting something in and not utilizing it to an effect or if the tool produces too much noise then it just becomes uh another thing causing more issues rather than actually solving problems so that's what i thought we could do here is i've seen pony code in action and i think it helps kind of get a visualization of actually what what we can do in code quality and code quality testing are you able to do a quick demo of the of the slope now that would be that'd be fantastic yes let me share my screen okay so i will do it quickly but i i encourage everyone to to give a try and to send us feedback about that so i'm i'm in my vs code codycat today is available as an extension on the vs code marketplace we are we are also available uh on intelligent marketplace for um for java language only but with uh with alfa support it has just just been released uh last last week so it's very young we don't have the same maturity on java than on javascript typescript i will show you today so it's quite easy to uh quite easy to uh to install you just have to use to search pony code on the marketplace uh here and then you would just install it it takes a couple of the guns for the first time just after you have installed it it will propose you to login and and seconds after you install it it's already available and usable on your project so let's let me open a file so here it's a typescript this is a very simple function but this one is is let's say we can say that it's well written it's efficient it's a compact it's readable and when when you have a pelican extension activated you have the the little ponies on the left that um that need to show you uh when when functions are unit test table by by opening code so if you if you want to you need tests there you you you just have to sorry when you cut unit test and then you have this nice interface that happen sorry i will remove this so what do you have in this view is it is it big enough you can see yeah yeah i can see so there are two sections in this view on the on the bottom you have some unit test suggestions uh and and what what is the unit test for pony code it's um it's a line in the table uh with some parameters suggestions for the function and with some assertions uh suggestion for um for the for the corresponding parameters and if you want to add some tests you just have to click on the plus button and it has the proposal and the suggestion from ponypod in your unit test section here so sorry as you can see here i have had two unit tests in my in my unit test and i gained 100 coverage um and what what and just for your information but when you code generates unit tests in a guest format for javascript and typescript so it's not blackbox at all it really generates tests that are human readable by developer as you can see there here this is the file view of what you have there in the in the table view so that's very powerful and you see in a couple of seconds i i generate two unique two unit tests with uh with one person coverage so coverage on this function is very easy so it's not a big deal but it's very very smooth what is important to ah sorry what's important to keep in mind especially in the context of code security we just discussed about is that um the power of our ai is is uh the capability to identify some happy paths for the function so some set of parameters that we permit to test the normal behavior of the functions what is expected from the function but also h cases and and regarding code security that's where we will have a lot of video because most of the time the the problem uh that implies some security issue comes from some edge cases that has not been identified and and well catched in the in the code so as you can see here uh pony code made some proposal uh on some h cases with some infinity zero and so on and so on um let me give you another quick example with a much more complex function here on this one yeah so here you can see get unvalidated department so the function is is a less robust a bit longer with a several heath healthy and so on so hi my little pony i can unit test it and here again uh but you could suggest some input that will permit to um to uh to test some happy pass the normal behavior of the function uh and also some h cases uh you can see that with a little orange box there and you have some coverage information meaning that if i accept if i take this unit test i will have a good coverage if i add this one i will gain five percent coverage uh and i was almost there because there is this as you can see here there are some some red lines that are not covered by unit tests but that's well that's nothing here um and i will also have some age cases um oh yes so there are some obvious uh hk's here uh like like undefined but there are also some some hkgs that are less obvious and what's important to see on this example is that the the input generated by by the ai of pony code can be very very complex as you can see here if a human developer has to write this test he has to write manually this kind of complex objects so let me show you there so you have this complex jason so it's um it's very annoying and very boring but pennycode is able to generate it for you and it's it's also permitted to generate some h cases inside those kind of complex objects so as an example if you have an array in your json uh you uh you you will have here as an example empty array in this specific key of the parameters so it will be very permitted to secure to secure your uh your code by running those unit tests well so um and just to to let you know so you you have this nice web ui ui in vs code we also have a flash test feature which which is a feature where you you trust the ai and you uh you don't want acid to manually pick the suggestions and you let polycod choose uh the situation for you and it automatically generates pick up some some input situation and you write down everything into the the test file here and this this feature permits to have to implement a coverage what we call coverage catch up so when you have a huge project with very low unit tests you run conical flash test in in our cli because we also have a cli and it will automatically generate for the whole project some unit tests on all functions that pendicote supports because pennycode doesn't support all type of function today and and the developer just need to maybe have a look uh if if there are confidence with the test that has been selected by ponycod by reading the the file but it it is very very powerful to starting from zero to reach a very good level of code coverage uh in minutes wow yeah and that's it i think uh we are we are running out of time soon so uh yeah yeah well uh this uh we've had some great questions come in uh one in particular from ian that i i want to ask and i think it's a good timing now because we're talking about uh uh you know using that cli and putting a bit of trust in the the the pony code to create the unit tests um to do that so the ian's question is uh putting all the eggs in the ai basket how do we validate that the ai is improving quality in the correct way in the right way so what how do you how do we go about in pony code training the ai making sure that it's improving in the in in the correct way yeah that's a very good question so for me the the the best and and almost only way to uh to really demonstrate that when you can help is to observe the number of bugs in production but the fact is that we don't have enough enough uh story before us to really being able to show this decrease of bugs in our in the customers we do have but that's that's continuous improvement coming from our team we we are continuously looking at how many tests are accepted by developers we because you can also reject them so it gives us information about is the suggestion is good or not and we are improving based on this based on that yeah very cool i thought that was a great question uh to ask uh ian so thanks for putting that one out well we're coming to the end of it now uh i just going to run through we have some final polls that i'm actually uh that i i'm curious to uh to see some some answers to so we put out this one here in the poll too what do we all think this is the last webinar that we have for the year so i'm curious to know what does everyone think of the state of cyber security for 2022 are we going to get reduced reportable breaches are we going to get roughly the same amount of year as the malicious activity going to increase as it did going from 2019 to 2020 and 2021 um do we expect it to get so bad we're going to have widespread uh disruptions i also have a fifth option in there which is currently hiding in my doomsday bunker i'm uh there's a few people that are currently hiding in a doomsday bunker according to according to this poll but look at the results now i think so most people most people expect it to stay the same some people expect it to to uh to kind of get worse uh very few people expect it to get better and a few people expected to be horrible about this what's your prediction for 2022 where are we heading uh in the immediate future for this the state of cyber security well uh very short term it will um [Music] i think it will um [Music] it will be good i mean um for sure we will be improving drastically and uh even if they will have more important attempts to uh attempt to uh to crack uh i think rnd and startups and huge company will will go faster than the hackers for sure absolutely i think ai in this area is going to be key in making sure that we can uh get the carriage i feel like the last few years attackers have had the edge and now it's becoming more mature uh we're understanding it and we're getting great products like pony code and of course guardian uh out there that we can keep it so i want to thank uh oh i gotta announce the winner i almost did this well uh the winner we have a we have a winner by uh by uh a fair distance but i think i think nate knows who he is so so thanks for participating nate you had the most amount of uh engagement that we have so we'll make sure i'll reach out to you after the webinar um and we'll make sure that uh um we get i'll reach out to you we get that that so nate fedor congratulations on winning the swag bag uh we have another webinar coming up uh so this one is on the 19th of january uh thomas if you're in the chat can you paste the link or yet i see the ads in there too uh can you paste the the link to the next webinar so it'd be great if you guys can register for this so we can kick off the new year we're going to be talking with rewind about disaster recovery uh going through them and there we have an ear one glass question baptist from ian because i see that he's uh he's one of the roadmap for more languages where where does ponycode have a roadmap for adding more uh accepted languages into the platform uh in the future yeah sure so um so we we just released an alpha version of java the next one to be quite frank will be probably a c chop because um because our market is b2b our customers are big companies and most of them are very legacy code and very low tested legacy code so uh c-sharp will have php for the same reason so it's not sexy language but that's the market that's the variety of the market excellent but we can expect as pony code grows we're going to get more more languages of course uh we're looking for that well baptiste it's been awesome to have you i've learned a lot i hope everyone has enjoyed it um so uh yeah i well thanks for being on the webinar i hope we can have you again on a guest in the new year and if i don't see you or talk to you i want you to have a great christmas and uh happy new year thanks a lot mckenzie for an invite and thanks a lot everyone that's it for this week guys make sure you register for the up and coming webinar we have a link in the chat it's going to be with rewind planning for worst case scenarios disaster recovery on github looking forward to that one thanks again baptist thanks everyone for participating and i hope to see you next time see